[SERVER-62476] Improve error message for unsupported SCRAM mechanism when authenticating with local.__system user Created: 10/Jan/22  Updated: 27/Mar/23  Resolved: 27/Mar/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Adam Rayner Assignee: Brad Moore
Resolution: Cannot Reproduce Votes: 0
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Sprint: Security 2023-04-03
Participants:

Description

SERVER-46399 removed SCRAM-SHA-1 as an implicit auth mechanism for intra-cluster authentication - when an attempt is now made to authenticate using SCRAM-SHA-1 with the local.__system user, the following misleading error is reported:

"AuthenticationFailed: It is not possible to authenticate as the __system user on servers started without a --keyFile parameter"

We should improve the error message to be less confusing by failing the request earlier, e.g. in this block:

https://github.com/mongodb/mongo/blob/d5f5bf69042dbef818e2d0adf84799a6a6d33aa9/src/mongo/db/auth/sasl_scram_server_conversation.cpp#L183

Comments
Comment by Brad Moore [ 27/Mar/23 ]

Currently, starting a server without SCRAM-SHA-1 as an accepted authentication mechanism produces the correct error message if a connection attempt is made using SCRAM-SHA-1:

./build/install/bin/mongod --keyFile jstests/libs/key1 --setParameter authenticationMechanisms=SCRAM-SHA-256

client:

Enterprise test> use local
switched to db local
Enterprise local> db.auth({user: "__system", pwd: "foopdedoop", mechanism: "SCRAM-SHA-1"})
MongoServerError: Received authentication for mechanism SCRAM-SHA-1 which is not enabled

server log:

{"t":{"$date":"2023-03-27T10:20:02.968-04:00"}, ... ,"error":"MechanismUnavailable: Received authentication for mechanism SCRAM-SHA-1 which is not enabled","result":334, ...}
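A log-side check for the behaviour shown in this comment, added here as an example and not part of the ticket or of the MongoDB code base: it parses mongod structured-log lines (constructed samples modelled on the line above; the log id 20249, connection ids, principal names and remote addresses are assumptions) and counts authentication failures whose result is 334 (MechanismUnavailable), separating intra-cluster __system attempts from ordinary user attempts.

```python
import json
from collections import Counter

# Constructed sample mongod structured-log lines (one JSON object per line), modelled
# on the fields shown in the comment above. The log ids, ctx, principal names and remote
# addresses are assumptions; the "error" text and "result":334 come from the ticket.
SAMPLE_LOG = """\
{"t":{"$date":"2023-03-27T10:20:02.968-04:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn7","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","speculative":false,"principalName":"__system","authenticationDatabase":"local","remote":"127.0.0.1:51234","extraInfo":{},"error":"MechanismUnavailable: Received authentication for mechanism SCRAM-SHA-1 which is not enabled","result":334}}
{"t":{"$date":"2023-03-27T10:20:05.101-04:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn8","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"__system","authenticationDatabase":"local","remote":"127.0.0.1:51235","extraInfo":{}}}
{"t":{"$date":"2023-03-27T10:20:09.412-04:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn9","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","speculative":false,"principalName":"app","authenticationDatabase":"admin","remote":"10.0.0.5:40001","extraInfo":{},"error":"MechanismUnavailable: Received authentication for mechanism SCRAM-SHA-1 which is not enabled","result":334}}
{"t":{"$date":"2023-03-27T10:20:11.000-04:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn10","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"app","authenticationDatabase":"admin","remote":"10.0.0.5:40002","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch","result":18}}
"""

MECHANISM_UNAVAILABLE = 334  # ErrorCodes::MechanismUnavailable, the "result" value in the ticket


def parse_auth_failures(log_text):
    """Yield (mechanism, principal, db, remote) for each failed auth that used a disabled mechanism."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured-log line; skip it
        if rec.get("c") != "ACCESS" or rec.get("msg") != "Authentication failed":
            continue
        attr = rec.get("attr", {})
        if attr.get("result") != MECHANISM_UNAVAILABLE:
            continue  # other failures (e.g. bad password) are not what we are looking for
        yield (attr.get("mechanism"), attr.get("principalName"),
               attr.get("authenticationDatabase"), attr.get("remote"))


def summarize(log_text):
    """Count disabled-mechanism attempts per (mechanism, principal, db); collect __system sources."""
    counts = Counter()
    system_remotes = []
    for mech, principal, db, remote in parse_auth_failures(log_text):
        counts[(mech, principal, db)] += 1
        if principal == "__system" and db == "local":
            system_remotes.append(remote)  # a cluster member or tool using a disabled mechanism
    return counts, system_remotes


if __name__ == "__main__":
    counts, system_remotes = summarize(SAMPLE_LOG)
    for (mech, principal, db), n in counts.items():
        print(f"{n}x {mech} attempt(s) by {principal}@{db} rejected as MechanismUnavailable")
    print("intra-cluster (__system) attempts from:", system_remotes)
```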
