2
votes

I have a MongoDB server installed on my Debian Linux machine. Now, to secure it before allowing remote login, I'm trying to add an admin user with the command:

db.addUser( { user: "admin", pwd: "MY_PASSWORD", roles: [ "userAdminAnyDatabase" ] } )

I must be doing something terribly wrong, since my password ends up unencrypted in the database along with an MD5-hashed version of it. I tried hashing it manually using MD5 before running the command, but still no luck...

This is what I get in the DB:

{ "_id" : ObjectId("5260fc9f51f87eba8d937701"), "user" : { "user" : "admin", "pwd" : "MY_PASSOWRD", "roles" : [ "userAdminAnyDatabase" ] }, "readOnly" : false, "pwd" : "HASHED_VERSION_OF_MY_PASSWORD" }

How do I add a user without ending up with cleartext passwords in the database?

1 Answer

0
votes

You are probably using an older version which expected different syntax. The addUser function in 2.2 expected a string as username, another string as password. It seems you added a user whose entire full username is '{ "user" : "admin", "pwd" : "MY_PASSOWRD", "roles" : [ "userAdminAnyDatabase" ] }' - probably the shell should give an error, but it does not.

Try instead the expected 2.2 syntax:

> db.addUser( "admin",  "MY_PASSWORD")

You can confirm the server version by running:

> db.version()
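
An added example, not part of the answer above: a mongo-shell-style JavaScript sketch that picks the user-creation call from `db.version()` and flags `system.users` entries whose `user` field is not a string, which is the shape of the record shown in the question. The helper names `addAdminUser` and `findMalformedUsers` and the sample documents are assumptions made for illustration.

```javascript
// Added example. Helper names are hypothetical; written in ES5 so it also
// parses in the old mongo shell.

// Choose the call form the running server expects:
//   2.2 and earlier: db.addUser(username, password)
//   2.4:             db.addUser({ user, pwd, roles })
//   2.6 and later:   db.createUser({ user, pwd, roles })
function addAdminUser(db, name, pwd) {
  var parts = db.version().split(".");
  var major = parseInt(parts[0], 10);
  var minor = parseInt(parts[1], 10);
  var doc = { user: name, pwd: pwd, roles: ["userAdminAnyDatabase"] };
  if (major > 2 || (major === 2 && minor >= 6)) {
    db.createUser(doc);
    return "createUser(document)";
  }
  if (major === 2 && minor >= 4) {
    db.addUser(doc);
    return "addUser(document)";
  }
  // Roles do not exist before 2.4, so only name and password are passed.
  db.addUser(name, pwd);
  return "addUser(user, pwd)";
}

// On 2.2, passing a document to addUser stores the whole document, cleartext
// password included, as the `user` field. Return the _id of every such entry.
function findMalformedUsers(userDocs) {
  return userDocs
    .filter(function (d) { return typeof d.user !== "string"; })
    .map(function (d) { return d._id; });
}

// Constructed sample data: one well-formed 2.2 entry and one entry with the
// shape from the question (placeholder ids, placeholder hashes).
var sampleUsers = [
  { _id: "constructed-id-1", user: "reporting", readOnly: true,
    pwd: "PLACEHOLDER_HASH" },
  { _id: "constructed-id-2",
    user: { user: "admin", pwd: "MY_PASSWORD",
            roles: ["userAdminAnyDatabase"] },
    readOnly: false, pwd: "PLACEHOLDER_HASH" }
];
```

In the shell, `findMalformedUsers(db.system.users.find().toArray())` runs the same check against the current database.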