[SERVER-11574] Server using SSPI doesn't reject credentials using the default "mongodb" service name when told to use a different service name Created: 05/Nov/13  Updated: 16/Apr/20  Resolved: 16/Apr/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.3
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Craig Wilson Assignee: Mark Benvenuto
Resolution: Cannot Reproduce Votes: 0
Labels: 26qa, platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: Windows
Sprint: Security 2020-04-20

Description

When I start the server normally, the server uses the "mongodb" service name. It accepts valid credentials where the client uses the "mongodb" service name and rejects valid credentials where the client uses the "mongoother" service name. This is what I would have expected to happen.

However, when I start the server with setParameter=saslServiceName=mongoother, I get different results. It accepts valid credentials where the client uses the "mongodb" service name and also accepts valid credentials where the client uses the "mongoother" service name.

I believe the server should either accept all service names that are registered with the owner's account, or only accept the one that is specified at startup (or the default when none is specified).



Comments
Comment by Mark Benvenuto [ 13/Apr/20 ]

I can confirm that MongoDB 4.4.0-rc0 accepts all SPNs with the owning account. The saslServiceName parameter is not actually used by the Windows SSPI code so it uses any SPN associated with the owning account on Windows.

Comment by Craig Wilson [ 06/Nov/13 ]

The owner of the process -> the user that mongod is running under.

Given a username of mongodrunner, I can associate any number of SPNs with that account.

setspn -A mongodb/hostname.domain.com mongodrunner
setspn -A mongoother/hostname.domain.com mongodrunner

Now, mongodrunner has 2 SPNs associated with his account. When I start mongod with setParameter=saslServiceName=mongodb, then mongod accepts authentications using the mongodb service name and rejects authentications using the mongoother service name. However, when I start mongod with setParameter=saslServiceName=mongoother, then mongod accepts authentications using either the mongodb service name or the mongoother service name.

I'm saying that there needs to be consistency. Either all SPNs associated with the owning account (the account used to run the mongod process) need to work all the time, or only the one that is specified at startup should be allowed to work.

Hope that makes sense, not sure how else to state it.
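An added defender-side check for the situation described in the comment above and in Mark Benvenuto's comment (this is example code, not part of the ticket or of MongoDB): because the Windows SSPI path accepts a ticket for any SPN on the owning account regardless of saslServiceName, the script parses `setspn -L` output for the service account and flags every SPN whose service class is not the configured name. The account name, host and the setspn output text are constructed samples.

```python
import re
from typing import List

# Constructed sample of `setspn -L mongodrunner` output; not captured from a real domain.
SAMPLE_SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=mongodrunner,CN=Users,DC=domain,DC=com:
        mongodb/hostname.domain.com
        mongoother/hostname.domain.com
        mongoother/HOSTNAME
"""

# One indented SPN line: <service class>/<host>[:<port>]
SPN_RE = re.compile(r"^\s+(?P<cls>[^/\s]+)/(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$")


def parse_setspn_output(text: str) -> List[str]:
    """Return the SPN strings listed by `setspn -L`, skipping the header line."""
    spns = []
    for line in text.splitlines():
        if SPN_RE.match(line):
            spns.append(line.strip())
    return spns


def unexpected_spns(spns: List[str], sasl_service_name: str) -> List[str]:
    """SPNs on the service account whose service class differs from saslServiceName.

    Every SPN returned here would still be accepted by mongod on Windows even though
    the server was told to use only `sasl_service_name`. The comparison is
    case-insensitive, matching how Active Directory treats servicePrincipalName.
    """
    wanted = sasl_service_name.lower()
    return [spn for spn in spns if spn.split("/", 1)[0].lower() != wanted]


if __name__ == "__main__":
    registered = parse_setspn_output(SAMPLE_SETSPN_OUTPUT)
    extra = unexpected_spns(registered, "mongoother")
    for spn in extra:
        # Each of these is accepted despite saslServiceName=mongoother.
        print(f"unexpected SPN on service account: {spn}")
```

In practice the text would come from running `setspn -L <account>`; any SPN the check lists can be removed with `setspn -D` if it is not meant to authenticate to this mongod.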

Comment by Eric Milkie [ 06/Nov/13 ]

What do you mean by a "service name registered with the owner's account" – who is the owner?
