Core Server: SERVER-14830

SCRAM-SHA-1 conversations fail to complete

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: 2.7.2, 2.7.3, 2.7.4
    • Component/s: Security

      The basic SCRAM-SHA-1 support added in 2.7.2 seems to be broken. A SASL conversation can be completed following RFC 5802 (the v field value returned from the server matches the server signature calculated on the client), but the server returns

      {done: false}

      and any subsequent operations fail authorization.

      Example user:

      > db.system.users.findOne()
      {
      	"_id" : "admin.admin",
      	"user" : "admin",
      	"db" : "admin",
      	"credentials" : {
      		"SCRAM-SHA-1" : {
      			"iterationCount" : 10000,
      			"salt" : "3L2ChDOtpFE3t7dbOwAPdQ==",
      			"storedKey" : "wnUNZ+Wl/B+k1+RBNfb4hihgapo=",
      			"serverKey" : "3Q5qYn40wXktIB2M3SkK+czdXNg="
      		},
      		"MONGODB-CR" : "e4e538f5dcb52537cad02bbf8491693c"
      	},
      	"roles" : [
      		{
      			"role" : "root",
      			"db" : "admin"
      		}
      	]
      }

      Example authentication attempt with debug output:

      >>> c.admin.authenticate('admin', 'pass', mechanism='SCRAM-SHA-1')
      
      C: SON([('saslStart', 1), ('mechanism', 'SCRAM-SHA-1'), ('payload', Binary(b'n,,n=admin,r=NzcyOTU5MDIwNDAyNTc3NA==', 0)), ('autoAuthorize', 1)])
      S: {'done': False, 'payload': b'r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000', 'conversationId': 1, 'ok': 1.0}
      
      server provided salt: b'3L2ChDOtpFE3t7dbOwAPdQ=='
      client generated storedKey: b'wnUNZ+Wl/B+k1+RBNfb4hihgapo='
      client generated serverKey: b'3Q5qYn40wXktIB2M3SkK+czdXNg='
      client generated v: b'ss94QBaOXP1cQGYhgjuyDDMipO8='
      
      C: SON([('saslContinue', 1), ('conversationId', 1), ('payload', Binary(b'c=biws,r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,p=yyZMbWaB2Yo7HBqFlr+9I6N+ho0=', 0))])
      S: {'done': False, 'payload': b'v=ss94QBaOXP1cQGYhgjuyDDMipO8=', 'conversationId': 1, 'ok': 1.0}
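      The client-side arithmetic behind the transcript above, as an added example (not code from the ticket or from PyMongo): it re-derives the keys, the client proof and the server signature from the salt, nonces and iteration count shown, assuming MongoDB's SCRAM-SHA-1 password preparation of hex(md5("user:mongo:password")) and the password 'pass' from the authenticate call, and shows why a client must require done: true in addition to a matching v before treating the login as complete.

```python
# Added example, not from the ticket or from any driver. Assumes MongoDB's
# SCRAM-SHA-1 password preparation: hex(md5("user:mongo:password")) is what
# RFC 5802's Hi() is run over (the same digest the MONGODB-CR field holds).
import base64, hashlib, hmac

# Values copied from the ticket's transcript (password 'pass' from the authenticate call).
USER, PASSWORD = "admin", "pass"
CLIENT_FIRST_BARE = b"n=admin,r=NzcyOTU5MDIwNDAyNTc3NA=="
SERVER_FIRST = (b"r=NzcyOTU5MDIwNDAyNTc3NA==YIFOULW05uMS80e5sLcUAbWVhJZtAZ5E,"
                b"s=3L2ChDOtpFE3t7dbOwAPdQ==,i=10000")
SERVER_FINAL = {"done": False, "payload": b"v=ss94QBaOXP1cQGYhgjuyDDMipO8=", "ok": 1.0}

def parse_fields(msg):
    """Split a 'k=v,k=v' SCRAM message into a dict; values may contain '='."""
    return dict(part.split("=", 1) for part in msg.decode().split(","))

def scram_sha1_client(user, password, client_first_bare, server_first):
    """Return the client-final payload, the expected v, and the derived keys."""
    client_nonce = parse_fields(client_first_bare)["r"]
    sf = parse_fields(server_first)
    # RFC 5802: the server's nonce must begin with the nonce the client sent.
    if not sf["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend client nonce")
    salt, iterations = base64.b64decode(sf["s"]), int(sf["i"])
    # Assumption: MongoDB feeds hex(md5(user:mongo:password)) into Hi() = PBKDF2.
    digest = hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()
    salted = hashlib.pbkdf2_hmac("sha1", digest, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    without_proof = b"c=biws,r=" + sf["r"].encode()
    auth_message = client_first_bare + b"," + server_first + b"," + without_proof
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))  # ClientKey XOR ClientSignature
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return {"client_final": without_proof + b",p=" + b64(proof).encode(),
            "expected_v": b64(server_sig),
            "storedKey": b64(stored_key), "serverKey": b64(server_key)}

def conversation_complete(server_final, expected_v):
    """Only treat auth as finished when v verifies AND the server reports done."""
    v = parse_fields(server_final["payload"])["v"]
    return hmac.compare_digest(v, expected_v) and server_final["done"] is True
```

      Run against the ticket's values this reproduces the storedKey, serverKey, p and v shown in the transcript, while conversation_complete() still returns False because the server never set done: true.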
      

      Server binaries were built with the enterprise modules. Mongod started like so:

      mongod --dbpath ~/data/db --auth --setParameter authenticationMechanisms=SCRAM-SHA-1,MONGODB-CR
      

            Assignee: Andreas Nilsson (andreas.nilsson)
            Reporter: Bernie Hackett (bernie@mongodb.com)