Subject: Re: [firebird-support] Need security advice from the pros
Author: Steve Wiser
If you store the SYSDBA password in a table then every time you change
it you have to update the tables. That said, it is always good
practice to expire passwords!

You should store the password in encrypted form and probably should send
it over the wire still encrypted. The client app could decrypt it and
use it for login to the db.

I am sure there are other ways to do it; this just came to mind first!

-steve

Zd wrote:
>
> Dear Steve,
>
> Thanks for the idea, sounds good.
> How can I get the SYSDBA password from a stored procedure?
>
> Should I store it myself encoded in a table?
>
> BTW: Is it a wise idea to change the SYSDBA password periodically in
> this case?
>
> Thanks:
> Zd
>
> ----- Original Message -----
> From: Steve Wiser
> To: firebird-support@yahoogroups.com
> Sent: Friday, August 29, 2008 2:34 PM
> Subject: Re: [firebird-support] Need security advice from the pros
>
> Since you state you have to work with sysdba in production as the db
> user what about trying something like this:
>
> 1) Have the client talk to the server over an encrypted tunnel only
> 2) Create a user that can only run a login stored procedure that takes
> the application user and password and returns the correct sysdba password
>
> Your app will login using the hard coded user that can only run the
> login routine and the user will have to put in their correct user ID and
> password. If it is good then the login procedure returns the sysdba
> password to your app and you can then reconnect using the sysdba user.
>
> -steve
>
> Zd wrote:
> >
> > Dear Group,
> >
> > Please help me with the following security considerations:
> >
> > My program connects to an FB2.1 DB running on XP. Many different users
> > are going to use my client program to connect to the database.
> >
> > Unfortunately, my program doesn't use "users" in the FB DB, instead it
> > uses the SYSDBA password to connect to the database. Each user has a
> > login/pass pair stored in the database in a table that is used for
> > authentication inside my program.
> >
> > Here are my problems:
> > 1, I can't redesign the program since it has a sophisticated built-in
> > rights management mechanism, so I have to stay with the solution
> > outlined above.
> > 2, Clients will be connecting through LAN and through the Internet -
> > so the database will be exposed on the Internet.
> > 3, The program will be running at different companies.
> >
> > I came up with the following ideas:
> > 1, Storing the SYSDBA pass encoded in the app's code. -> The problem:
> > a good hacker could reverse engineer the code and get access to any of
> > the companies' databases running my program!
> > 2, Storing the SYSDBA pass in a separate file, using a different
> > passfile for each company -> The problem: a good hacker could get and
> > reverse engineer the code from the file and hack the company's database.
> > 3, Creating a separate DB user with SYSDBA rights for each of my
> > program's users. Username / password would match their logins from
> > the program. -> The problem: the users could use a simple DB manager
> > to connect to the database and have access to all the data.
> > 4, The SYSDBA password is changed every night automatically. Before
> > the client authenticates, it gets the actual password using an SSL
> > connection (by giving their username / password). The encoded password
> > is sent over the network. -> The problem: a good hacker could get the
> > password sent over the Internet. One day should be more than enough to
> > get the contents of the entire database!
> >
> > Any other options that I have available? From the above, option 4
> > seems to be the most secure to me, but any ideas are welcome!
> >
> > Thank you:
> > Zd
> >
>