Subject | Re: [Firebird-Java] Re: Denied connections due to character set |
---|---|
Author | Mark Rotteveel |
Post date | 2017-02-14T20:12:52Z |
On 2017-02-14 20:48, 'William L. Thomson Jr.' wlt-ml@...
[Firebird-Java] wrote:
> On Tuesday, February 14, 2017 1:42:47 PM EST you wrote:
>> As you mentioned that you are able to connect with Jaybird
>> 2.2, the problem is probably that the security database is currently
>> only initialised for legacy authentication, and not the new SRP
>> (Secure Remote Password) authentication.
>
> Why is Jaybird 3 not working with legacy authentication then?

Jaybird normally does support legacy auth, but in this case Firebird has
returned an outright error, instead of the login rejection that allows
Jaybird to continue with the next authentication plugin.

>> Firebird 3 now has separate
>> authentication plugins, which individually need to initialise the
>> security database. Jaybird 3 first tries the SRP protocol, and only if
>> that is explicitly rejected by Firebird it tries the legacy
>> authentication.
>
> Seems it should be configurable like Firebird. I have Firebird setup
> for Legacy then SRP. Still migrating older stuff, so till everything is
> SRP I cannot switch. It seems it is not failing back to legacy, as that
> should work.

The plan is to have it configurable, but I first want to get the initial
release of Jaybird 3 out the door. You can use SRP and Legacy auth
together, it does not have to be one or the other. You can also create
users with the same user name in both plugins so they have the exact
same assigned rights (although technically that is reduced security in
comparison to only SRP).

>> I will need to check if this theory is right (and if I have to handle
>> this specific error also as a SRP rejection).
>
> That sounds logical. If I do not have SRP setup and it is only trying
> that then makes much more sense as to the issue.

The workflow is currently: first Srp is tried, then Legacy_Auth, but
trying the next plugin is only done if the protocol rejects the first
plugin in the right way.

>
>> Things you can try to also initialise the security database for SRP
>> (I'm not sure if all of these options work, but I currently can't test
>> this, maybe tomorrow):
>
> I thought I did, but I had some issues with that. Not to mention needed
> to support legacy so did not have a clear path. I will look into moving
> off legacy.

As I said, it is possible to use both SRP and Legacy_Auth together (with
some caveats in 3.0.0 (see
http://tracker.firebirdsql.org/browse/CORE-5225)).

>> 1) Make sure Srp is included in the UserManager setting in
>> firebird.conf
>> (restart the service after changing the value). Try to create a user
>> (eg in flamerobin) with:
>
> It is just reversed
>
> AuthServer = Legacy_Auth, Srp
> AuthClient = Legacy_Auth, Srp
> UserManager = Legacy_UserManager, Srp

That shouldn't normally be a problem

>
>> CREATE USER jaybird PASSWORD 'jdbc' USING PLUGIN Srp;
>>
>> You can drop the user afterwards.
>>
>> Try if you can connect now, otherwise try:
>>
>> 2) Make sure Srp is **first** in the UserManager setting in
>> firebird.conf
>>
>> start gsec:
>> gsec -user sysdba -password masterkey
>>
>> This might show a message that the security database is now
>> initialised iirc.
>
> I know I have sysdba setup. I am pretty sure the security database is
> initialized, just using legacy vs srp.
>
>> If in doubt, create a user:
>> add jaybird -pw jdbc
>>
>> You can drop the user afterwards.
>>
>> You can revert the changes to firebird.conf of steps 1 and 2
>> afterwards.
>>
>> Let me know if it works. If it doesn't work, can you let me know from
>> your firebird.conf the values of: UserManager, AuthServer, and
>> WireCrypt?
>
> WireCrypt = Disabled
>
> Maybe that is the issue, since I think it uses encrypted.

No, Jaybird 3 doesn't support wire protocol encryption. SRP itself
doesn't need wire protocol encryption, but wire protocol encryption does
need SRP (it is used for the key exchange).

>
>> I will try to reproduce this problem, and let you know the actual
>> steps to resolve this (and update the wiki and release notes).
>
> Ok sounds good. I am happy to provide any information to replicate.

Are you currently using Firebird 3.0.0, or 3.0.1?

Mark
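
Added example, not part of the original message and not code from Firebird or Jaybird: a small audit of the firebird.conf settings discussed in this thread (AuthServer, UserManager, WireCrypt) that flags the conditions the reply describes. The sample configuration is constructed from the values quoted above; the function names and the finding texts are this example's own.

```python
import re

# Constructed sample: the settings quoted in the thread above.
SAMPLE_CONF = """\
AuthServer = Legacy_Auth, Srp
AuthClient = Legacy_Auth, Srp
UserManager = Legacy_UserManager, Srp
WireCrypt = Disabled
"""

def parse_conf(text):
    """Return {lowercased key: value} for uncommented 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s*=\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def plugin_list(settings, key):
    """Lowercased plugin names for a setting, or None if the key is not set."""
    value = settings.get(key.lower())
    if value is None:
        return None  # not set here: the server default applies, nothing to check
    return [p.lower() for p in re.split(r"[,;\s]+", value) if p]

def audit(text):
    """List findings about SRP readiness of the given firebird.conf text."""
    conf = parse_conf(text)
    auth = plugin_list(conf, "AuthServer")
    managers = plugin_list(conf, "UserManager")
    wirecrypt = conf.get("wirecrypt", "").lower()
    findings = []
    if auth is not None and "srp" not in auth:
        findings.append("AuthServer lacks Srp: SRP logins cannot succeed")
        if wirecrypt in ("enabled", "required"):
            findings.append("WireCrypt is on but needs Srp for its key exchange")
    if auth is not None and "legacy_auth" in auth:
        findings.append("Legacy_Auth enabled: weaker than SRP only")
    if managers is not None and "srp" not in managers:
        findings.append("UserManager lacks Srp: CREATE USER ... USING PLUGIN Srp unavailable")
    elif managers and managers[0] != "srp":
        findings.append("UserManager does not list Srp first (step 2 above needs it first)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

A clean result only covers the configuration file; whether the security database has actually been initialised for SRP still has to be checked by creating a user with the Srp plugin, as described in the thread.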