Submitted by: @mrotteveel

When you enable legacy authentication in the Windows installer, it will configure firebird.conf with

AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi

This is insecure for two reasons:

1. It is missing the new Srp256 plugin, which is the default.
2. The order for authentication plugins should be from most secure to least secure to avoid leaking information about credentials of Srp users (e.g. if Srp256 or Srp succeeds, there is no need to send the password using the less secure UnixCrypt hash in Legacy_Auth).

In other words, enabling legacy authentication should produce

AuthServer = Srp256, Win_Sspi, Legacy_Auth

(or maybe AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth)

The default for AuthClient (AuthClient = Srp256, Srp, Win_Sspi, Legacy_Auth) is already sufficient and secure enough, so there is no need to write an explicit config.

Personally, I'd also prefer if the UserManager order were set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.

Commits: 2af22cb

summary: Enabling legacy authentication in Windows installer leads to less secur config than possible => Enabling legacy authentication in Windows installer leads to less secure config than possible

Comment:

I suggest not to support legacy authentication in the installer in FB4.0. I'm even unsure whether we should ask about use of Srp instead of Srp256 - starting with 3.0.4 Srp256 is supported, and I do not expect massive arrays of old clients.
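The ordering problem above is easy to check mechanically. The following audit script is an added example written for this page, not code from the Firebird project or from the issue author. It assumes firebird.conf is a plain `Key = value` file with `#` comments (commented-out defaults are skipped), and it encodes the ranking the issue argues for (Srp256, then Srp, then Win_Sspi, then Legacy_Auth) as an assumed table; any plugin not in that table is ignored rather than flagged. Sample configurations are constructed inline from the lines quoted in the issue.

```python
import re

# Assumed ranking, most secure first, following the ordering rationale in the issue.
# Lower number = stronger. Plugins not listed here are not ranked.
SECURITY_RANK = {"Srp256": 0, "Srp": 1, "Win_Sspi": 2, "Legacy_Auth": 3}

# Keys whose value is an ordered plugin list and therefore subject to the ordering rule.
AUTH_KEYS = ("AuthServer", "AuthClient")


def parse_firebird_conf(text):
    """Parse 'Key = value' lines; '#' starts a comment, blank lines are skipped.

    A commented-out default such as '#AuthServer = Srp256, Srp, Win_Sspi' is
    dropped entirely, so only explicit settings are returned. Last assignment wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def plugin_list(value):
    """Split a comma-separated plugin list, dropping empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_auth_order(settings, key):
    """Return findings for one plugin-list key; an empty list means no issue found.

    Two checks, both taken from the issue:
      - Srp256 must be present in an explicit list.
      - No plugin may be listed before a stronger one (weakest-first ordering
        would let a legacy hash be sent even when an Srp exchange would succeed).
    """
    findings = []
    if key not in settings:
        return findings  # no explicit setting: the server default applies
    plugins = plugin_list(settings[key])
    if "Srp256" not in plugins:
        findings.append(f"{key}: Srp256 missing")
    for i, earlier in enumerate(plugins):
        for later in plugins[i + 1:]:
            if earlier in SECURITY_RANK and later in SECURITY_RANK \
                    and SECURITY_RANK[earlier] > SECURITY_RANK[later]:
                findings.append(f"{key}: {earlier} listed before {later}")
    return findings


def audit_conf(text):
    """Audit every auth plugin-list key in a firebird.conf text."""
    settings = parse_firebird_conf(text)
    findings = []
    for key in AUTH_KEYS:
        findings.extend(audit_auth_order(settings, key))
    return findings


# Constructed sample: what the issue says the Windows installer writes with legacy auth enabled.
INSTALLER_CONF = """\
#AuthServer = Srp256, Srp, Win_Sspi   # commented-out default, must be ignored
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
"""

# Constructed sample: the ordering proposed in the issue, AuthClient left at its default.
PROPOSED_CONF = """\
AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth
"""

if __name__ == "__main__":
    for name, conf in (("installer", INSTALLER_CONF), ("proposed", PROPOSED_CONF)):
        print(name, audit_conf(conf) or "OK")
```

Run against a real firebird.conf by reading the file into `audit_conf`; a non-empty result lists each weaker plugin that precedes a stronger one, which is exactly the condition under which a client may fall back to the legacy hash before a stronger exchange is attempted.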