
Enabling legacy authentication in Windows installer leads to less secure config than possible [CORE6011] #6261

Open
firebird-automations opened this issue Feb 23, 2019 · 5 comments

Comments

@firebird-automations
Collaborator

Submitted by: @mrotteveel

When you enable legacy authentication in the Windows installer, it will configure firebird.conf with

AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi

This is insecure for two reasons:

1. It is missing the new Srp256 plugin which is the default
2. The order for authentication plugins should be from most secure to least secure to avoid leaking information about credentials of Srp users (e.g. if Srp256 or Srp succeeds, there is no need to send the password using the less secure UnixCrypt hash in Legacy_Auth).

In other words, enabling legacy authentication should produce

AuthServer = Srp256, Win_Sspi, Legacy_Auth

(or maybe AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth)

The default for AuthClient (AuthClient = Srp256, Srp, Win_Sspi, Legacy_Auth) is already sufficient and secure enough, so there is no need to write an explicit config.

Personally, I'd also prefer it if the UserManager order were set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.

Commits: 2af22cb
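To make the two complaints in this report checkable, here is a small linter for the AuthServer/AuthClient lines of firebird.conf. It is an added example, not code from the Firebird project or from this issue; the sample file contents are constructed from the config shown above, and the full strength ranking (Srp256 > Srp > Win_Sspi > Legacy_Auth) is an assumption, since the report only states that Legacy_Auth must not precede the Srp plugins.

```python
import re

# Assumed ranking for the "most secure first" check. The issue only fixes the
# endpoints (Srp256 strongest, Legacy_Auth last); the middle is this example's choice.
STRENGTH = {"Srp256": 3, "Srp": 2, "Win_Sspi": 1, "Legacy_Auth": 0}


def parse_conf(text):
    """Return {key: [plugin, ...]} for the AuthServer/AuthClient lines of a firebird.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # firebird.conf uses '#' for comments
        m = re.match(r"^(AuthServer|AuthClient)\s*=\s*(.+)$", line)
        if m:
            conf[m.group(1)] = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return conf


def check_plugins(plugins):
    """Return a list of findings for one plugin list; an empty list means the list is fine."""
    findings = []
    if "Srp256" not in plugins:
        findings.append("Srp256 missing (it is the default and strongest plugin)")
    # Report the first place where a weaker plugin is tried before a stronger one,
    # e.g. Legacy_Auth before Srp, which is what leaks the UnixCrypt hash needlessly.
    for earlier, later in zip(plugins, plugins[1:]):
        if STRENGTH.get(earlier, 0) < STRENGTH.get(later, 0):
            findings.append(f"{earlier} listed before stronger {later}")
            break
    return findings


def lint(text):
    """Lint every Auth* line found in the given firebird.conf text."""
    return {key: check_plugins(plugins) for key, plugins in parse_conf(text).items()}


# Constructed sample: what the installer writes when legacy auth is enabled.
WEAK = """AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
"""
# Constructed sample: the ordering proposed in the report.
FIXED = """AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, lint(text))
```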

@firebird-automations
Collaborator Author

Modified by: @mrotteveel

summary: Enabling legacy authentication in Windows installer leads to less secur config than possible => Enabling legacy authentication in Windows installer leads to less secure config than possible

@firebird-automations
Collaborator Author

Modified by: @reevespaul

assignee: Paul Reeves [ paul_reeves ]

@firebird-automations
Collaborator Author

Commented by: @reevespaul

I'm wondering if we should even support legacy_auth as an option in the installer in FB4.0.

The original purpose of that feature was to help users migrate from 2.5 to 3.0.

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

I suggest not supporting legacy authentication in the installer in FB4.0. I'm even unsure whether we should ask about the use of Srp instead of Srp256 - starting with 3.0.4 Srp256 is supported, and I do not expect massive arrays of old clients.

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Open [ 1 ] => Open [ 1 ]

QA Status: No test => Cannot be tested
