On 25-2-2019 13:51, Alex Peshkoff via Firebird-devel wrote:
On 2/24/19 10:52 AM, Mark Rotteveel wrote:
The security database inside the distribution is already initialized
with a Legacy_Auth SYSDBA only. I'm not sure why the same can't be
done for SRP (or at least: isn't done for SRP).
The first half of an answer is very simple - in order to avoid a network
server running with a SYSDBA/masterkey login in the default configuration.
Looking at this discussion I once again notice that this protection is
rather efficient :)
Then let's change this question to why the security database in the
distribution isn't initialized for SRP (i.e. having the PLG$SRP table,
maybe other things needed). Would it be possible to initialize it as
part of the distribution **without** having a user present? That at
least would avoid the "Look at the compatibility chapter" error.
And given the default security database does contain a legacy auth with
SYSDBA/masterkey it is insecure anyway for people who'll enable Legacy_Auth.
The problem is essentially
http://tracker.firebirdsql.org/browse/CORE-5485 which Alex doesn't
consider to be a bug.
If you create a single Srp user, this will go away. And you have to
create a user (or users) anyway for your application(s), so why not
just use Srp for that?
To be precise - if some application does not use Firebird's access
rights control (it's using the same login for all attaches) and you are
quite sure of the reliability of the infrastructure protecting the server
running Firebird from undesired access, I see no reason to use srp. The
Legacy plugin is faster - it needs less CPU to establish a connection. But
in this case what's the need to add more plugins to the configuration file?
And I'm looking at it from the perspective that the current defaults
seem to introduce - in my view - unnecessary hurdles / complications...
Mark
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel