Way Too Simple

Reputation: 305

Redis password error from one server but not from another

I'm trying to connect to a Redis server from two different servers, call them server1 and server2.

From server1 I cannot log in; using the right or the wrong password I always get:

user@server1:~$ redis-cli -h my-redis-server.com
my-redis-server.com:6379> auth rightpassword
(error) WRONGPASS invalid username-password pair

From server2 I can log in:

user@server2:~$ redis-cli -h my-redis-server.com
my-redis-server.com:6379> auth rightpassword
OK

But the funny thing is the error when trying to log in from server2 with the wrong password is different:

user@server2:~$ redis-cli -h my-redis-server.com
my-redis-server.com:6379> auth wrongpassword
(error) ERR invalid password

Using the monitor command on the redis server the login attempts from server1 are not printed while the login attempts (successful or not) from server2 are printed.

It seems the firewall is not blocking connections from server1 and also the redis server is configured to accept connections from server1 "bind 0.0.0.0". I mean, it actually looks like connections are accepted from server1 but somehow redis is refusing to run commands from server1 :-/ From what I've seen, redis doesn't have a way of blocking access per IP other than the "bind" config, and even that should return a connection refused rather than a wrong password error. I also think if the firewall was blocking, I should get a connection refused.

Geez, I must be missing something. Does anybody have a clue about what could be going on here?

PS: wonder why even redis has two different wrong password errors :-|

Upvotes: 4

Views: 30426

Answers (2)

mr nooby noob

Reputation: 2273

Very trivial and stupid case, but for me I was in the wrong environment (prod instead of dev)

Upvotes: 1

zjevander

Reputation: 368

With Redis version 6+, they have added the ability of Access Control Lists (ACLs) for allowing users access to specific commands (read, write, key-constrained, etc.) based on the permissions of the user.

This may be why this error is being displayed:

(error) WRONGPASS invalid username-password pair

The AUTH command is slightly different for Redis version 6+:

AUTH command documentation: https://redis.io/commands/auth/

AUTH [username] password

ACL Documentation: https://redis.io/docs/manual/security/acl/

If both of the Redis server versions are the same (i.e. 6+) then I would guess that server #2 has the default user enabled, which is why the AUTH command works. The concept of the default user is Redis' way of maintaining backwards compatibility with versions previous to 6. The current way that server #2 is operating is the default configuration for Redis. From what you mentioned in your original post, it seems like server #1 has the default user disabled and instead another user was created, possibly with different permissions.

For server #1, you may be able to run:

ACL WHOAMI

This should return the username that could be used for this command:

AUTH [username] password

It may also be helpful to run:

ACL LIST

to view the current users and their permissions

Upvotes: 2
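A way to check the situation in this thread, as an added example that is not part of the original posts: it encodes both AUTH forms in the Redis wire protocol (RESP), classifies the reply wording, and flags when two clients are answered by different authentication models. The function names are hypothetical, and the mapping of `ERR invalid password` to pre-6 servers and `WRONGPASS` to Redis 6+ is an assumption to confirm with `INFO server` on each instance; `probe` also returns the IP address the hostname resolved to, so the two clients' targets can be compared.

```python
import socket

def encode_command(*args):
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        data = a.encode() if isinstance(a, str) else a
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)

def classify_auth_reply(line):
    """Map one RESP reply line to (outcome, auth model implied by its wording)."""
    text = line.decode().rstrip("\r\n") if isinstance(line, bytes) else line.strip()
    if text.startswith("+OK"):
        return ("accepted", "unknown")
    if not text.startswith("-"):
        raise ValueError("not a status or error reply: %r" % text)
    code, _, msg = text[1:].partition(" ")
    if code == "WRONGPASS":
        return ("rejected", "acl")          # assumed: Redis 6+ ACL-aware AUTH
    if code == "ERR" and msg.startswith("invalid password"):
        return ("rejected", "legacy")       # assumed: pre-6 requirepass-only AUTH
    if code == "NOAUTH":
        return ("auth-required", "unknown")
    return ("error", "unknown")

def probe(host, password, username=None, port=6379, timeout=3.0):
    """Send AUTH over a raw socket; return (resolved peer IP, first reply line)."""
    args = ("AUTH", username, password) if username else ("AUTH", password)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command(*args))
        return s.getpeername()[0], s.makefile("rb").readline()

def compare_clients(replies):
    """replies: {client: reply line}. Return (models, True if the models differ)."""
    models = {c: classify_auth_reply(r)[1] for c, r in replies.items()}
    known = {m for m in models.values() if m != "unknown"}
    return models, len(known) > 1

# Constructed sample: wire form of the failed-AUTH replies quoted in the question.
SAMPLE = {
    "server1": b"-WRONGPASS invalid username-password pair\r\n",
    "server2": b"-ERR invalid password\r\n",
}

if __name__ == "__main__":
    models, mismatch = compare_clients(SAMPLE)
    print(models, "different auth models" if mismatch else "consistent")
```

A mismatch between clients that use the same hostname is a reason to compare the peer IP returned by `probe` from each of them before changing any ACL or password.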
