Commented by: @AlexPeshkoff

This is as designed - in order to avoid potential problems with security actual reasons of inability to validate login/password are not broadcasted all over the world.
Instead they are written to server's firebird.log file, where any reasonable sysadmin can easily find them. For your particular sample I get:
localhost Mon Oct 19 13:11:12 2015
Database: /usr/home/firebird/Trunks/trunk/gen/Release/firebird/security3.fdb
file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

PS. Debugging version does return that class of messages to the client.

Commented by: @aafemt

On Windows with release build of current trunk run as an application I got nothing in firebird.log.

Edit: Legacy_UserManager indeed writes error into log. Srp as in default config - doesn't.

Commented by: Sean Leyne (seanleyne)

Alexander,

While I fully support the need to not broadcast security issues, the current error message is very misleading.

It would be better for another message to be returned ("Error occurred during login, please check server firebird.log for detail) which would clearly outline that the error is "system" related rather than simple user credentials. This would align with how other systems/OS deal with login errors (Windows reports "unable to connect to domain server" vs. "user credentials are invalid").

Commented by: @pavel-zotov

> Instead they are written to server's firebird.log <...>
> file /usr/home/firebird/trunk/gen/Release/firebird/security3.fdb is not a valid database

Can NOT reproduce this on WI-V3.0.4.32963, tried SS & CS, for both UserManager = Legacy_UserManager and Srp.

Scenario:

* Use following parameters in the firebird.conf:
AuthServer = Legacy_Auth,Srp,Win_Sspi
UserManager = Legacy_UserManager,Srp
AuthClient = Legacy_Auth,Srp
WireCrypt = Disabled

* Restart FB service

* create database using default security.db, let its name will be: C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
SQL> create database 'localhost:C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb' user sysdba password 'masterkey';
SQL> show database;
Database: localhost:C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
Owner: SYSDBA
PAGE_SIZE 8192
Number of DB pages allocated = 180
. . .
Database not encrypted
Default Character set: NONE
SQL> quit;

* open %FIREBIRD_HOME%\databases.conf and change there "SecurityDatabase" attribute for just created DB.
Add following lines:

noacc = C:\MIX\firebird\QA\fbt-repo\tmp\noacc.fdb
{
SecurityDatabase = $(dir_secDb)/broken_sec.dat
}

* stop FB service, run: copy C:\MIX\firebird\fb30\security3.fdb C:\MIX\firebird\fb30\broken_sec.dat

* start FB service, make attachment to 'localhost:noacc' as SYSDBA and add two users with diff. plugins:
SQL> create or alter user foo_leg password '123' using plugin Legacy_UserManager;
SQL> create or alter user foo_srp password '123' using plugin Srp;
SQL> commit;
SQL> set list on;
SQL> select sec$user_name, sec$plugin from sec$users where sec$user_name starting with 'FOO';

SEC$USER\_NAME                   FOO\_LEG
SEC$PLUGIN                      Legacy\_UserManager

SEC$USER\_NAME                   FOO\_SRP
SEC$PLUGIN                      Srp

SQL\> quit;'

* check that we can make attachments using these users:

C:\\MIX\\firebird\\fb30\>C:\\MIX\\firebird\\fb30\\isql localhost:noacc \-user foo\_leg \-pas 123 \-q
Database: localhost:noacc, User: FOO\_LEG
SQL\> quit;

C:\\MIX\\firebird\\fb30\>C:\\MIX\\firebird\\fb30\\isql localhost:noacc \-user foo\_srp \-pas 123 \-q
Database: localhost:noacc, User: FOO\_SRP
SQL\> quit;

* stop FB service, make copy of broken_sec.dat:
copy C:\MIX\firebird\fb30\broken_sec.dat C:\MIX\firebird\fb30\broken_sec.bak

* replace content of broken_sec.dat with garbage, e.g. with plain text:

C:\\MIX\\firebird\\fb30\\fbsvcmgr \-? 1\>C:\\MIX\\firebird\\fb30\\broken\_sec\.dat 2\>&1

* start FB service

* try to connect using each of foo_leg & foo_srp. Result will be EXPECTED:

C:\\MIX\\firebird\\fb30\\isql localhost:noacc \-user foo\_leg \-pas 123 \-q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined\. Ask your database administrator to set up a Firebird login\.
SQL\> quit;

C:\\MIX\\firebird\\fb30\>C:\\MIX\\firebird\\fb30\\isql localhost:noacc \-user foo\_srp \-pas 123 \-q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined\. Ask your database administrator to set up a Firebird login\.
SQL\> quit;

* open firtebird.log. IT WILL BE EMPTY.
Why ?

Commented by: @AlexPeshkoff

Pavel, please remove Legacy_Auth from your configuration (at all) and try again. Or at least place it after Srp.

Commented by: @pavel-zotov

Alex, it did not help.
This is current config:

AuthServer = Srp
UserManager = Srp
AuthClient = Srp
WireCrypt = Disabled

===

Result is the same: firebird.log remains EMPTY.
May be it is OS or bitness (Windows XP, 32 bit) that such affects ?

Commented by: @AlexPeshkoff

Right now rechecked:
1. linux + legacy auth - recorded in firebird.log
2. windows using default config (ie SRP) - recorded in firebird.log

Commented by: @pavel-zotov

I've found the reason: value of parameter WireCrypt.
When it is Disabled that no record will be added into firebird.log, and client will get error:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird logi

Otherwise record *will* be added and error looks like this:

C:\MIX\firebird\fb30>C:\MIX\firebird\fb30\isql localhost:noacc -user foo_srp -pas 123 -q
Statement failed, SQLSTATE = 08006
Error occurred during login, please check server firebird.log for details