auth enabled, still allows remote anonymous connections with limited access


rvan

Mar 12, 2014, 2:52:58 PM
to mongod...@googlegroups.com
I have a mongodb server running with auth=true set in mongodb.conf. I've followed the manual and created an admin user and authentication works for the most part except for the following: remote connections to the host where a username is not specified still allow me to get access to a shell, be it with limited activity - most (but not all!) commands return "not authorized for query". My question is, why is this connection even permitted? 

$ mongo <host>

MongoDB shell version: 2.4.9
connecting to: <host>/test

> db.system.users.find()
error: { "$err" : "not authorized for query on test.system.users", "code" : 16550 }

Any attempts specifying a username and no password get rejected outright:

$ mongo <host> -u username
MongoDB shell version: 2.4.9
connecting to: <host>/test
Wed Mar 12 14:02:00.125 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228
exception: login failed

So why are remote connections without a username specified allowed (opening up a whole slew of security concerns) where remote connections with a username are outright rejected? Is this by design? Is this a bug? Is my server configured incorrectly?

Rod Adams

Mar 18, 2014, 1:20:35 PM
to mongod...@googlegroups.com
Hello rvan --

All connections to Mongo start off unauthenticated. The connection becomes authenticated after a successful call to the authenticate command, or one of its many helper functions, such as db.auth() in the shell. 

When you use the --username and --password options to the mongo shell, it first creates the connection, and then attempts to authenticate that connection for you, prior to performing other commands, such as an --eval or presenting the interactive shell. Any errors in authentication cause mongo to close the connection without attempting further action.

Thus, I'd have to answer your questions as "working as designed", and that as far as I can tell from the very limited information you've provided, I see nothing wrong with your configuration.

Hope this helps!
-- Rod

PS -- if you ever see signs of one of the security concerns you mention, please contact us immediately.
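Rod's point that a connection stays unauthenticated until something calls db.auth() can be turned into a check of your own server. The example below is added here and is not code from the thread or from MongoDB: it runs a few commands over an anonymous connection and flags anything beyond the handshake commands that succeeds. The use of pymongo, the injectable `run` callable and the allow-list of expected anonymous commands are assumptions.

```python
"""Audit what an anonymous connection to an auth-enabled mongod may do."""
from typing import Callable, Dict, List, Tuple

# Commands a mongod answers before authentication (connection handshake /
# liveness). Assumption: anything else that succeeds anonymously is a finding.
EXPECTED_ANONYMOUS = {"isMaster", "ping"}

# Probes tried without credentials: (database, command document).
# "count" on test.system.users mirrors the db.system.users.find() in the thread.
PROBES: List[Tuple[str, Dict]] = [
    ("admin", {"isMaster": 1}),
    ("admin", {"ping": 1}),
    ("admin", {"listDatabases": 1}),
    ("test", {"count": "system.users"}),
]


class Denied(Exception):
    """Raised by a runner when the server refuses a command (e.g. code 16550)."""

    def __init__(self, code: int, msg: str):
        super().__init__(f"{code}: {msg}")
        self.code = code


def audit_anonymous(run: Callable[[str, Dict], Dict]) -> Dict[str, str]:
    """Run every probe through `run` (never authenticating) and classify each."""
    report: Dict[str, str] = {}
    for db, cmd in PROBES:
        name = next(iter(cmd))  # command name is the first key
        try:
            run(db, cmd)
        except Denied as e:
            report[name] = f"denied ({e.code})"
            continue
        report[name] = ("allowed" if name in EXPECTED_ANONYMOUS
                        else "FINDING: allowed anonymously")
    return report


def findings(report: Dict[str, str]) -> List[str]:
    """Command names that succeeded anonymously but should not have."""
    return sorted(k for k, v in report.items() if v.startswith("FINDING"))


def pymongo_runner(host: str, port: int = 27017) -> Callable[[str, Dict], Dict]:
    """Real runner (assumes pymongo is installed). It never calls
    authenticate, so the connection stays in the unauthenticated state."""
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure
    client = MongoClient(host, port)

    def run(db: str, cmd: Dict) -> Dict:
        try:
            return client[db].command(cmd)
        except OperationFailure as e:
            raise Denied(e.code, str(e)) from e
    return run
```

On a correctly configured server the report shows only isMaster and ping as allowed; `findings(audit_anonymous(pymongo_runner("<host>")))` should come back empty.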