Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-47429

authenticationMechanisms parameter is not validated

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Minor - P4 Minor - P4
    • 4.2.7, 4.4.0-rc4, 4.7.0
    • Affects Version/s: 4.2.3, 4.3.4
    • Component/s: None
    • Labels:
      None
    • Fully Compatible
    • ALL
    • v4.4, v4.2
    • Security 2020-04-20, Security 2020-05-04

      If I start a server with authenticationMechanisms set to the empty string it fails:

       /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms='' --auth 
      

      However if I supply a bogus value for the mechanisms the server seems to start just fine:

       /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms='!' --auth 
      

      It even claims to have accepted ! for the mechanisms:

      2020-04-08T22:04:45.981-0400 I  CONTROL  [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "!" }, storage: { dbPath: "/tmp/42" } }
      

      This becomes a more significant issue when the mechanisms are valid but not for the version of the server that is being launched. For example, the following invocation tries to start 4.2 with the aws mechanism and succeeds (subsequently failing all aws auth authentication attempts):

      /usr/local/m/versions/4.2/mongod --dbpath /tmp/42 --setParameter authenticationMechanisms=SCRAM-SHA-1,SCRAM-SHA-256,MONGODB-AWS --auth 
      
      

      As a user of the server, I would like the server to validate authenticationMechanisms parameter when it starts so that I am informed when I requested mechanisms that the server does not support, so that I can efficiently remedy the misconfiguration.

            Assignee:
            mark.benvenuto@mongodb.com Mark Benvenuto
            Reporter:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: