Issue Details (XML | Word | Printable)

Key: CORE-6011
Type: Bug Bug
Status: Open Open
Priority: Major Major
Assignee: Paul Reeves
Reporter: Mark Rotteveel
Votes: 0
Watchers: 2
Operations

If you were logged in you would be able to see more operations.
Firebird Core

Enabling legacy authentication in Windows installer leads to less secure config than possible

Created: 23/Feb/19 08:14 AM   Updated: 06/Mar/19 06:08 AM
Component/s: Build Issues / Porting, Installation, Security
Affects Version/s: 4.0 Beta 1
Fix Version/s: None

QA Status: Cannot be tested


 Description  « Hide
When you enable legacy authentication in the Windows installer, it will configure firebird.conf with

AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi

This is insecure for two reasons:

1. It is missing the new Srp256 plugin which is the default
2. The order for authentication plugins should be from most secure to least secure to avoid leaking information about credentials of Srp users (eg if Srp256 or Srp succeeds, there is no need to send the password using the less secure UnixCrypt hash in Legacy_Auth).

In other words, enabling legacy authentication should produce

AuthServer = Srp256, Win_Sspi, Legacy_Auth

(or maybe AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth)

The default for AuthClient (AuthClient = Srp256, Srp, Win_Sspi, Legacy_Auth) is already sufficient and secure enough, so there is no need to write an explicit config.

Personally, I'd also prefer if UserManager order would be set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.

 All   Comments   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
Paul Reeves added a comment - 23/Feb/19 04:41 PM
I'm wondering if we should even support legacy_auth as an option in the installer in FB4.0.

The original purpose of that feature was to help users migrate from 2.5 to 3.0.



Alexander Peshkov added a comment - 25/Feb/19 11:52 AM
I suggest not to support legacy authentication in the installer in FB4.0. I'm even unsure should we ask about use of Srp instead Srp256 - starting with 3.0.4 Srp256 is supported, and I do not expect massive arrays of old clients.