Core Server / SERVER-51457

Improve log line for failed speculative auth attempts


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.9.0, 4.4.6
    • Component/s: None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.4
    • Sprint:
      Security 2020-11-30, Security 2020-12-14

      Description

      If a user is created with auth mechanism SCRAM-SHA-1 and the URI provided to the driver does not have an authMechanism parameter, the driver will attempt to do speculative authentication using the SCRAM-SHA-256 mechanism per the MongoDB Handshake specification. On a 4.4+ server, this generates a log line like

      {"t":{"$date":"2020-10-06T13:09:11.911-04:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"user","authenticationDatabase":"admin","client":"127.0.0.1:51939","result":"AuthenticationFailed: Unable to use SCRAM-SHA-256 based authentication for user without any SCRAM-SHA-256 credentials registered"}}
      

      According to Sara Golemon, logging this is important because otherwise, an attacker could try to brute force password guesses in isMaster attempts and the server wouldn't log anything. However, this is a confusing line to see in access logs because it makes it seem like something went wrong when everything is actually behaving as expected. Would it be possible to clarify that this is due to a failed speculative authentication attempt in the log?
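
A log-triage sketch for the line quoted above, added here as an example and not MongoDB's own code: it separates the "no SCRAM-SHA-256 credentials registered" mismatch from other id 20249 failures and counts the latter per client address, so the expected speculative-auth noise does not hide repeated failures. The function names, the threshold and every sample line other than the ticket's are constructed for illustration.

```python
import json
from collections import Counter

# "result" text from the ticket's log line: the account has no SCRAM-SHA-256 credentials.
MISMATCH = "without any SCRAM-SHA-256 credentials registered"

def classify(line):
    """Return (kind, client_ip, principal) for an 'Authentication failed' line, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or entry.get("c") != "ACCESS" or entry.get("id") != 20249:
        return None
    attr = entry.get("attr", {})
    kind = "mechanism_mismatch" if MISMATCH in attr.get("result", "") else "auth_failure"
    ip = attr.get("client", "").rsplit(":", 1)[0]  # drop the ephemeral source port
    return kind, ip, attr.get("principalName")

def triage(lines, threshold=3):
    """Count failures per client IP; mismatches are tallied separately, not dropped."""
    failures, mismatches = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, ip, _ = hit
        (mismatches if kind == "mechanism_mismatch" else failures)[ip] += 1
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, dict(mismatches)

def sample_line(client, result):
    # Constructed sample in the same shape as the ticket's line; the result text is made up.
    return json.dumps({"t": {"$date": "2020-10-06T13:09:12.000-04:00"}, "s": "I",
                       "c": "ACCESS", "id": 20249, "ctx": "conn15",
                       "msg": "Authentication failed",
                       "attr": {"mechanism": "SCRAM-SHA-256", "principalName": "user",
                                "authenticationDatabase": "admin", "client": client,
                                "result": result}})

# The one line taken from the ticket.
TICKET_LINE = '{"t":{"$date":"2020-10-06T13:09:11.911-04:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"user","authenticationDatabase":"admin","client":"127.0.0.1:51939","result":"AuthenticationFailed: Unable to use SCRAM-SHA-256 based authentication for user without any SCRAM-SHA-256 credentials registered"}}'

WRONG_PW = "AuthenticationFailed: constructed wrong-password result"
SAMPLE = ([TICKET_LINE, "not a json line"]
          + [sample_line(f"203.0.113.7:{40000 + i}", WRONG_PW) for i in range(4)]
          + [sample_line("198.51.100.9:50000", WRONG_PW)])

if __name__ == "__main__":
    print(triage(SAMPLE))
```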

              People

              Assignee:
              varun.ravichandran Varun Ravichandran
              Reporter:
              divjot.arora Divjot Arora