[SERVER-51457] Improve log line for failed speculative auth attempts
Created: 09/Oct/20  Updated: 29/Oct/23  Resolved: 10/Dec/20

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0, 4.4.6 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Divjot Arora (Inactive) |
| Assignee: | Varun Ravichandran |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.4 |
| Sprint: | Security 2020-11-30, Security 2020-12-14 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |

If a user is created with auth mechanism SCRAM-SHA-1 and the URI provided to the driver does not have an authMechanism parameter, the driver will attempt speculative authentication using the SCRAM-SHA-256 mechanism, per the MongoDB Handshake specification. On a 4.4+ server, this generates a log line like

According to sara.golemon, logging this is important because otherwise an attacker could try brute-force password guesses in isMaster attempts and the server wouldn't log anything. However, this is a confusing line to see in access logs because it makes it seem like something went wrong when everything is actually behaving as expected. Would it be possible to clarify in the log that this is due to a failed speculative authentication attempt?
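The tension the description raises (speculative failures must stay logged so guessing is visible, yet a single speculative miss followed by a success is normal driver behaviour) is what a log consumer has to resolve. The following is an added example, not code from the ticket or from the MongoDB server: it groups constructed 4.4-style JSON log lines per client host and separates the benign fallback from repeated failures. The "msg" strings and the "attr" field names, including a "speculative" flag, are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample lines in the MongoDB 4.4+ JSON log shape. The "msg" strings and
# the "attr" field names (including "speculative") are assumptions for this example.
SAMPLE_LOG = """\
{"t":{"$date":"2020-10-09T10:00:00.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn1","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"user":"app","db":"admin","client":"10.0.0.5:50001"}}
{"t":{"$date":"2020-10-09T10:00:00.010+00:00"},"s":"I","c":"ACCESS","ctx":"conn1","msg":"Successfully authenticated","attr":{"mechanism":"SCRAM-SHA-1","user":"app","db":"admin","client":"10.0.0.5:50001"}}
{"t":{"$date":"2020-10-09T10:00:01.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn2","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"user":"admin","db":"admin","client":"198.51.100.7:40001"}}
{"t":{"$date":"2020-10-09T10:00:01.100+00:00"},"s":"I","c":"ACCESS","ctx":"conn3","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"user":"admin","db":"admin","client":"198.51.100.7:40002"}}
{"t":{"$date":"2020-10-09T10:00:01.200+00:00"},"s":"I","c":"ACCESS","ctx":"conn4","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"user":"admin","db":"admin","client":"198.51.100.7:40003"}}
not a json line, standing in for a truncated or corrupt log entry
"""

def client_host(addr):
    """Drop the ephemeral port so retries on fresh connections group together."""
    return addr.rsplit(":", 1)[0]

def summarize_auth(log_text, threshold=3):
    """Per client host: count speculative and non-speculative failures and classify."""
    stats = defaultdict(lambda: {"speculative_failures": 0,
                                 "other_failures": 0, "succeeded": False})
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines instead of aborting the scan
        attr = event.get("attr", {})
        if event.get("c") != "ACCESS" or "client" not in attr:
            continue
        entry = stats[client_host(attr["client"])]
        if event.get("msg") == "Successfully authenticated":
            entry["succeeded"] = True
        elif event.get("msg") == "Authentication failed":
            kind = "speculative_failures" if attr.get("speculative") else "other_failures"
            entry[kind] += 1
    for entry in stats.values():
        failures = entry["speculative_failures"] + entry["other_failures"]
        if failures >= threshold and not entry["succeeded"]:
            # Repeated failures with no success, speculative or not, is the
            # guessing pattern the ticket says must stay visible in the log.
            entry["verdict"] = "suspicious"
        elif entry["succeeded"] and entry["other_failures"] == 0:
            # One speculative SCRAM-SHA-256 miss followed by a SCRAM-SHA-1
            # success is the benign driver fallback the ticket describes.
            entry["verdict"] = "expected-fallback"
        else:
            entry["verdict"] = "review"
    return dict(stats)
```

Without a speculative marker in the log line, the first host's single miss and the second host's run of misses would read identically, which is exactly the ambiguity the ticket asks the server to remove.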
| Comments |
| Comment by Githook User [ 09/Apr/21 ] |

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message: (cherry picked from commit 33afc4e43719177adac01b9f9978dd3477b37649)
| Comment by Githook User [ 09/Apr/21 ] |

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message: (cherry picked from commit 4f3cc5dad8cb4acc88c6644912e3ccc0f5cb1153)
| Comment by Githook User [ 09/Dec/20 ] |

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message:
| Comment by Githook User [ 09/Dec/20 ] |

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message:
| Comment by Spencer Brown [ 11/Nov/20 ] |

To make it even clearer: if (session->isSpeculative()) then my C++ is extremely rusty but you get the idea