[SERVER-12270] Make Kerberos auth error messages more verbose Created: 07/Jan/14  Updated: 08/Sep/14  Resolved: 04/Sep/14

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: None
Fix Version/s: 2.7.6

Type: Improvement Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: kerberos
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Participants:

Description

The Kerberos/SASL auth error document that is returned by the authentication command to the client should be made more verbose.

One example is:

// saslServerConnAuthorize in sasl_authentication_session.cpp
sasl_seterror(conn, 0, "saslServerConnAuthorize: ", "Requested identity not authenticated identity");

that could include the names of the two mismatching identities.

Comments
Comment by Githook User [ 04/Sep/14 ]

Author:

Andreas Nilsson <agralius@gmail.com>

Message: SERVER-12270 Fixed indent and namespace labeling
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/de388c3156d09156248759573d68a322a57697c3

Comment by Githook User [ 04/Sep/14 ]

Author:

Andreas Nilsson <agralius@gmail.com>

Message: SERVER-12270 Improve Kerberos error logging
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/f5a0e142726e1c879ed1f4dc5da3faac5f3aefeb

Comment by Andy Schwerin [ 15/Jan/14 ]

When we log the requested and authenticated user names, we should make sure to escape the strings, so non-printing characters show up.

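The two points raised in this ticket, a mismatch message that names both identities (description and the 08/Jan/14 comment) and escaping of those names so non-printing bytes are visible (comment above), put together as an added example. This is not MongoDB's code and does not call the Cyrus SASL API; `authorizeIdentity`, `escapeForLog`, `AuthzResult` and the message wording are assumptions standing in for the saslServerConnAuthorize check, whose real text would be handed to sasl_seterror() and end up in the error document returned to the client.

```cpp
// Added example, not from the MongoDB tree or from Cyrus SASL.
#include <cstdio>
#include <iostream>
#include <string>

// Escape anything outside printable ASCII as \xNN, and backslash itself as
// \\, so a principal name carrying control bytes (e.g. an ANSI escape
// sequence) cannot alter the server log or a terminal showing the error
// document, and the original bytes can be recovered from the text.
std::string escapeForLog(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (unsigned char c : s) {
        if (c == '\\') {
            out += "\\\\";
        } else if (c >= 0x20 && c < 0x7f) {
            out += static_cast<char>(c);
        } else {
            char buf[5];  // "\xNN" plus terminator
            std::snprintf(buf, sizeof buf, "\\x%02X", c);
            out += buf;
        }
    }
    return out;
}

// Outcome of the authorization step: whether the requested identity was
// accepted, and the error text that would go to sasl_seterror() otherwise.
struct AuthzResult {
    bool ok;
    std::string message;
};

// Hypothetical stand-in for the authorize callback in the ticket. SASL
// identities are compared byte-for-byte; on a mismatch the message shows
// both names, escaped, instead of the bare "Requested identity not
// authenticated identity" string quoted in the description.
AuthzResult authorizeIdentity(const std::string& requestedUser,
                              const std::string& authenticatedUser) {
    if (requestedUser == authenticatedUser) {
        return {true, ""};
    }
    return {false,
            "saslServerConnAuthorize: authenticated as \"" +
                escapeForLog(authenticatedUser) +
                "\" but requested identity \"" +
                escapeForLog(requestedUser) + "\""};
}

int main() {
    // Constructed inputs: the realm mismatch from the ticket, and a
    // requested name that smuggles an ANSI "clear screen" sequence.
    std::cout << authorizeIdentity("bob@OTHERREALM", "bob@REALM1").message
              << "\n";
    std::cout << authorizeIdentity(std::string("bob\x1b[2J@REALM1"),
                                   "bob@REALM1").message
              << "\n";
    return 0;
}
```

Escaping is done once, inside the function that builds the message, so every consumer of the text (client-side error document, server log, support ticket) sees the same unambiguous rendering.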
Comment by Andy Schwerin [ 15/Jan/14 ]

This keeps coming up in support. We need to at least fix the Requested identity log message for 2.6.

Comment by Andy Schwerin [ 08/Jan/14 ]

This is about returning more information to the client, not logging. It would be nice to tell the client "you authenticated as bob@REALM1, but asked to be bob@OTHERREALM".

Comment by Spencer Brody (Inactive) [ 08/Jan/14 ]

The Linux messages should probably contain the same info as the Windows ones.

Comment by Andreas Nilsson [ 08/Jan/14 ]

Interesting, schwerin, should we close this then?

Comment by Eric Milkie [ 08/Jan/14 ]

The LOG(2) lines in mongo_sspi.cpp show all the names that we have, both authenticated and requested.

Comment by Andreas Nilsson [ 08/Jan/14 ]

Where does that output come from, the actual SASL library? I've seen nothing in the server code outputting that.

Comment by Eric Milkie [ 08/Jan/14 ]

At least in the Windows version of the SASL server, you can already raise the verbosity level to see the identity strings.

Generated at Thu Feb 08 03:28:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.