Core Server / SERVER-39404

SASL negotiation in shell 4.0.5 fails to authenticate SCRAM-SHA-256 user

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major - P3
    • None
    • Affects Version/s: 3.6.10, 4.0.5
    • Component/s: Security, Shell
    • Labels: None
    • ALL
    • Description:

      Start a standalone 4.0.5 server with a config similar to:

      processManagement:
        fork: true
      
      storage:
        dbPath: data/m
        journal:
          enabled: true
      
      systemLog:
        destination: file
        logAppend: false
        path: data/m.log
      
      security:
        authorization: enabled
      
      setParameter:
        authenticationMechanisms: SCRAM-SHA-256
      

      Connect locally with the mongo shell, and create the first user (user: admin, pwd: tester).
      This user is created with SCRAM-SHA-256 credentials.

      au = {
          user: 'admin',
          pwd: 'tester',
          roles: ['root']
      };
      
      adb = db.getSiblingDB('admin');
      adb.createUser(au);
      

      Exit, and run the mongo shell 4.0.5; note the authentication failure. This is the bug:

      Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin
      MongoDB shell version v4.0.5
      connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
      2019-02-06T14:12:36.240-0600 E QUERY    [js] Error: Authentication failed. :
      connect@src/mongo/shell/mongo.js:328:13
      @(connect):1:6
      exception: connect failed
      

      This message is logged in the server:

      2019-02-06T14:12:36.239-0600 I ACCESS   [conn5] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52258 ; BadValue: SCRAM-SHA-1 authentication is disabled
      

      The workaround is to explicitly specify the authentication mechanism:

      Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin --authenticationMechanism SCRAM-SHA-256
      MongoDB shell version v4.0.5
      connecting to: mongodb://127.0.0.1:27017/?authMechanism=SCRAM-SHA-256&authSource=admin&gssapiServiceName=mongodb
      Implicit session: session { "id" : UUID("13346da3-f927-4c38-a93c-6f36a7e0aaa0") }
      MongoDB server version: 4.0.5
      Server has startup warnings:
      (elided)
      MongoDB Enterprise >
      

      Now try the mongo shell version 4.0.4, note the authentication success:

      Spencer-Brown:repros spencer$ /usr/local/bin/mongodb-4.0.4-ent/mongo --username admin --password tester --authenticationDatabase admin
      MongoDB shell version v4.0.4
      connecting to: mongodb://127.0.0.1:27017
      Implicit session: session { "id" : UUID("dfe3d0d1-3192-4fe6-9186-5d4956552c4d") }
      MongoDB server version: 4.0.5
      Server has startup warnings:
      (elided)
      MongoDB Enterprise >
      
    • Security 2019-02-25, Security 2019-03-11, Security 2019-03-25, Security 2019-04-08

      When a user has SCRAM-SHA-256 credentials, the mongo shell negotiates the SASL authentication mechanism when no explicit authentication mechanism is given. See SERVER-32977.

      With a mongod version 4.0.5 that has only the SCRAM-SHA-256 authentication mechanism enabled, the mongo shell version 4.0.4 authenticates successfully but the mongo shell version 4.0.5 does not. This appears to be a regression in 4.0.5.

      The workaround is to specify the authentication mechanism as SCRAM-SHA-256.
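      The negotiation the ticket describes, and the server log line it produces, as an added example that is not part of the ticket or of the MongoDB code base: a small JavaScript model of the client's mechanism choice (assuming the client asks the server which mechanisms the user's credentials support, as the SERVER-32977 negotiation does, and falls back to SCRAM-SHA-1 when it has no negotiation result, which is what the 4.0.5 server log line shows), together with a parser that flags "authentication is disabled" failures in mongod ACCESS log lines. The function names, the saslSupportedMechs parameter and the sample log lines are constructed for this example.

```javascript
// Added example (not from SERVER-39404 or the MongoDB code base).
// Models the client-side SASL mechanism choice and detects, in mongod
// ACCESS log lines, clients that attempted a mechanism the server disabled.

const SHA256 = "SCRAM-SHA-256";
const SHA1 = "SCRAM-SHA-1";

// Choose the SASL mechanism a client will attempt.
//   explicitMechanism  : value of --authenticationMechanism, or null if not given
//   saslSupportedMechs : mechanisms the server advertised for this user
//                        (hypothetical parameter modelled on the negotiation),
//                        or null if no negotiation took place
// Assumption: with no explicit mechanism and no negotiation result the client
// falls back to SCRAM-SHA-1, which is the behaviour the ticket's server log shows.
function chooseMechanism(explicitMechanism, saslSupportedMechs) {
  if (explicitMechanism) return explicitMechanism; // the workaround path
  if (Array.isArray(saslSupportedMechs)) {
    if (saslSupportedMechs.includes(SHA256)) return SHA256; // prefer the stronger mechanism
    if (saslSupportedMechs.includes(SHA1)) return SHA1;
  }
  return SHA1; // legacy default when nothing was negotiated
}

// Parse one mongod ACCESS log line of the shape shown in the ticket.
// Returns null for lines that are not SASL authentication failures.
const SASL_FAIL_RE =
  /^(\S+) I ACCESS\s+\[(\w+)\] SASL (\S+) authentication failed for (\S+) on (\S+) from client ([\d.:]+) ; (\w+): (.*)$/;

function parseSaslFailure(line) {
  const m = SASL_FAIL_RE.exec(line);
  if (!m) return null;
  return {
    ts: m[1], conn: m[2], mechanism: m[3], user: m[4],
    db: m[5], client: m[6], code: m[7], reason: m[8],
  };
}

// Report failures where the client tried a mechanism the server has disabled:
// a fingerprint of clients that did not negotiate (or default to SCRAM-SHA-1).
function findDisabledMechanismFailures(lines) {
  return lines
    .map(parseSaslFailure)
    .filter((f) => f !== null && /authentication is disabled/.test(f.reason));
}

// Constructed sample log lines: the first is modelled on the ticket's line, the
// other two are made up to show a success and an unrelated failure being skipped.
const SAMPLE_LOG = [
  "2019-02-06T14:12:36.239-0600 I ACCESS   [conn5] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52258 ; BadValue: SCRAM-SHA-1 authentication is disabled",
  "2019-02-06T14:12:40.000-0600 I ACCESS   [conn6] Successfully authenticated as principal admin on admin from client 127.0.0.1:52259",
  "2019-02-06T14:12:45.000-0600 I ACCESS   [conn7] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 127.0.0.1:52260 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch",
];

// Stand-alone run: show the choice each client configuration makes, then the flagged lines.
console.log("explicit flag      ->", chooseMechanism(SHA256, null));
console.log("negotiated (4.0.4) ->", chooseMechanism(null, [SHA256]));
console.log("no negotiation     ->", chooseMechanism(null, null));
for (const f of findDisabledMechanismFailures(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.conn} client ${f.client} tried ${f.mechanism}: ${f.reason}`);
}
```

      Counting the flagged lines per client address in the server log is a cheap way to find clients that still default to a disabled mechanism after authenticationMechanisms has been restricted, before they surface as user-facing login failures.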

            Assignee: shreyas.kalyan@mongodb.com Shreyas Kalyan
            Reporter: spencer.brown@mongodb.com Spencer Brown
            Votes: 1
            Watchers: 9
