Core Server / SERVER-20365

"authentication failed, storedKey mismatch" on synthetic users and databases with '@'


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.1.7
    • Fix Version/s: 3.3.9
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Steps To Reproduce:

      In one window:

      > use y@z
      switched to db y@z
      > db.createUser({user: "x", pwd: "pwd", roles: []})
      Successfully added user: { "user" : "x", "roles" : [ ] }
      > db.auth("x", "pwd")
      1
      

      In another:

      > use z
      switched to db z
      > db.createUser({user: "x@y", pwd: "pwd", roles: []})
      Successfully added user: { "user" : "x@y", "roles" : [ ] }
      > db.auth("x@y", "pwd")
      1
      

      Return to the first window:

      > db.auth("x", "pwd")
      Error: Authentication failed.
      0
      

      Mongod will report:

      2015-09-10T18:47:18.852-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:51466 #1 (1 connection now open)
      2015-09-10T18:47:42.931-0400 I COMMAND  [conn1] command y@z.$cmd command: createUser { createUser: "x", pwd: "xxx", roles: [], digestPassword: false, writeConcern: { w: "majority", wtimeout: 30000.0 } } ntoreturn:1 ntoskip:0 keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 164ms
      2015-09-10T18:47:49.627-0400 I ACCESS   [conn1] Successfully authenticated as principal x on y@z
      2015-09-10T18:47:57.537-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:51468 #2 (2 connections now open)
      2015-09-10T18:48:10.693-0400 I ACCESS   [conn2] Successfully authenticated as principal x@y on z
      2015-09-10T18:48:18.226-0400 I ACCESS   [conn1] SCRAM-SHA-1 authentication failed for x on y@z from client 127.0.0.1 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch
      

    • Sprint:
      Security 15 (06/03/16), Security 16 (06/24/16)

      Description

      It appears that comparison of UserName objects doesn't take into account the location of the split point between usernames and database names. This means when you have two users, one named 'x' on DB 'y@z' and one named 'x@y' on DB 'z', a conflict is possible which prevents one from logging in.
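
The collision described above, as an added illustration that is not MongoDB's code: the `Name` struct, both comparators and the credential cache are hypothetical, and the stored-key strings are constructed placeholders. It shows how an ordering over only the concatenated `user@db` string makes 'x' on 'y@z' and 'x@y' on 'z' the same map key, so the first user reads back the second user's stored key, and how including the split point in the comparison keeps the entries separate.

```cpp
// Added illustration with hypothetical types; not MongoDB's UserName class.
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <tuple>

struct Name {
    std::string full;   // "user@db", the concatenated form
    std::size_t split;  // index of the '@' that separates user from db
    Name(const std::string& user, const std::string& db)
        : full(user + "@" + db), split(user.size()) {}
};

// Flawed ordering: only the concatenated string is compared.
struct ByFullOnly {
    bool operator()(const Name& a, const Name& b) const { return a.full < b.full; }
};

// Ordering that also compares where the user/db boundary falls.
struct ByFullAndSplit {
    bool operator()(const Name& a, const Name& b) const {
        return std::tie(a.full, a.split) < std::tie(b.full, b.split);
    }
};

// Replays the report's order: x on y@z is cached, then x@y on z, then the
// entry for `who` is read back. Key values are constructed placeholders.
template <typename Cmp>
std::string cachedKeyFor(const Name& who) {
    std::map<Name, std::string, Cmp> cache;
    cache[Name("x", "y@z")] = "storedKey(x on y@z)";
    cache[Name("x@y", "z")] = "storedKey(x@y on z)";
    auto it = cache.find(who);
    return it == cache.end() ? std::string() : it->second;
}

int main() {
    Name first("x", "y@z");
    std::cout << "full-string compare: " << cachedKeyFor<ByFullOnly>(first) << "\n";
    std::cout << "with split point:    " << cachedKeyFor<ByFullAndSplit>(first) << "\n";
}
```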

              People

              Assignee:
              spencer.jackson Spencer Jackson
              Reporter:
              spencer.jackson Spencer Jackson
              Votes:
              1
              Watchers:
              5