Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: 2.7.2, 2.7.3, 2.7.4
Component/s: Security
ALL
The basic SCRAM-SHA-1 support added in 2.7.2 seems to be broken. A SASL conversation can be completed following RFC 5802 (the v field value returned from the server matches the server signature calculated on the client), but the server returns {done: false} and any subsequent operations fail authorization.
Example user:
> db.system.users.findOne()
{
    "_id" : "admin.admin",
    "user" : "admin",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "3L2ChDOtpFE3t7dbOwAPdQ==",
            "storedKey" : "wnUNZ+Wl/B+k1+RBNfb4hihgapo=",
            "serverKey" : "3Q5qYn40wXktIB2M3SkK+czdXNg="
        },
        "MONGODB-CR" : "e4e538f5dcb52537cad02bbf8491693c"
    },
    "roles" : [ { "role" : "root", "db" : "admin" } ]
}
Example authentication attempt with debug output:
>>> c.admin.authenticate('admin', 'pass', mechanism='SCRAM-SHA-1')
C: SON([('saslStart', 1), ('mechanism', 'SCRAM-SHA-1'), ('payload', Binary(b'n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA==', 0)), ('autoAuthorize', 1)])
S: {'done': False, 'payload': b'r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000', 'conversationId': 1, 'ok': 1.0}
server provided salt: b'3L2ChDOtpFE3t7dbOwAPdQ=='
client generated storedKey: b'wnUNZ+Wl/B+k1+RBNfb4hihgapo='
client generated serverKey: b'3Q5qYn40wXktIB2M3SkK+czdXNg='
client generated v: b'ss94QBaOXP1cQGYhgjuyDDMipO8='
C: SON([('saslContinue', 1), ('conversationId', 1), ('payload', Binary(b'c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=', 0))])
S: {'done': False, 'payload': b'v=ss94QBaOXP1cQGYhgjuyDDMipO8=', 'conversationId': 1, 'ok': 1.0}
Server binaries were built with the enterprise modules. Mongod started like so:
mongod --dbpath ~/data/db --auth --setParameter authenticationMechanisms=SCRAM-SHA-1,MONGODB-CR
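The key derivation, proof and server-signature steps of the conversation above, as an added Python example (not code from the ticket, the server or PyMongo). It takes the salt, iteration count and nonces from the ticket, pre-hashes the password the way MongoDB does for SCRAM-SHA-1 (hex MD5 of user:mongo:password, the MONGODB-CR digest) so the derived storedKey and serverKey can be compared with the credential document, and also runs the server side of the proof check; the helper names and the run_conversation() return keys are this example's own.

```python
import base64
import hashlib
import hmac

# Inputs copied from the ticket (credential document and debug output).
USER, PASSWORD = "admin", "pass"
SALT_B64, ITERATIONS = "3L2ChDOtpFE3t7dbOwAPdQ==", 10000
CLIENT_NONCE = "NzcyOTU5MDIwNDAyNTc3NA=="
FULL_NONCE = CLIENT_NONCE + "YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E"  # server appends its part

def h(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mongo_scram_password(user, password):
    # MongoDB feeds SCRAM the hex MD5 of "user:mongo:password" (the MONGODB-CR digest).
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()

def scram_keys(user, password, salt_b64, iterations):
    # SaltedPassword = Hi(password, salt, i); ClientKey, StoredKey, ServerKey per RFC 5802 s.3
    salted = hashlib.pbkdf2_hmac("sha1", mongo_scram_password(user, password),
                                 base64.b64decode(salt_b64), iterations)
    client_key = h(salted, b"Client Key")
    return {"client_key": client_key, "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": h(salted, b"Server Key")}

def auth_message(user, client_nonce, full_nonce, salt_b64, iterations):
    # AuthMessage = client-first-bare , server-first , client-final-without-proof
    return (f"n={user},r={client_nonce},r={full_nonce},s={salt_b64},i={iterations},"
            f"c=biws,r={full_nonce}").encode()

def client_proof(keys, msg):
    return xor(keys["client_key"], h(keys["stored_key"], msg))  # ClientKey XOR ClientSignature

def server_verify_proof(stored_key, msg, proof):
    # Server side: recover ClientKey = proof XOR ClientSignature, check H(ClientKey) == StoredKey.
    return hmac.compare_digest(hashlib.sha1(xor(proof, h(stored_key, msg))).digest(), stored_key)

def run_conversation():
    # Base64 values to compare with the ticket, plus the server's verdict on the client proof.
    keys = scram_keys(USER, PASSWORD, SALT_B64, ITERATIONS)
    msg = auth_message(USER, CLIENT_NONCE, FULL_NONCE, SALT_B64, ITERATIONS)
    proof = client_proof(keys, msg)
    b64 = lambda b: base64.b64encode(b).decode()
    return {"storedKey": b64(keys["stored_key"]), "serverKey": b64(keys["server_key"]),
            "p": b64(proof), "v": b64(h(keys["server_key"], msg)),
            "proof_ok": server_verify_proof(keys["stored_key"], msg, proof)}
```

The "v" value is what the client must compare against the server's final payload; a server that returns a matching v has authenticated the client at the SCRAM level, which is why done: false in the last response above is unexpected.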
Is depended on by:
- SERVER-7596 Support SCRAM-SHA-1 SASL Mechanism (Closed)
- DRIVERS-166 Implement the SCRAM-SHA-1 SASL Mechanism (Closed)