Authentication end with first plugin that has the user but auth fails; should continue with next plugin [CORE5225] #5505
Comments
Modified by: @mrotteveeldescription: Currently when a user exists for multiple authentication plugins, authentication ends with the first plugin that has the user when authentication fails. Instead it should continue with the next plugin. A user is identified by username and password, if a one of the values is wrong then the user should be considered to not exist. Ending authentication early will leak existence of the user for that plugin, from a security standpoint such a leak of information is not acceptable. The behavior is also confusing, because some valid usernames + passwords will allow authentication (eg a user that only exists in Legacy_Auth, or only in Srp), while other valid usernames + password will unexpectedly be rejected. This will make it look like you are using the wrong username or password. When a user exists in Srp and Legacy_Auth and you use the Legacy_Auth, the password will be rejected by the Srp plugin ending authentication. This is especially relevant during transition from Firebird 2.5 compatible apps + drivers, but even if we live in a Firebird 3 only world, it would still be necessary (consider third party authentication plugins that support an alternative mode of authentication). => Currently when a user exists for multiple authentication plugins, authentication ends with the first plugin that has the user when authentication fails. Instead it should continue with the next plugin. A user is identified by username and password, if one of these values is wrong then the user should be considered to not exist. Ending authentication early will leak existence of the user for that plugin, from a security standpoint such a leak of information is not acceptable. The behavior is also confusing, because some valid usernames + passwords will allow authentication (eg a user that only exists in Legacy_Auth, or only in Srp), while other valid usernames + password will unexpectedly be rejected. This will make it look like you are using the wrong username or password. When a user exists in Srp and Legacy_Auth and you use the Legacy_Auth, the password will be rejected by the Srp plugin ending authentication. This is especially relevant during transition from Firebird 2.5 compatible apps + drivers, but even if we live in a Firebird 3 only world, it would still be necessary (consider third party authentication plugins that support an alternative mode of authentication). |
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 3.0.1 [ 10730 ] Fix Version: 4.0 Alpha 1 [ 10731 ] |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Done successfully |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Closed [ 6 ] |
Submitted by: @mrotteveel
Votes: 1
Currently when a user exists for multiple authentication plugins, authentication ends with the first plugin that has the user when authentication fails. Instead it should continue with the next plugin.
A user is identified by username and password, if one of these values is wrong then the user should be considered to not exist. Ending authentication early will leak existence of the user for that plugin, from a security standpoint such a leak of information is not acceptable.
The behavior is also confusing, because some valid usernames + passwords will allow authentication (eg a user that only exists in Legacy_Auth, or only in Srp), while other valid usernames + password will unexpectedly be rejected. This will make it look like you are using the wrong username or password. When a user exists in Srp and Legacy_Auth and you use the Legacy_Auth, the password will be rejected by the Srp plugin ending authentication.
This is especially relevant during transition from Firebird 2.5 compatible apps + drivers, but even if we live in a Firebird 3 only world, it would still be necessary (consider third party authentication plugins that support an alternative mode of authentication).
Commits: e560f6e a742e7d
The text was updated successfully, but these errors were encountered: