FirebirdSQL / firebird

Firebird server, client and tools
https://firebirdsql.org
1.26k stars 217 forks source link

Authentication should continue with next plugin after plugin failure [CORE5485] #5755

Open firebird-automations opened 7 years ago

firebird-automations commented 7 years ago

Submitted by: @mrotteveel

All failures of an authentication plugin should let Firebird move to the next authentication plugin if available. Currently only absence of a user for the plugin, or 'normal' login failures (see CORE5225) continue with the next plugin. However, when the security database is not initialised for a specific plugin, this plugin failure will end the authentication, and not continue with authentication for the next plugin.

Specifically assume a security database that is currently only initialised for Legacy_Auth (eg the default one in the Windows zipkit), if Jaybird 3 tries to connect (which first tries Srp, and then Legacy_Auth), the authentication fails with

Exception in thread "main" java.sql.SQLException: Your user name and password are not defined. Ask your database administrator to set up a Firebird login.; Install incomplete, please read the Compatibility chapter in the release notes for this version [SQLState:28000, ISC error code:335544472]

The message code of the second part is: 335545029.

This is in response to the initial op_connect. Instead the protocol should have continued with the next plugin.

The workaround in this specific case is to initialise the security database for SRP, eg by executing CREATE USER jaybird PASSWORD 'jdbc' USING PLUGIN Srp

Note that connecting with Jaybird 2.2 (which only uses legacy auth), or an Firebird 2.5 or earlier fbclient.dll will just work.

firebird-automations commented 7 years ago

Commented by: @AlexPeshkoff

Mark, I disagree with your suggestion. When client is configured to use plugin A but @ server side plugin A is misconfigured somehow making use of it impossible that's not default state, that's severe configuration error (remember - Windows zipkit is recommended for manual/custom installs, not for first time users). Moreover, you get an error message describing how to fix this condition.

And initializing SRP in security database is not workaround here, it's required fix.

What makes me surprised is that use of old client works - it should not work with default configuration when server requires wire encryption. Please confirm - did you change firebird.conf after installing zip kit?

firebird-automations commented 7 years ago

Commented by: @mrotteveel

Alex, I never said I used the zipkit without modification, I just said I used the default security3.fdb from the zipkit (which has a legacy sysdba, but is not initialised for SRP). Specifically, I used: AuthServer = Srp, Legacy_Auth WireCrypt = Enabled

If a Firebird 2.5 fbclient.dll can connect (or Jaybird 2.2 which only speaks v10 protocol), then so should a newer client be able to connect even if it supports both Srp and Legacy_Auth. In other words: the misconfiguration of an authentication plugin should only be logged, not kill the connect attempt, unless of course Srp is the only authentication plugin in common between client and server.

firebird-automations commented 7 years ago

Commented by: @AlexPeshkoff

No, in such case it should better be aborted. If server admin is leaving 'Srp' in AuthServer but does not initialize security database it's his bug which should be fixed.

firebird-automations commented 5 years ago

Commented by: @mrotteveel

Interestingly enough, it seems that with a Firebird 4 beta 1, the client continues with authentication.