[SERVER-39404] SASL negotiation in shell 4.0.5 fails to authenticate SCRAM-SHA-256 user Created: 06/Feb/19  Updated: 05/Apr/19  Resolved: 05/Apr/19

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: 3.6.10, 4.0.5
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Spencer Brown Assignee: Shreyas Kalyan
Resolution: Duplicate Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-39178 Negotiate SCRAM mechanism in MongoURI... Closed
Duplicate
is duplicated by SERVER-39178 Negotiate SCRAM mechanism in MongoURI... Closed
Operating System: ALL
Steps To Reproduce:

Start a standalone 4.0.5 server with a config similar to:

processManagement:
  fork: true
 
storage:
  dbPath: data/m
  journal:
    enabled: true
 
systemLog:
  destination: file
  logAppend: false
  path: data/m.log
 
security:
  authorization: enabled
 
setParameter:
  authenticationMechanisms: SCRAM-SHA-256

Connect locally with the mongo shell and create the first user (user: admin, pwd: tester).
This user is created with SCRAM-SHA-256 credentials, since that is the only mechanism enabled above.

au = {
    user: 'admin',
    pwd: 'tester',
    roles: ['root']
};
 
adb = db.getSiblingDB('admin');
adb.createUser(au);

Exit, then run the 4.0.5 mongo shell again and note the authentication failure; this is the bug:

Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin
MongoDB shell version v4.0.5
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
2019-02-06T14:12:36.240-0600 E QUERY    [js] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:328:13
@(connect):1:6
exception: connect failed

This message is logged in the server:

2019-02-06T14:12:36.239-0600 I ACCESS   [conn5] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52258 ; BadValue: SCRAM-SHA-1 authentication is disabled

The workaround is to explicitly specify the authentication mechanism:

Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin --authenticationMechanism SCRAM-SHA-256
MongoDB shell version v4.0.5
connecting to: mongodb://127.0.0.1:27017/?authMechanism=SCRAM-SHA-256&authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("13346da3-f927-4c38-a93c-6f36a7e0aaa0") }
MongoDB server version: 4.0.5
Server has startup warnings:
(elided)
MongoDB Enterprise >

Now try the mongo shell version 4.0.4, note the authentication success:

Spencer-Brown:repros spencer$ /usr/local/bin/mongodb-4.0.4-ent/mongo --username admin --password tester --authenticationDatabase admin
MongoDB shell version v4.0.4
connecting to: mongodb://127.0.0.1:27017
Implicit session: session { "id" : UUID("dfe3d0d1-3192-4fe6-9186-5d4956552c4d") }
MongoDB server version: 4.0.5
Server has startup warnings:
(elided)
MongoDB Enterprise >

Sprint: Security 2019-02-25, Security 2019-03-11, Security 2019-03-25, Security 2019-04-08

Description

When a user has SCRAM-SHA-256 credentials, the mongo shell negotiates the SASL authentication mechanism when no explicit authentication mechanism is given. See SERVER-32977.

With a mongod version 4.0.5 with only the SCRAM-SHA-256 authentication mechanism enabled, the mongo shell version 4.0.4 successfully authenticates but the mongo shell version 4.0.5 does not. This appears to be a regression in 4.0.5.

The workaround is to specify the authentication mechanism as SCRAM-SHA-256.
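The three connect paths the ticket describes (shell 4.0.5 with no discovery, shell 4.0.4 / db.auth() with isMaster-based negotiation, and the explicit --authenticationMechanism workaround) modelled side by side. This is an added example written for this page, not code from the mongo shell or server; the server object, its user table and the intersection rule used for saslSupportedMechs are constructed stand-ins for a 4.0.5 mongod started with the config above, and the error strings are copied from the ticket's logs rather than produced by a real server.

```javascript
// Constructed stand-in for a 4.0.5 mongod started with
//   setParameter.authenticationMechanisms: SCRAM-SHA-256
// and one user, admin.admin, created with SCRAM-SHA-256 credentials only.
const server = {
  enabledMechanisms: ["SCRAM-SHA-256"],
  users: { "admin.admin": { mechanisms: ["SCRAM-SHA-256"] } },
};

// Modelled server side of isMaster. When the client includes
// saslSupportedMechs: "<db>.<user>", a 4.0 server adds a saslSupportedMechs
// array to the reply (SERVER-32977). Assumption: the array is the user's
// credential types restricted to the mechanisms enabled on the server.
function isMaster(srv, cmd) {
  const reply = { ismaster: true, maxWireVersion: 7, ok: 1 };
  if (cmd.saslSupportedMechs) {
    const user = srv.users[cmd.saslSupportedMechs];
    if (user) {
      reply.saslSupportedMechs = user.mechanisms.filter((m) =>
        srv.enabledMechanisms.includes(m)
      );
    }
  }
  return reply;
}

// Modelled server side of saslStart: a mechanism that is not in
// authenticationMechanisms is refused before any credential check, which is
// the "SCRAM-SHA-1 authentication is disabled" line in the ticket's server log.
function saslStart(srv, db, user, mechanism) {
  if (!srv.enabledMechanisms.includes(mechanism)) {
    return { ok: 0, errmsg: `${mechanism} authentication is disabled` };
  }
  const u = srv.users[`${db}.${user}`];
  if (!u || !u.mechanisms.includes(mechanism)) {
    return { ok: 0, errmsg: "Authentication failed." };
  }
  return { ok: 1, mechanism };
}

// Client-side negotiation, as the shell's auth() does it: ask isMaster for the
// user's mechanisms, prefer SCRAM-SHA-256 when offered, otherwise fall back to
// SCRAM-SHA-1 (also the default when the server returns no saslSupportedMechs,
// e.g. for an unknown user or a pre-4.0 server).
function negotiateMechanism(srv, db, user) {
  const reply = isMaster(srv, { isMaster: 1, saslSupportedMechs: `${db}.${user}` });
  const offered = reply.saslSupportedMechs || [];
  return offered.includes("SCRAM-SHA-256") ? "SCRAM-SHA-256" : "SCRAM-SHA-1";
}

// The three connect paths from the ticket:
//   authMechanism set   -> --authenticationMechanism workaround, no discovery
//   negotiate: true     -> shell 4.0.4 connect() / 4.0.5 db.auth()
//   negotiate: false    -> shell 4.0.5 connect() via MongoURI::connect(),
//                          which skips discovery and defaults to SCRAM-SHA-1
function connect(srv, { db, user, authMechanism, negotiate }) {
  let mechanism;
  if (authMechanism) {
    mechanism = authMechanism;
  } else if (negotiate) {
    mechanism = negotiateMechanism(srv, db, user);
  } else {
    mechanism = "SCRAM-SHA-1";
  }
  return saslStart(srv, db, user, mechanism);
}

// Usage: reproduce the ticket's three outcomes against the constructed server.
console.log(connect(server, { db: "admin", user: "admin", negotiate: false }));
console.log(connect(server, { db: "admin", user: "admin", negotiate: true }));
console.log(connect(server, { db: "admin", user: "admin", authMechanism: "SCRAM-SHA-256" }));
```

The first call fails with the same error the server logged in the report, the second and third succeed with SCRAM-SHA-256. Note the fallback in negotiateMechanism: for a user the server does not know, the client still ends up offering SCRAM-SHA-1, so on a server that enables only SCRAM-SHA-256 an unknown user and a negotiation bug produce the same "disabled" error; check the user's credential types with db.getUser() before concluding the shell is at fault.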



Comments
Comment by Shreyas Kalyan [ 05/Apr/19 ]

The original server ticket was backported in https://jira.mongodb.org/browse/BACKPORT-3956

Comment by Jonathan Reams [ 12/Feb/19 ]

This is caused by SERVER-35212 (both in master and 4.0). It changes how the initial shell connection is established so that authentication is attempted from the MongoURI::connect() which does not do SASL mechanism discovery. We are planning on adding that discovery in SERVER-39178 which should fix this.

Comment by Sara Golemon [ 11/Feb/19 ]

I think the easiest fix for this will not so much involve adding negotiation logic to MongoURI::connect() as making the shell's connect() function perform the negotiation before passing it off to `new Mongo()`. Take a look at what the auth() function does to perform negotiation via isMaster.

Comment by Danny Hatcher (Inactive) [ 06/Feb/19 ]

In addition, accessing the shell via mongo and then using the db.auth() command works correctly:

Hatcher:~ danielhatcher$ mongo -u test -p test --authenticationDatabase admin
MongoDB shell version v4.0.5
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
2019-02-06T15:52:06.955-0500 E QUERY    [js] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:328:13
@(connect):1:6
exception: connect failed
Hatcher:~ danielhatcher$ mongo
MongoDB shell version v4.0.5
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("642c28d6-1722-4c65-b21a-6064621e574c") }
MongoDB server version: 4.0.5
> use admin
switched to db admin
> db.auth("test", "test")
1
