Johan S

Reputation: 3591

MongoDB disable access for just connecting through shell

I've been searching the documentation for MongoDB and also Stackoverflow for a while and haven't found any good way to fix this issue.

I have created an admin user and some other users for my MongoDB server in EC2; however, when I'm connecting I can always connect with no username or password (yes, I have auth=true in the config file).

As I understand it, MongoDB's default behavior is to allow connections and then use db.auth() or something, but can I disable the default behavior so you have to authenticate when you do mongo --host=xx.xx.xx.xx...?

Thanks,

Johan

Upvotes: 1

Views: 1463

Answers (1)

Adam Comerford

Reputation: 21682

How do you expect the database to be able to authenticate people if you do not allow them to connect? This has to be possible for authentication to be done. When you connect with a shell, all you have done is connect to the database via TCP successfully with the shell program; that's it. There is no command run and no special permission needed to do so, and you could do the same thing using telnet to connect to your database (though you would need to be able to type the wire protocol to do anything).

The scary part is just that it looks like you have access, because you have a MongoDB shell prompt rather than a login prompt or similar. In reality it is no different from using ssh to connect to a remote server and having it present you with a login: prompt - you are connected, yes, but you have to authenticate to actually do anything.

If you wish to have people automatically log in, or be presented with a prompt (like ssh above), then you can look into either wrapping or customizing the shell (tough to support), or you can see about deploying a mongorc file for each user that kicks off authentication - this will be optional, of course; there is no way to make it mandatory. They would still be able to download the mongo shell separately (or modify the rc file) and then simply use that as before.

As a final (and more secure) option than challenge/response, you can look into requiring SSL to connect, whereby you reject anyone presenting an invalid certificate. However, for end users, certificate management can be extremely tough to support (not to mention annoying to set up).

Upvotes: 1
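The answer's last two points (authentication is enforced per command, not per connection, and the only way to turn away a client before it gets a prompt is to require a client certificate at the TLS handshake) can be seen side by side in a mongod configuration. The block below is an added example, not from the original answer or from MongoDB's own documentation. It uses the YAML config format (the question's `auth=true` is the legacy equivalent of `security.authorization: enabled`) and the `net.tls` option names introduced in MongoDB 4.2; older releases use the same layout under `net.ssl` with `requireSSL` and `PEMKeyFile`. All file paths and the bind address are placeholders.

```yaml
# mongod.conf -- added example, not the original answer's configuration.
# Paths and the bind address are placeholders for your own environment.

net:
  port: 27017
  bindIp: 10.0.0.5            # placeholder: listen on the private interface only, never 0.0.0.0
  tls:
    mode: requireTLS          # every client must complete a TLS handshake before any command
    certificateKeyFile: /etc/ssl/mongodb/server.pem   # placeholder: server certificate + key
    CAFile: /etc/ssl/mongodb/ca.pem                   # placeholder: CA that issued client certs
    # false is the default; with a CAFile set, a client that presents no certificate
    # (or one not signed by that CA) is rejected during the handshake, which is the
    # only point at which "cannot even get a shell prompt" is achievable
    allowConnectionsWithoutCertificates: false

security:
  # With only this setting (the question's auth=true), the TCP connection and the
  # shell prompt are still granted; each command is then checked, and an
  # unauthenticated session can run little beyond isMaster/hello and buildInfo.
  authorization: enabled
```

With this in place, the certificate-based path works as follows (the DN is a placeholder): the user is created in the `$external` database under its certificate subject, e.g. `db.getSiblingDB("$external").createUser({ user: "CN=alice,OU=eng,O=example", roles: [{ role: "readWrite", db: "app" }] })`, and the client connects with `mongo --tls --tlsCertificateKeyFile client.pem --tlsCAFile ca.pem --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509`. Note that this does not change the answer's core point: the server still accepts the TCP connection, and what is added is a rejection at the TLS layer for anyone without a valid certificate, at the cost of the certificate lifecycle the answer warns about.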
