Core Server / SERVER-39404

SASL negotiation in shell 4.0.5 fails to authenticate SCRAM-SHA-256 user

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Duplicate
    • Affects Version/s: 4.0.5, 3.6.10
    • Fix Version/s: None
    • Component/s: Security, Shell
    • Labels:
      None
    • Operating System:
      ALL
    • Steps To Reproduce:

      Start a standalone 4.0.5 server with a config similar to:

      processManagement:
        fork: true
       
      storage:
        dbPath: data/m
        journal:
          enabled: true
       
      systemLog:
        destination: file
        logAppend: false
        path: data/m.log
       
      security:
        authorization: enabled
       
      setParameter:
        authenticationMechanisms: SCRAM-SHA-256
      

      Connect locally with the mongo shell, and create the first user: admin pwd: tester
      This user is created with SCRAM-SHA-256 credentials.

      au = {
          user: 'admin',
          pwd: 'tester',
          roles: ['root']
      };
       
      adb = db.getSiblingDB('admin');
      adb.createUser(au);
      

      Exit, and run a mongo shell 4.0.5, note the authentication failure – this is the bug

      Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin
      MongoDB shell version v4.0.5
      connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
      2019-02-06T14:12:36.240-0600 E QUERY    [js] Error: Authentication failed. :
      connect@src/mongo/shell/mongo.js:328:13
      @(connect):1:6
      exception: connect failed
      

      This message is logged in the server:

      2019-02-06T14:12:36.239-0600 I ACCESS   [conn5] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52258 ; BadValue: SCRAM-SHA-1 authentication is disabled
      

      The workaround is to explicitly specify the authentication mechanism:

      Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin --authenticationMechanism SCRAM-SHA-256
      MongoDB shell version v4.0.5
      connecting to: mongodb://127.0.0.1:27017/?authMechanism=SCRAM-SHA-256&authSource=admin&gssapiServiceName=mongodb
      Implicit session: session { "id" : UUID("13346da3-f927-4c38-a93c-6f36a7e0aaa0") }
      MongoDB server version: 4.0.5
      Server has startup warnings:
      (elided)
      MongoDB Enterprise >
      

      Now try the mongo shell version 4.0.4, note the authentication success:

      Spencer-Brown:repros spencer$ /usr/local/bin/mongodb-4.0.4-ent/mongo --username admin --password tester --authenticationDatabase admin
      MongoDB shell version v4.0.4
      connecting to: mongodb://127.0.0.1:27017
      Implicit session: session { "id" : UUID("dfe3d0d1-3192-4fe6-9186-5d4956552c4d") }
      MongoDB server version: 4.0.5
      Server has startup warnings:
      (elided)
      MongoDB Enterprise >
      

    • Sprint:
      Security 2019-02-25, Security 2019-03-11, Security 2019-03-25, Security 2019-04-08

      Description

      When a user has SCRAM-SHA-256 credentials, the mongo shell negotiates the SASL authentication mechanism when no explicit authentication mechanism is given. See SERVER-32977.

      With a mongod version 4.0.5 with only the SCRAM-SHA-256 authentication mechanism enabled, the mongo shell version 4.0.4 successfully authenticates but the mongo shell version 4.0.5 does not. This appears to be a regression in 4.0.5.

      The workaround is to specify the authentication mechanism as SCRAM-SHA-256.
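
Added example (not part of the original report and not MongoDB's code): a Node.js triage of the server log line quoted in the steps above, separating failures where the client attempted a mechanism the server has disabled from ordinary credential failures. The function names, the `ENABLED` list and the second sample log line are constructed for illustration.

```javascript
// Mirrors setParameter.authenticationMechanisms from the config in this report.
const ENABLED = ['SCRAM-SHA-256'];

// Sample input. Line 1 is the server log entry quoted in this report; line 2 is
// constructed for contrast (a wrong-password failure) and is not from the report.
const SAMPLE_LOG = [
  '2019-02-06T14:12:36.239-0600 I ACCESS   [conn5] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52258 ; BadValue: SCRAM-SHA-1 authentication is disabled',
  '2019-02-06T14:13:02.101-0600 I ACCESS   [conn6] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 127.0.0.1:52260 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch',
];

// timestamp, connection, mechanism, user, db, client address, error code, reason
const FAILED_RE = /^(\S+)\s+I\s+ACCESS\s+\[(\w+)\]\s+SASL (\S+) authentication failed for (\S+) on (\S+) from client (\S+) ; (\w+): (.*)$/;

// Parse one ACCESS line; returns null for lines that are not SASL failures.
function parseAuthFailure(line) {
  const m = FAILED_RE.exec(line);
  if (!m) return null;
  const [, ts, conn, mechanism, user, db, client, code, reason] = m;
  return { ts, conn, mechanism, user, db, client, code, reason };
}

// A failure is a mechanism mismatch when the client attempted a mechanism the
// server does not enable, or the server says so itself in the reason text.
function classify(ev, enabled) {
  const disabled = /authentication is disabled$/.test(ev.reason);
  return (!enabled.includes(ev.mechanism) || disabled)
    ? 'mechanism-mismatch'
    : 'credential-failure';
}

// Classify every SASL failure in the log and attach a remediation hint.
function triage(lines, enabled) {
  return lines.map(parseAuthFailure).filter(Boolean).map((ev) => {
    const kind = classify(ev, enabled);
    const hint = kind === 'mechanism-mismatch'
      ? `client attempted ${ev.mechanism}; server enables ${enabled.join(', ')}; ` +
        `pass --authenticationMechanism ${enabled[0]} explicitly`
      : 'mechanism accepted by server; check the password or stored credentials';
    return { ...ev, kind, hint };
  });
}

for (const f of triage(SAMPLE_LOG, ENABLED)) {
  console.log(`${f.ts} ${f.user}@${f.db} from ${f.client}: ${f.kind} (${f.hint})`);
}
```

A mechanism-mismatch finding points at client-side mechanism selection rather than at the password, which is the distinction the shell's generic "Authentication failed." message hides.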

              People

              • Votes: 1
              • Watchers: 9