Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-14830

SCRAM-SHA-1 conversations fail to complete

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 2.7.2, 2.7.3, 2.7.4
    • Component/s: Security
    • None
    • ALL

      The basic SCRAM-SHA-1 support added in 2.7.2 seems to be broken. A SASL conversation can be completed following RFC 5802 (the v field value returned from the server matches the server signature calculated on the client), but the server returns

      {done: false}

      and any subsequent operations fail authorization.

      Example user:

      > db.system.users.findOne()
{
	"_id" : "admin.admin",
	"user" : "admin",
	"db" : "admin",
	"credentials" : {
		"SCRAM-SHA-1" : {
			"iterationCount" : 10000,
			"salt" : "3L2ChDOtpFE3t7dbOwAPdQ==",
			"storedKey" : "wnUNZ+Wl/B+k1+RBNfb4hihgapo=",
			"serverKey" : "3Q5qYn40wXktIB2M3SkK+czdXNg="
		},
		"MONGODB-CR" : "e4e538f5dcb52537cad02bbf8491693c"
	},
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}
>

      Example authentication attempt with debug output:

      >>> c.admin.authenticate('admin', 'pass', mechanism='SCRAM-SHA-1')

C: SON([('saslStart', 1), ('mechanism', 'SCRAM-SHA-1'), ('payload', Binary(b'n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA==', 0)), ('autoAuthorize', 1)])
S: {'done': False, 'payload': b'r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000', 'conversationId': 1, 'ok': 1.0}

server provided salt: b'3L2ChDOtpFE3t7dbOwAPdQ=='
client generated storedKey: b'wnUNZ+Wl/B+k1+RBNfb4hihgapo='
client generated serverKey: b'3Q5qYn40wXktIB2M3SkK+czdXNg='
client generated v: b'ss94QBaOXP1cQGYhgjuyDDMipO8='

C: SON([('saslContinue', 1), ('conversationId', 1), ('payload', Binary(b'c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=', 0))])
S: {'done': False, 'payload': b'v=ss94QBaOXP1cQGYhgjuyDDMipO8=', 'conversationId': 1, 'ok': 1.0}

      Server binaries were built with the enterprise modules. Mongod started like so:

      mongod --dbpath ~/data/db --auth --setParameter authenticationMechanisms=SCRAM-SHA-1,MONGODB-CR

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            bernie@mongodb.com Bernie Hackett
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: