04.03.2017 18:36, Mark Rotteveel wrote:
> I have some problems with using legacy authentication with Firebird 4:
>
> * Using the default existing legacy sysdba/masterke works
> * Creating a new user with the Legacy_UserManager (create user ...
>   password '...' using plugin Legacy_UserManager) or with gsec
>   (Legacy_UserManager is the first in the list), and trying to login leads
>   to an authentication failure
> * Using gsec to alter the password of the legacy sysdba and then trying
>   to login leads to an authentication failure (even if I changed to
>   masterke or masterkey)
>
> The above seems to suggest that the Legacy_UserManager is broken when
> hashing passwords. Is that a known issue?

Issue seems new (at least to me). The reason is that the hash of encrypted passwords is stored with trailing zeros now (guess it was due to recently introduced support of BINARY chars). See below:

fb40\temp\x64\debug\firebird>isql SECURITY4.FDB -user sysdba
Database: SECURITY4.FDB, User: SYSDBA
SQL> set list;
SQL> show table plg$users;
PLG$USER_NAME                   (SEC$USER_NAME) VARCHAR(63) Not Null
PLG$GROUP_NAME                  (SEC$USER_NAME) VARCHAR(63) Nullable
PLG$UID                         (PLG$ID) INTEGER Nullable
PLG$GID                         (PLG$ID) INTEGER Nullable
PLG$PASSWD                      (PLG$PASSWD) VARBINARY(64) Not Null
PLG$COMMENT                     (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UTF8 Nullable
PLG$FIRST_NAME                  (SEC$NAME_PART) VARCHAR(32) Nullable
PLG$MIDDLE_NAME                 (SEC$NAME_PART) VARCHAR(32) Nullable
PLG$LAST_NAME                   (SEC$NAME_PART) VARCHAR(32) Nullable
CONSTRAINT INTEG_2:
  Primary key (PLG$USER_NAME)
SQL>

Note, PLG$PASSWD has type VARBINARY.

SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from plg$users;

PLG$USER_NAME                   SYSDBA
PLG$PASSWD                      4E4C74776373394C72784C4D4F5968473075474D3969364B53376D663351414B764656706D52673D
OCTET_LENGTH                    40

PLG$USER_NAME                   VLAD
PLG$PASSWD                      5344516E344D62486F466265444C52523246507066304E556E48304D736B4352764F644A32446F3D000000000000000000000000000000000000000000000000
OCTET_LENGTH                    64

You see the difference. It also explains why the SYSDBA account works.

Look at fb3:

F:\FB2\fb30\temp\x64\debug\firebird>isql SECURITY3.FDB -user sysdba
Database: SECURITY3.FDB, User: SYSDBA
SQL> set list;
SQL> show table plg$users;
PLG$USER_NAME                   (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Not Null
PLG$GROUP_NAME                  (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Nullable
PLG$UID                         (PLG$ID) INTEGER Nullable
PLG$GID                         (PLG$ID) INTEGER Nullable
PLG$PASSWD                      (PLG$PASSWD) VARCHAR(64) CHARACTER SET OCTETS Not Null
PLG$COMMENT                     (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UNICODE_FSS Nullable
PLG$FIRST_NAME                  (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
PLG$MIDDLE_NAME                 (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
PLG$LAST_NAME                   (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
CONSTRAINT INTEG_2:
  Primary key (PLG$USER_NAME)

PLG$PASSWD is VARCHAR(64) CHARACTER SET OCTETS here, and

SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from plg$users;

PLG$USER_NAME                   SYSDBA
PLG$PASSWD                      4E4C74776373394C72784C4D4F5968473075474D3969364B53376D663351414B764656706D52673D
OCTET_LENGTH                    40

PLG$USER_NAME                   VLAD
PLG$PASSWD                      6C4C493241657136692F6A53524547572B6D5A36444D7A5231384663546758547467684D534D343D
OCTET_LENGTH                    40

there are no trailing zeros.

I'll commit a fix to ignore those trailing zeros when hashes are compared.

> Also curious: initializing the security database for Srp adds two Srp
> SYSDBA accounts (but it might always have done that).

I think you mixed two SYSDBA accounts created by different plugins.
See below (security4.fdb just copied from gen\dbs\security.fdb):

a) default firebird.conf

fb40\temp\x64\Release\firebird>isql SECURITY4.FDB -user sysdba
Database: SECURITY4.FDB, User: SYSDBA
SQL> set list;
SQL> select * from sec$users;
Statement failed, SQLSTATE = 28000
find/display record error
-Install incomplete, please read the Compatibility chapter in the release notes for this version
SQL>
SQL> create user SYSDBA password 'masterkey';
SQL> commit;
SQL>
SQL> create user SYSDBA password 'masterkey' using plugin legacy_usermanager;
Statement failed, SQLSTATE = HY000
Missing requested management plugin
SQL> select * from sec$users;

SEC$USER_NAME                   SYSDBA
SEC$FIRST_NAME                  <null>
SEC$MIDDLE_NAME                 <null>
SEC$LAST_NAME                   <null>
SEC$ACTIVE                      <true>
SEC$ADMIN                       <true>
SEC$DESCRIPTION                 <null>
SEC$PLUGIN                      Srp

All as expected.

b) change in firebird.conf

UserManager = Srp, Legacy_UserManager

fb40\temp\x64\Release\firebird>isql SECURITY4.FDB -user sysdba
Database: SECURITY4.FDB, User: SYSDBA
SQL> set list;
SQL> select * from sec$users;

SEC$USER_NAME                   SYSDBA
SEC$FIRST_NAME                  <null>
SEC$MIDDLE_NAME                 <null>
SEC$LAST_NAME                   <null>
SEC$ACTIVE                      <true>
SEC$ADMIN                       <true>
SEC$DESCRIPTION                 <null>
SEC$PLUGIN                      Srp

SEC$USER_NAME                   SYSDBA
SEC$FIRST_NAME                  Sql
SEC$MIDDLE_NAME                 Server
SEC$LAST_NAME                   Administrator
SEC$ACTIVE                      <null>
SEC$ADMIN                       <true>
SEC$DESCRIPTION                 <null>
SEC$PLUGIN                      Legacy_UserManager

SQL> create user SYSDBA password 'masterkey';
Statement failed, SQLSTATE = 23000
add record error
-violation of PRIMARY or UNIQUE KEY constraint "INTEG_5" on table "PLG$SRP"
-Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')
SQL> create user SYSDBA password 'masterkey' using plugin legacy_usermanager;
Statement failed, SQLSTATE = 23000
add record error
-violation of PRIMARY or UNIQUE KEY constraint "INTEG_2" on table "PLG$USERS"
-Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')

Again all as expected.

Regards,
Vlad

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
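
The mismatch described in the message above (a 40-byte hash stored in a zero-padded 64-byte VARBINARY field) and a comparison that ignores the padding, as an added example that is not part of the original mail and is not Firebird's code. All function names are hypothetical; VLAD_HASH is the ASCII decoding of the 40 significant bytes of the VLAD row's PLG$PASSWD from the fb4 listing.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_LEN 64 /* PLG$PASSWD is VARBINARY(64) in the fb4 listing */
/* Sample value: ASCII decoding of the VLAD row's 40 significant bytes. */
static const unsigned char VLAD_HASH[] = "SDQn4MbHoFbeDLRR2FPpf0NUnH0MskCRvOdJ2Do=";
#define VLAD_LEN (sizeof VLAD_HASH - 1)

/* Model of the fb4 row: hash copied into a zero-filled 64-byte field. */
size_t store_padded(unsigned char field[FIELD_LEN], const unsigned char *src, size_t n)
{
    memset(field, 0, FIELD_LEN);
    memcpy(field, src, n < FIELD_LEN ? n : FIELD_LEN);
    return FIELD_LEN; /* the OCTET_LENGTH such a padded row reports */
}

/* Length of the field content once trailing 0x00 bytes are dropped. */
size_t significant_len(const unsigned char *buf, size_t len)
{
    while (len > 0 && buf[len - 1] == 0)
        len--;
    return len;
}

/* Strict comparison: lengths and bytes must match, so padding breaks it. */
int hash_equal_strict(const unsigned char *stored, size_t stored_len,
                      const unsigned char *computed, size_t computed_len)
{
    return stored_len == computed_len && memcmp(stored, computed, computed_len) == 0;
}

/* Padding-tolerant comparison; differences are accumulated, no early exit. */
int hash_equal_ignore_padding(const unsigned char *stored, size_t stored_len,
                              const unsigned char *computed, size_t computed_len)
{
    unsigned char diff = 0;
    size_t i, n = significant_len(stored, stored_len);
    if (n != computed_len) return 0;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ computed[i]);
    return diff == 0;
}

int main(void)
{
    unsigned char field[FIELD_LEN];
    size_t flen = store_padded(field, VLAD_HASH, VLAD_LEN);
    printf("strict=%d tolerant=%d\n", hash_equal_strict(field, flen, VLAD_HASH, VLAD_LEN),
           hash_equal_ignore_padding(field, flen, VLAD_HASH, VLAD_LEN));
    return 0;
}
```

Dropping trailing zeros is lossless here only because the stored hashes shown above are printable text that never contains a 0x00 byte; a raw binary digest could legitimately end in zero bytes and would need an explicit length instead.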