...
When a user has SCRAM-SHA-256 credentials, the mongo shell negotiates the SASL authentication mechanism when no explicit authentication mechanism is given. See SERVER-32977. With a mongod version 4.0.5 with only the SCRAM-SHA-256 authentication mechanism enabled, the mongo shell version 4.0.4 successfully authenticates but the mongo shell version 4.0.5 does not. This appears to be a regression in 4.0.5. The workaround is to specify the authentication mechanism as SCRAM-SHA-256.
shreyas.kalyan commented on Fri, 5 Apr 2019 15:38:29 +0000:
The original server ticket was backported in https://jira.mongodb.org/browse/BACKPORT-3956

jonathan.reams@10gen.com commented on Tue, 12 Feb 2019 17:54:34 +0000:
This is caused by SERVER-35212 (both in master and 4.0). It changes how the initial shell connection is established so that authentication is attempted from the MongoURI::connect() which does not do SASL mechanism discovery. We are planning on adding that discovery in SERVER-39178 which should fix this.

sara.golemon commented on Mon, 11 Feb 2019 19:45:53 +0000:
I think the easiest fix for this will not so much involve adding negotiation logic to MongoURI::connect() as making the shell's connect() function perform the negotiation before passing it off to `new Mongo()`. Take a look at what the auth() function does to perform negotiation via isMaster.

daniel.hatcher commented on Wed, 6 Feb 2019 20:53:40 +0000:
In addition, accessing the shell via mongo and then using the db.auth() command works correctly:

    Hatcher:~ danielhatcher$ mongo -u test -p test --authenticationDatabase admin
    MongoDB shell version v4.0.5
    connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
    2019-02-06T15:52:06.955-0500 E QUERY [js] Error: Authentication failed. :
    connect@src/mongo/shell/mongo.js:328:13
    @(connect):1:6
    exception: connect failed
    Hatcher:~ danielhatcher$ mongo
    MongoDB shell version v4.0.5
    connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("642c28d6-1722-4c65-b21a-6064621e574c") }
    MongoDB server version: 4.0.5
    > use admin
    switched to db admin
    > db.auth("test", "test")
    1
Start a standalone 4.0.5 server with a config similar to:

    processManagement:
      fork: true
    storage:
      dbPath: data/m
      journal:
        enabled: true
    systemLog:
      destination: file
      logAppend: false
      path: data/m.log
    security:
      authorization: enabled
    setParameter:
      authenticationMechanisms: SCRAM-SHA-256

Connect locally with the mongo shell, and create the first user: admin, pwd: tester. This user is created with SCRAM-SHA-256 credentials.

    au = { user: 'admin', pwd: 'tester', roles: ['root'] };
    adb = db.getSiblingDB('admin');
    adb.createUser(au);

Exit, and run a mongo shell 4.0.5, note the authentication failure – this is the bug:

    Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin
    MongoDB shell version v4.0.5
    connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
    2019-02-06T14:12:36.240-0600 E QUERY [js] Error: Authentication failed. :
    connect@src/mongo/shell/mongo.js:328:13
    @(connect):1:6
    exception: connect failed

This message is logged in the server:

    2019-02-06T14:12:36.239-0600 I ACCESS [conn5] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:52258 ; BadValue: SCRAM-SHA-1 authentication is disabled

The workaround is to explicitly specify the authentication mechanism:

    Spencer-Brown:repros spencer$ mongo --username admin --password tester --authenticationDatabase admin --authenticationMechanism SCRAM-SHA-256
    MongoDB shell version v4.0.5
    connecting to: mongodb://127.0.0.1:27017/?authMechanism=SCRAM-SHA-256&authSource=admin&gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("13346da3-f927-4c38-a93c-6f36a7e0aaa0") }
    MongoDB server version: 4.0.5
    Server has startup warnings: (elided)
    MongoDB Enterprise >

Now try the mongo shell version 4.0.4, note the authentication success:

    Spencer-Brown:repros spencer$ /usr/local/bin/mongodb-4.0.4-ent/mongo --username admin --password tester --authenticationDatabase admin
    MongoDB shell version v4.0.4
    connecting to: mongodb://127.0.0.1:27017
    Implicit session: session { "id" : UUID("dfe3d0d1-3192-4fe6-9186-5d4956552c4d") }
    MongoDB server version: 4.0.5
    Server has startup warnings: (elided)
    MongoDB Enterprise >
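
The mechanism negotiation via isMaster that the comments refer to, sketched as an added example (not code from the ticket or from the MongoDB shell). The function names and the sample reply are constructed for illustration; the "skipped" case models a client that attempts authentication without running discovery, which matches the SCRAM-SHA-1 attempt seen in the server log above.

```javascript
// Added example; function names are hypothetical, replies are constructed.

// Handshake that asks the server which SASL mechanisms "<authDb>.<user>" supports.
function buildHandshake(authDb, user) {
  return { isMaster: 1, saslSupportedMechs: `${authDb}.${user}` };
}

// Pick the mechanism for a username/password login.
function selectMechanism(isMasterReply, explicitMechanism) {
  // An explicit --authenticationMechanism / authMechanism= always wins.
  if (explicitMechanism) return explicitMechanism;
  const mechs = isMasterReply && isMasterReply.saslSupportedMechs;
  // Field absent (older server, or discovery never ran): fall back to SCRAM-SHA-1.
  if (!Array.isArray(mechs)) return "SCRAM-SHA-1";
  return mechs.includes("SCRAM-SHA-256") ? "SCRAM-SHA-256" : "SCRAM-SHA-1";
}

// Model of the server side: a mechanism outside authenticationMechanisms is refused.
function attempt(enabledMechs, mechanism) {
  return enabledMechs.includes(mechanism)
    ? { ok: 1, mechanism }
    : { ok: 0, mechanism, error: `${mechanism} authentication is disabled` };
}

// Constructed reply from a server where the user has only SCRAM-SHA-256 credentials.
const sampleReply = {
  ismaster: true, maxWireVersion: 7, saslSupportedMechs: ["SCRAM-SHA-256"], ok: 1,
};
const serverEnabled = ["SCRAM-SHA-256"]; // setParameter.authenticationMechanisms

function compareClients() {
  return {
    // Client that runs discovery before authenticating.
    negotiated: attempt(serverEnabled, selectMechanism(sampleReply)),
    // Client that skips discovery: there is no reply to inspect.
    skipped: attempt(serverEnabled, selectMechanism(null)),
    // Workaround from the ticket: mechanism given explicitly.
    explicit: attempt(serverEnabled, selectMechanism(null, "SCRAM-SHA-256")),
  };
}

console.log(buildHandshake("admin", "admin"), compareClients());
```
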