[SERVER-20365] "authentication failed, storedKey mismatch" on synthetic users and databases with '@'

Created: 10/Sep/15
Updated: 27/Mar/18
Resolved: 13/Jun/16

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.1.7
Fix Version/s: 3.3.9

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Spencer Jackson
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-23983 PLAIN authentication is truncating th... Closed
is related to SERVER-20362 JS Scopes may leak between synthetic ... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

In one window:

> use y@z
switched to db y@z
> db.createUser({user: "x", pwd: "pwd", roles: []})
Successfully added user: { "user" : "x", "roles" : [ ] }
> db.auth("x", "pwd")
1

In another:

> use z
switched to db z
> db.createUser({user: "x@y", pwd: "pwd", roles: []})
Successfully added user: { "user" : "x@y", "roles" : [ ] }
> db.auth("x@y", "pwd")
1

Return to the first window:

> db.auth("x", "pwd")
Error: Authentication failed.
0

Mongod will report:

2015-09-10T18:47:18.852-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:51466 #1 (1 connection now open)
2015-09-10T18:47:42.931-0400 I COMMAND  [conn1] command y@z.$cmd command: createUser { createUser: "x", pwd: "xxx", roles: [], digestPassword: false, writeConcern: { w: "majority", wtimeout: 30000.0 } } ntoreturn:1 ntoskip:0 keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 164ms
2015-09-10T18:47:49.627-0400 I ACCESS   [conn1] Successfully authenticated as principal x on y@z
2015-09-10T18:47:57.537-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:51468 #2 (2 connections now open)
2015-09-10T18:48:10.693-0400 I ACCESS   [conn2] Successfully authenticated as principal x@y on z
2015-09-10T18:48:18.226-0400 I ACCESS   [conn1] SCRAM-SHA-1 authentication failed for x on y@z from client 127.0.0.1 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch

Sprint: Security 15 (06/03/16), Security 16 (06/24/16)
Participants:

 Description   

It appears that comparison of UserName objects doesn't take into account the location of the split point between usernames and database names. This means that when you have two users, one named 'x' on DB 'y@z' and one named 'x@y' on DB 'z', a conflict is possible which prevents one from logging in.



 Comments   
Comment by Githook User [ 13/Jun/16 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-20365 Make UserName comparison consider split point
Branch: master
https://github.com/mongodb/mongo/commit/3b1f78184830f8f2102025f535e0b5266f3c0539
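
The collision reported in the description, as an added example that is not MongoDB's code: `Principal` is a hypothetical, simplified stand-in for a name held as one "user@db" string plus a split index, and the `std::set` stands in for any lookup keyed on that name. It goes slightly beyond the ticket by showing the ordering comparison as well as equality.

```cpp
// Added illustration: a simplified model, not MongoDB's UserName class.
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <tuple>

// Hypothetical stand-in: one "user@db" string plus the separator's index.
struct Principal {
    std::string fullName;    // e.g. "x@y@z"
    std::size_t splitPoint;  // index of the '@' between user and db
    Principal(const std::string& user, const std::string& db)
        : fullName(user + "@" + db), splitPoint(user.size()) {}
    std::string user() const { return fullName.substr(0, splitPoint); }
    std::string db() const { return fullName.substr(splitPoint + 1); }
};

// Behaviour described in the ticket: only the joined string is compared.
bool equalIgnoringSplit(const Principal& a, const Principal& b) {
    return a.fullName == b.fullName;
}
bool lessIgnoringSplit(const Principal& a, const Principal& b) {
    return a.fullName < b.fullName;
}

// Comparisons that also consider where the user/db split falls.
bool equalWithSplit(const Principal& a, const Principal& b) {
    return a.splitPoint == b.splitPoint && a.fullName == b.fullName;
}
bool lessWithSplit(const Principal& a, const Principal& b) {
    return std::tie(a.splitPoint, a.fullName) < std::tie(b.splitPoint, b.fullName);
}

// How many entries a keyed container keeps for the ticket's two principals.
template <typename Less>
std::size_t distinctEntries(Less less) {
    std::set<Principal, Less> entries(less);
    entries.insert(Principal("x", "y@z"));   // user x on db y@z
    entries.insert(Principal("x@y", "z"));   // user x@y on db z
    return entries.size();
}

int main() {
    std::cout << "ignoring split: " << distinctEntries(lessIgnoringSplit)
              << " entry, with split: " << distinctEntries(lessWithSplit)
              << " entries\n";
}
```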
