Subject Re: [Firebird-Java] Re: Denied connections due to character set
Author Mark Rotteveel
On 2017-02-14 20:48, 'William L. Thomson Jr.' wlt-ml@...
[Firebird-Java] wrote:
> On Tuesday, February 14, 2017 1:42:47 PM EST you wrote:
>> As you mentioned that you are able to connect with Jaybird
>> 2.2, the problem is probably that the security database is currently
>> only initialised for legacy authentication, and not the new SRP
>> (Secure
>> Remote Password) authentication.
> Why is Jaybird 3 not working with legacy authentication then?

Jaybird normally does support legacy auth, but in this case Firebird has
returned an outright error, instead of the login rejection that allows
Jaybird to continue with the next authentication plugin.

>> Firebird 3 now has separate
>> authentication plugins, which individually need to initialise the
>> security database. Jaybird 3 first tries the SRP protocol, and only if
>> that is explicitly rejected by Firebird it tries the legacy
>> authentication.
> Seems it should be configurable like Firebird. I have Firebird setup
> for Legacy
> then SRP. Still migrating older stuff, so till everything is SRP I
> cannot
> switch. It seems it is not failing back to legacy, as that should work.

The plan is to have it configurable, but I first want to get the initial
release of Jaybird 3 out the door. You can use SRP and Legacy auth
together, it does not have to be one or the other. You can also create
users with the same user name in both plugins so they have the exact
same assigned rights (although technically that is reduced security in
comparison to only SRP).

>> I will need to check if this theory is right (and if I have to handle
>> this specific error also as a SRP rejection).
> That sounds logical. If I do not have SRP setup and it is only trying
> that
> then makes much more sense as to the issue.

The workflow is currently: first Srp is tried, then Legacy_Auth, but
trying the next plugin is only done if the protocol rejects the first
plugin in the right way.

>> Things you can try to also initialise the security database for SRP
>> (I'm
>> not sure if all of these options work, but I currently can't test
>> this,
>> maybe tomorrow):
> I thought I did, but I had some issues with that. Not to mention needed
> to
> support legacy so did not have a clear path. I will look into moving
> off
> legacy.

As I said, it is possible to use both SRP and Legacy_Auth together (with
some caveats in 3.0.0 (see

>> 1) Make sure Srp is included in the UserManager setting in
>> firebird.conf
>> (restart the service after changing the value). Try to create a user
>> (eg
>> in flamerobin) with:
> It is just reversed
> AuthServer = Legacy_Auth, Srp
> AuthClient = Legacy_Auth, Srp
> UserManager = Legacy_UserManager, Srp

That shouldn't normally be a problem

>> You can drop the user afterwards.
>> Try if you can connect now, otherwise try:
>> 2) Make sure Srp is **first** in the UserManager setting in
>> firebird.conf
>> start gsec:
>> gsec -user sysdba -password masterkey
>> This might show a message that the security database is now
>> initialised
>> iirc.
> I know I have sysdba setup. I am pretty sure the security database is
> initialized, just using legacy vs srp.
>> If in doubt, create a user:
>> add jaybird -pw jdbc
>> You can drop the user afterwards.
>> You can revert the changes to firebird.conf of steps 1 and 2
>> afterwards.
>> Let me know if it works. If it doesn't work, can you let me know from
>> your firebird.conf the values of: UserManager, AuthServer, and
>> WireCrypt?
> WireCrypt = Disabled
> Maybe that is the issue, since I think it uses encrypted.

No, Jaybird 3 doesn't support wire protocol encryption. SRP itself
doesn't need wire protocol encryption, but wire protocol encryption does
need SRP (it is used for the key exchange).

>> I will try to reproduce this problem, and let you know the actual
>> steps
>> to resolve this (and update the wiki and release notes).
> Ok sounds good. I am happy to provide any information to replicate.

Are you currently using Firebird 3.0.0, or 3.0.1?