Can mongosh stop prompting for a password when authMechanism=MONGODB-X509 is passed?

Hi, is there any way to avoid getting a password prompt via the mongosh when authMechanism=MONGODB-X509 is passed?

$ ./mongosh --tls --tlsAllowInvalidCertificates --tlsAllowInvalidHostnames --tlsCertificateKeyFile=/home/test/root.pem --authenticationMechanism=MONGODB-X509 --authenticationDatabase='$external' --username='CN=root,OU=user,O=TestCompany,L=New York,ST=New York,C=US' localhost:27017/admin
Enter password:    # <- would like to get rid of this prompt
Current Mongosh Log ID: xxxxxxxxxxxxxxxxxxxxxxxx

Hi @shun and welcome to the MongoDB community!!

I tried to reproduce the issue in my local environment using the documentation available for a test environment; however, I was not successful in reproducing the password prompt that you are seeing. That is, using authMechanism=MONGODB-X509 does not produce a password prompt for me. I am using MongoDB 6.0.1.
Could you help me with the steps or the documentation you are following when you observe this?

Also, it would be great if you could help with the following details:

  1. MongoDB and mongosh version you are using.
  2. command to create user.

Please refer to the following documentation for reference:

  1. Configure mongod and mongos for TLS/SSL
  2. Upgrade a Cluster to Use TLS/SSL
  3. TLS/SSL Configuration for Clients

Also, to create some test certificates, please check the links below:

Also note that these are only for test environments and not recommended for production.

Let us know if you have further queries.

Best Regards
Aasawari


Hi @Aasawari

Thank you for your information.

  1. Here is the version of mongod and mongosh I’m using.

Using MongoDB: 6.0.1
Using Mongosh: 1.5.4

  2. I’m using the Python module pymongo to create the user against the $external db.
test_dev_rs0 [direct: primary] $external> db.getUsers()
{
  users: [
    {
      _id: '$external.CN=root,OU=user,O=TestCompany,L=New York,ST=New York,C=US',
      user: 'CN=root,OU=user,O=TestCompany,L=New York,ST=New York,C=US',
      db: '$external',
      roles: [ { role: 'root', db: 'admin' } ],
      mechanisms: [ 'external' ]
    }
  ],
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1664431086, i: 1 }),
    signature: {
      hash: Binary(Buffer.from("ae15871b21094ce7cc8883ea2a85eef07f02cce9", "hex"), 0),
      keyId: Long("7120435454641438721")
    }
  },
  operationTime: Timestamp({ t: 1664431086, i: 1 })
}

Then, I think I found the root cause. I was passing both --authenticationMechanism=MONGODB-X509 and --username='CN=root,OU=user,O=TestCompany,L=New York,ST=New York,C=US', and the --username part was then expected to come with a password as well. After removing the --username part, I’m no longer seeing the password prompt!

Maybe it would be helpful if mongosh errored out when it gets both --authenticationMechanism and --username?

Thanks,
Shun
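
The check Shun suggests can be done outside mongosh before a non-interactive job hangs on the prompt. The following is an added example, not part of the thread and not mongosh code: the function name `check_mongosh_x509_args` and its exit codes are hypothetical, and the prompt condition is the one reported above for mongosh 1.5.4. It also flags the two certificate-verification overrides from the original command, which are suitable for test environments only.

```shell
# Pre-flight check for a mongosh argument list (added example, hypothetical helper).
# Exit status: 0 = ok
#              1 = MONGODB-X509 combined with a username and no password
#                  (the combination reported in this thread to trigger a prompt)
#              2 = TLS certificate or hostname verification is disabled
check_mongosh_x509_args() {
    _mx_mech=""; _mx_user=0; _mx_pass=0; _mx_insecure=0; _mx_prev=""
    for _mx_arg in "$@"; do
        # "--authenticationMechanism VALUE" form: the value is the next argument.
        if [ "$_mx_prev" = "--authenticationMechanism" ]; then
            _mx_mech="$_mx_arg"
        fi
        case "$_mx_arg" in
            --authenticationMechanism=*) _mx_mech="${_mx_arg#*=}" ;;
            --username|--username=*|-u)  _mx_user=1 ;;
            --password|--password=*|-p)  _mx_pass=1 ;;
            --tlsAllowInvalidCertificates|--tlsAllowInvalidHostnames)
                _mx_insecure=1 ;;
        esac
        _mx_prev="$_mx_arg"
    done

    _mx_rc=0
    if [ "$_mx_insecure" -eq 1 ]; then
        echo "warning: TLS verification is disabled (test environments only)" >&2
        _mx_rc=2
    fi
    if [ "$_mx_mech" = "MONGODB-X509" ] && [ "$_mx_user" -eq 1 ] \
        && [ "$_mx_pass" -eq 0 ]; then
        # With X.509 the client certificate identifies the user, which is why
        # dropping --username removed the prompt in the thread above.
        echo "error: drop --username when using MONGODB-X509" >&2
        _mx_rc=1
    fi
    return "$_mx_rc"
}
```

In a wrapper script, call it as `check_mongosh_x509_args "$@" && mongosh "$@"` so the job fails fast instead of waiting on "Enter password:".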