[SERVER-10339] MONGODB-X509 user authentication should not require the clusterAuthMode option. Created: 25/Jul/13  Updated: 11/Jul/16  Resolved: 12/Sep/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.1
Fix Version/s: 2.5.3

Type: Bug Priority: Major - P3
Reporter: Bernie Hackett Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File client.pem
Issue Links:
Depends
Operating System: ALL
Steps To Reproduce:

Configure mongod without clusterAuthMode:

$ ./mongod --dbpath /storage/data/db/ --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl.pem --auth

The shell fails authentication:

$ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
MongoDB shell version: 2.5.1
connecting to: test
Server has startup warnings: 
** NOTE: This is a development version (2.5.1) of MongoDB.
**       Not recommended for production.
> use $external
switched to db $external
> db.auth({mechanism: 'MONGODB-X509'})
Error: 18 { code: 18, ok: 0.0, errmsg: "X509 authentication is not allowed for cluster authentication" }
0

Restart mongod with clusterAuthMode x509:

$ ./mongod --dbpath /storage/data/db/ --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl.pem --auth --clusterAuthMode x509

Shell authentication succeeds:

$ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
MongoDB shell version: 2.5.1
connecting to: test
Server has startup warnings: 
** NOTE: This is a development version (2.5.1) of MongoDB.
**       Not recommended for production.
> use $external
switched to db $external
> db.auth({mechanism: 'MONGODB-X509'})
1


Description

To use the MONGODB-X509 mechanism you currently have to configure mongod with "--clusterAuthMode x509", but that option is for internal (keyFile replacement) authentication, not user auth.



Comments
Comment by auto [ 12/Sep/13 ]

Author: Andreas Nilsson (agralius, andreas.nilsson@10gen.com)

Message: SERVER-10339 Added client_revoked.pem cert for CRL test
Branch: master
https://github.com/mongodb/mongo/commit/98c273d6a9a0aa62182e46ef5c45ed5549d7ce04

Comment by auto [ 12/Sep/13 ]

Author: Andreas Nilsson (agralius, andreas.nilsson@10gen.com)

Message: SERVER-10339 Changed OU in client.pem and changed failed x.509 auth msg
Branch: master
https://github.com/mongodb/mongo/commit/304acad4f7c021441aa3e5d019d5a9060bca9532

Comment by Bernie Hackett [ 23/Aug/13 ]

andreas.nilsson@10gen.com, well, ca.pem (I assume) is used to validate the client cert, and I figured changing the subject might cause that to no longer work? I'm probably just confused.

As for the log message, maybe just add something about the provided "user" matching the clusterauth user before "X509 authentication is not allowed for cluster authentication"?

Comment by Eric Milkie [ 23/Aug/13 ]

attached new client.pem with ou of "kerneluser"

Comment by Andreas Nilsson [ 23/Aug/13 ]

Agree with both points.
milkie, can you generate a new client.pem and change the OU to something different?

With regards to the error message I'm not sure how we can distinguish between a client using an incorrect certificate and a server not running with clusterAuthMode when it should. I guess the message could be extended to include both scenarios.

behackett why would ca.pem need to be changed?

Comment by Bernie Hackett [ 22/Aug/13 ]

andreas.nilsson@10gen.com, indeed that is the problem. The server.pem and client.pem files in jstests/libs have the same subject name. My apologies. I think we need a better error message here. I would imagine end users are going to be equally confused.

We should probably also change client.pem to use a different subject (or add a new client pem file) and update ca.pem to make testing easier and less confusing.

Comment by Andreas Nilsson [ 22/Aug/13 ]

behackett this is expected behavior if the subject name of the client certificate matches the subject name of the server certificate. The client is then assumed to be part of the cluster and not a client. Can you verify that this is not the case?
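
The rule described in the comment above (a client certificate whose subject equals the server certificate's subject is taken to be a cluster member, and that path is refused unless mongod runs with --clusterAuthMode x509) is easy to trip over with test certificates. The following pre-flight check is an added example for this page, not code from the MongoDB project or from anyone in this thread: it parses the two subject DNs, reports which path a MONGODB-X509 login would take, and emits the exact `user` string to register in `$external`. The client DN is the one quoted in the ticket; the server DN is constructed to be identical, mirroring the finding that server.pem and client.pem shared a subject; the "fixed" client DN changes the OU to `kerneluser` as in the replacement client.pem attached later. The exact-match rule, the function names and the DN-string format are assumptions modelled on this thread, not on mongod's source.

```python
"""Added example (not MongoDB project code): model of the MONGODB-X509
decision described in SERVER-10339. Per the comments, mongod 2.5.x treats a
client whose certificate subject equals the server certificate's subject as a
cluster member; that path is refused unless --clusterAuthMode x509 is set.
The exact-match rule and all function names are assumptions based on the
thread, not on mongod's source."""
from typing import Dict, List, Optional, Tuple

# Error string quoted verbatim from the server log in this ticket.
CLUSTER_REJECT_MSG = "X509 authentication is not allowed for cluster authentication"

# Client subject as used in the ticket's shell session.
CLIENT_DN = ("emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,"
             "L=New York City,ST=New York,C=US")
# Constructed: the ticket says server.pem carried the same subject as client.pem.
SERVER_DN = CLIENT_DN
# Constructed: the replacement client.pem attached later changed the OU to "kerneluser".
CLIENT_DN_FIXED = CLIENT_DN.replace("OU=Kernel,", "OU=kerneluser,")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated 'type=value' DN into (type, value) pairs.

    Handles backslash escapes and double-quoted values; attribute types keep
    their original spelling so the DN can be re-emitted unchanged.
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr_type: Optional[str] = None
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "=" and attr_type is None and not in_quotes:
            attr_type = "".join(buf).strip()
            buf = []
        elif ch == "," and not in_quotes:
            if attr_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            pairs.append((attr_type, "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if in_quotes or attr_type is None:
        raise ValueError("malformed DN %r" % dn)
    pairs.append((attr_type, "".join(buf).strip()))
    return pairs


def format_external_user(pairs: List[Tuple[str, str]]) -> str:
    """Re-emit the DN in the form used for the $external user name in the shell."""
    def esc(value: str) -> str:
        return value.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join("%s=%s" % (t, esc(v)) for t, v in pairs)


def same_subject(dn_a: str, dn_b: str) -> bool:
    """Exact-match rule modelled on the thread: same RDNs in the same order.
    Attribute type names are compared case-insensitively; values are not."""
    def norm(dn: str) -> List[Tuple[str, str]]:
        return [(t.upper(), v) for t, v in parse_dn(dn)]
    return norm(dn_a) == norm(dn_b)


def classify_x509_auth(client_dn: str, server_dn: str,
                       cluster_auth_mode: Optional[str] = None) -> Dict[str, object]:
    """Predict which path a MONGODB-X509 login would take under this ticket's rule."""
    if same_subject(client_dn, server_dn):
        if cluster_auth_mode == "x509":
            return {"treated_as": "cluster", "allowed": True,
                    "reason": "subject equals server subject; accepted as cluster member"}
        return {"treated_as": "cluster", "allowed": False, "reason": CLUSTER_REJECT_MSG}
    return {"treated_as": "user", "allowed": True,
            "reason": "subject differs from server subject; authenticates as $external user "
                      + format_external_user(parse_dn(client_dn))}


def main() -> None:
    cases = (("original client.pem, no clusterAuthMode", CLIENT_DN, None),
             ("original client.pem, clusterAuthMode x509", CLIENT_DN, "x509"),
             ("client.pem with OU=kerneluser", CLIENT_DN_FIXED, None))
    for label, dn, mode in cases:
        r = classify_x509_auth(dn, SERVER_DN, mode)
        status = "ok" if r["allowed"] else "rejected"
        print("%-45s -> %s (%s): %s" % (label, r["treated_as"], status, r["reason"]))


if __name__ == "__main__":
    main()
```

To obtain the subject of a PEM certificate, `openssl x509 -in client.pem -noout -subject` prints it; the parser above expects the comma-separated `type=value` form used for the `user` field in the shell session on this page, so reformat the openssl output into that shape before passing it in. Two certificates that pass this check can still fail `db.auth` for the ordinary reason that no matching user exists in `$external`, which is a separate condition from the cluster-member rejection modelled here.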

Comment by Bernie Hackett [ 21/Aug/13 ]

This issue isn't fixed. I still have the same problem with GitHub master at commit 3ae747331fc37e7826f6cd20088bee76b3a7bb00

Without --clusterAuthMode x509:

behackett@behackett-dt ~/work/mongo $ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
MongoDB shell version: 2.5.2-pre-
connecting to: test
Server has startup warnings: 
2013-08-21T14:58:20.241-0700 [initandlisten] 
2013-08-21T14:58:20.241-0700 [initandlisten] ** NOTE: This is a development version (2.5.2-pre-) of MongoDB.
2013-08-21T14:58:20.241-0700 [initandlisten] **       Not recommended for production.
2013-08-21T14:58:20.241-0700 [initandlisten] 
> 
> 
> use admin
switched to db admin
> db.runCommand('getCmdLineOpts')
{
	"argv" : [
		"./mongod",
		"--dbpath",
		"/storage/data/db/",
		"--sslOnNormalPorts",
		"--sslPEMKeyFile",
		"jstests/libs/server.pem",
		"--sslCAFile",
		"jstests/libs/ca.pem",
		"--sslCRLFile",
		"jstests/libs/crl.pem",
		"--auth"
	],
	"parsed" : {
		"auth" : true,
		"dbpath" : "/storage/data/db/",
		"sslCAFile" : "jstests/libs/ca.pem",
		"sslCRLFile" : "jstests/libs/crl.pem",
		"sslOnNormalPorts" : true,
		"sslPEMKeyFile" : "jstests/libs/server.pem"
	},
	"ok" : 1
}
> use $external
switched to db $external
> db.auth({user: "emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", mechanism: "MONGODB-X509"})
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0
> use admin
switched to db admin
> db.addUser({user: "emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", userSource: '$external', roles: ['dbAdminAnyDatabase']})
{
	"user" : "emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
	"userSource" : "$external",
	"roles" : [
		"dbAdminAnyDatabase"
	]
}
> use $external
switched to db $external
> db.auth({user: "emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", mechanism: "MONGODB-X509"})
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0
> 

The server log message:

2013-08-21T15:06:53.569-0700 [conn1] Failed to authenticate emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US@$external with mechanism MONGODB-X509: AuthenticationFailed X509 authentication is not allowed for cluster authentication

Once I add --clusterAuthMode x509:

> db.runCommand('getCmdLineOpts')
{
	"argv" : [
		"./mongod",
		"--dbpath",
		"/storage/data/db/",
		"--sslOnNormalPorts",
		"--sslPEMKeyFile",
		"jstests/libs/server.pem",
		"--sslCAFile",
		"jstests/libs/ca.pem",
		"--sslCRLFile",
		"jstests/libs/crl.pem",
		"--auth",
		"--clusterAuthMode",
		"x509"
	],
	"parsed" : {
		"auth" : true,
		"clusterAuthMode" : "x509",
		"dbpath" : "/storage/data/db/",
		"sslCAFile" : "jstests/libs/ca.pem",
		"sslCRLFile" : "jstests/libs/crl.pem",
		"sslOnNormalPorts" : true,
		"sslPEMKeyFile" : "jstests/libs/server.pem"
	},
	"ok" : 1
}
> use $external
switched to db $external
> db.auth({user: "emailAddress=root@lazarus,CN=client,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", mechanism: "MONGODB-X509"})
1

Buildinfo:

> db.runCommand('buildinfo')
{
	"version" : "2.5.2-pre-",
	"gitVersion" : "3ae747331fc37e7826f6cd20088bee76b3a7bb00",
	"OpenSSLVersion" : "OpenSSL 1.0.1c 10 May 2012",
	"sysInfo" : "Linux behackett-dt 3.8.13-gentoo #1 SMP PREEMPT Mon May 20 18:30:28 PDT 2013 x86_64 BOOST_LIB_VERSION=1_49",
	"loaderFlags" : "-fPIC -pthread -Wl,-z,now -rdynamic",
	"compilerFlags" : "-Wnon-virtual-dtor -Woverloaded-virtual -fPIC -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -Werror -pipe -O3 -Wno-unused-function -Wno-deprecated-declarations -fno-builtin-memcmp",
	"allocator" : "tcmalloc",
	"versionArray" : [
		2,
		5,
		2,
		-100
	],
	"javascriptEngine" : "V8",
	"bits" : 64,
	"debug" : false,
	"maxBsonObjectSize" : 16777216,
	"ok" : 1
}

Commit a277977911509f91e19847b85c2498437d8859a1 is definitely in my tree and included in this build, but it doesn't appear to have anything to do with this issue.

Comment by auto [ 30/Jul/13 ]

Author: Andreas Nilsson (agralius, andreas.nilsson@10gen.com)

Message: SERVER-10339 MONGODB-X509 client auth should not require clusterAuthMode
Branch: master
https://github.com/mongodb/mongo/commit/a277977911509f91e19847b85c2498437d8859a1

Generated at Thu Feb 08 03:22:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.