firebird-automations
commented
5 years ago Open firebird-automations opened 5 years ago
firebird-automations
commented
5 years ago firebird-automations
commented
5 years ago firebird-automations
commented
5 years ago Commented by: @reevespaul
I'm wondering if we should even support legacy_auth as an option in the installer in FB4.0.
The original purpose of that feature was to help users migrate from 2.5 to 3.0.
firebird-automations
commented
5 years ago Commented by: @AlexPeshkoff
I suggest not to support legacy authentication in the installer in FB4.0. I'm even unsure should we ask about use of Srp instead Srp256 - starting with 3.0.4 Srp256 is supported, and I do not expect massive arrays of old clients.
firebird-automations
commented
5 years ago
Submitted by: @mrotteveel
When you enable legacy authentication in the Windows installer, it will configure firebird.conf with
AuthServer = Legacy_Auth, Srp, Win_Sspi AuthClient = Legacy_Auth, Srp, Win_Sspi
This is insecure for two reasons:
1. It is missing the new Srp256 plugin which is the default 2. The order for authentication plugins should be from most secure to least secure to avoid leaking information about credentials of Srp users (eg if Srp256 or Srp succeeds, there is no need to send the password using the less secure UnixCrypt hash in Legacy_Auth).
In other words, enabling legacy authentication should produce
AuthServer = Srp256, Win_Sspi, Legacy_Auth
(or maybe AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth)
The default for AuthClient (AuthClient = Srp256, Srp, Win_Sspi, Legacy_Auth) is already sufficient and secure enough, so there is no need to write an explicit config.
Personally, I'd also prefer if UserManager order would be set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.
Commits: FirebirdSQL/firebird@2af22cbb7b24cb0ae1257b88055abafc63d8cb75