Details
- Bug
- Resolution: Done
- Major - P3
- None
- 2.7.2, 2.7.3, 2.7.4
- None
- ALL
Description
The basic SCRAM-SHA-1 support added in 2.7.2 seems to be broken. A SASL conversation can be completed following RFC 5802 (the v field value returned from the server matches the server signature calculated on the client), but the server returns {done: false} and any subsequent operations fail authorization.
Example user:
> db.system.users.findOne()
{
    "_id" : "admin.admin",
    "user" : "admin",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "3L2ChDOtpFE3t7dbOwAPdQ==",
            "storedKey" : "wnUNZ+Wl/B+k1+RBNfb4hihgapo=",
            "serverKey" : "3Q5qYn40wXktIB2M3SkK+czdXNg="
        },
        "MONGODB-CR" : "e4e538f5dcb52537cad02bbf8491693c"
    },
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
>
Example authentication attempt with debug output:
>>> c.admin.authenticate('admin', 'pass', mechanism='SCRAM-SHA-1')

C: SON([('saslStart', 1), ('mechanism', 'SCRAM-SHA-1'), ('payload', Binary(b'n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA==', 0)), ('autoAuthorize', 1)])
S: {'done': False, 'payload': b'r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000', 'conversationId': 1, 'ok': 1.0}

server provided salt: b'3L2ChDOtpFE3t7dbOwAPdQ=='
client generated storedKey: b'wnUNZ+Wl/B+k1+RBNfb4hihgapo='
client generated serverKey: b'3Q5qYn40wXktIB2M3SkK+czdXNg='
client generated v: b'ss94QBaOXP1cQGYhgjuyDDMipO8='

C: SON([('saslContinue', 1), ('conversationId', 1), ('payload', Binary(b'c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=', 0))])
S: {'done': False, 'payload': b'v=ss94QBaOXP1cQGYhgjuyDDMipO8=', 'conversationId': 1, 'ok': 1.0}
Server binaries were built with the enterprise modules. Mongod started like so:
mongod --dbpath ~/data/db --auth --setParameter authenticationMechanisms=SCRAM-SHA-1,MONGODB-CR
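
The server-side check that RFC 5802 defines for the exchange above, as an added Python example (not code from this report, the server or any driver): it rebuilds AuthMessage from the three payloads, recovers the candidate ClientKey from p, compares its hash with storedKey, and computes the v value the server sends back. Function names are illustrative; `derive_keys` relies on MongoDB's convention of feeding PBKDF2 the hex MD5 of "user:mongo:password".

```python
import base64, hashlib, hmac

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(user, password, salt, iterations):
    """Return (ClientKey, StoredKey, ServerKey). MongoDB feeds PBKDF2 the
    hex md5 of "user:mongo:password" rather than the raw password."""
    digest = hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()
    salted = hashlib.pbkdf2_hmac("sha1", digest, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha1(client_key).digest(), _hmac(salted, b"Server Key")

def auth_message(client_first, server_first, client_final):
    """client-first-bare "," server-first "," client-final-without-proof."""
    bare = client_first.split(b",", 2)[2]              # strip the "n,," GS2 header
    without_proof = client_final.rsplit(b",p=", 1)[0]
    return b",".join((bare, server_first, without_proof))

def client_proof(client_key, stored_key, auth_msg):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    return _xor(client_key, _hmac(stored_key, auth_msg))

def server_verify(stored_key, server_key, client_first, server_first, client_final):
    """Server side: check p against StoredKey and compute the v to send back."""
    msg = auth_message(client_first, server_first, client_final)
    proof = base64.b64decode(client_final.rsplit(b",p=", 1)[1])
    recovered = _xor(proof, _hmac(stored_key, msg))    # candidate ClientKey
    proof_ok = hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key)
    return proof_ok, base64.b64encode(_hmac(server_key, msg))

# Credential fields and SASL payloads copied from the report above.
STORED_KEY = base64.b64decode("wnUNZ+Wl/B+k1+RBNfb4hihgapo=")
SERVER_KEY = base64.b64decode("3Q5qYn40wXktIB2M3SkK+czdXNg=")
C1 = b"n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA=="
S1 = (b"r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,"
      b"s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000")
C2 = (b"c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,"
      b"p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=")

if __name__ == "__main__":
    proof_ok, v = server_verify(STORED_KEY, SERVER_KEY, C1, S1, C2)
    print("proof verifies against storedKey:", proof_ok)
    print("server signature:", b"v=" + v)
```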
Issue Links
- is depended on by
  - SERVER-7596 Support SCRAM-SHA-1 SASL Mechanism - Closed
  - DRIVERS-166 Implement the SCRAM-SHA-1 SASL Mechanism - Closed