[SERVER-51457] Improve log line for failed speculative auth attempts Created: 09/Oct/20  Updated: 29/Oct/23  Resolved: 10/Dec/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.6

Type: Improvement Priority: Major - P3
Reporter: Divjot Arora (Inactive) Assignee: Varun Ravichandran
Resolution: Fixed Votes: 0
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-14044 Investigate changes in SERVER-51457: ... Closed
Related
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.4
Sprint: Security 2020-11-30, Security 2020-12-14
Participants:
Case:

Description

If a user is created with auth mechanism SCRAM-SHA-1 and the URI provided to the driver does not have an authMechanism parameter, the driver will attempt to do speculative authentication using the SCRAM-SHA-256 mechanism per the MongoDB Handshake specification. On a 4.4+ server, this generates a log line like

{"t":{"$date":"2020-10-06T13:09:11.911-04:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"user","authenticationDatabase":"admin","client":"127.0.0.1:51939","result":"AuthenticationFailed: Unable to use SCRAM-SHA-256 based authentication for user without any SCRAM-SHA-256 credentials registered"}}

According to sara.golemon, logging this is important because otherwise, an attacker could try to brute force password guesses in isMaster attempts and the server wouldn't log anything. However, this is a confusing line to see in access logs because it makes it seem like something went wrong when everything is actually behaving as expected. Would it be possible to clarify that this is due to a failed speculative authentication attempt in the log?
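As an added example (not code from the ticket or from the MongoDB project), the following Python triage script parses 4.4-style structured log lines like the one above and separates the benign mechanism-mismatch noise described in this ticket from credential rejections that should be counted per client. The sample lines are constructed: the first copies the ticket's event, and the "Speculative authentication failed" wording is assumed here to be the post-fix message proposed in the comments.

```python
import json
from collections import Counter

# Constructed sample lines in the MongoDB 4.4 structured log format. Line 1 copies
# the ticket's mechanism-mismatch event; lines 2-4 are assumed shapes for a real
# wrong-password failure, the clarified post-fix wording, and an unrelated event.
SAMPLE_LOG = """\
{"t":{"$date":"2020-10-06T13:09:11.911-04:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"user","authenticationDatabase":"admin","client":"127.0.0.1:51939","result":"AuthenticationFailed: Unable to use SCRAM-SHA-256 based authentication for user without any SCRAM-SHA-256 credentials registered"}}
{"t":{"$date":"2020-10-06T13:09:12.100-04:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn15","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"user","authenticationDatabase":"admin","client":"10.0.0.7:40001","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2020-10-06T13:09:13.000-04:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn16","msg":"Speculative authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"user","authenticationDatabase":"admin","client":"10.0.0.7:40002","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2020-10-06T13:09:14.000-04:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.7:40003","connectionCount":3}}
"""

AUTH_FAILED_MSGS = ("Authentication failed", "Speculative authentication failed")
MISMATCH_MARKER = "without any SCRAM-SHA-256 credentials registered"


def classify(event):
    """Label one parsed event: 'mechanism_mismatch' (driver speculated SCRAM-SHA-256
    for a SCRAM-SHA-1-only user, the benign noise from the ticket),
    'speculative_failed' / 'auth_failed' (a credential was actually rejected),
    or None (not an authentication-failure event)."""
    msg = event.get("msg")
    if msg not in AUTH_FAILED_MSGS:
        return None
    if MISMATCH_MARKER in event.get("attr", {}).get("result", ""):
        return "mechanism_mismatch"
    return "speculative_failed" if msg.startswith("Speculative") else "auth_failed"


def parse_lines(text):
    """Parse newline-delimited JSON log lines, skipping blank or non-JSON ones."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def failures_by_client(text):
    """Count rejected credentials per client host, speculative ones included,
    so repeated guesses carried inside isMaster are not hidden by the noise."""
    counts = Counter()
    for event in parse_lines(text):
        if classify(event) in ("speculative_failed", "auth_failed"):
            host = event["attr"]["client"].rsplit(":", 1)[0]
            counts[host] += 1
    return counts
```

Run `failures_by_client` over a real mongod log to get one count per source host while the mechanism-mismatch events are ignored.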



Comments
Comment by Githook User [ 09/Apr/21 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-51457: Improve log line for failed speculative auth attempts

(cherry picked from commit 33afc4e43719177adac01b9f9978dd3477b37649)
Branch: v4.4
https://github.com/mongodb/mongo/commit/8f37e1305d45230ae04a683f7b9dff56bd2e98ed

Comment by Githook User [ 09/Apr/21 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-51457: Improve log line for failed speculative auth

(cherry picked from commit 4f3cc5dad8cb4acc88c6644912e3ccc0f5cb1153)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/64a1003d13ab8a4ce0841d7b90506099c8d2e5d5

Comment by Githook User [ 09/Dec/20 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-51457: Improve log line for failed speculative auth attempts
Branch: master
https://github.com/mongodb/mongo/commit/33afc4e43719177adac01b9f9978dd3477b37649

Comment by Githook User [ 09/Dec/20 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-51457: Improve log line for failed speculative auth
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/4f3cc5dad8cb4acc88c6644912e3ccc0f5cb1153

Comment by Spencer Brown [ 11/Nov/20 ]

to make it even clearer:

if (session->isSpeculative()) {
    result_string = "Speculative authentication failed";
} else {
    result_string = "Authentication failed";
}

my C++ is extremely rusty but you get the idea
