On 6-3-2019 13:33, Paul Reeves wrote:
> The installer in FB4 Beta 1 doesn't implement this option correctly,
> simply because srp256 is not included if the user checks the box. That
> is simple to fix.

> However the underlying problem is more complex. We now have two forms
> of legacy auth (without an underscore) - srp for Firebird 3 and
> legacy_auth for Firebird 2.?.

Srp is not a legacy authentication, it is just slightly less secure than Srp256, and Firebird 3.0.4 (client and server) also supports Srp256 (and the others), so only enabling Srp256 + Legacy_Auth would be good enough if we could assume that people upgrade (which unfortunately, they don't).

In addition users for Srp, Srp224, Srp256, Srp384 and Srp512 are the same, it is just the authentication protocol that is (slightly) different. That is totally different from Legacy_Auth where users are actually entirely different entities, which is also what causes most of the problems...

> To correctly enable legacy auth at install time the installer
> should really be modified to present two questions to the
> user, one for Firebird 3 auth and another for Firebird 2 auth.

I don't think that is necessary at all. Enabling Srp256, Legacy_Auth should be good enough, or alternatively, the installer could show an option for which plugins to enable or not. I however think that is overkill.

> This seems to me to be too complex for a click through install.
> Keeping a single question opens up FB4 servers to all legacy auth.
> Changing the question so that FB4 considers legacy auth to only
> include Fb3 and not FB2 _may_ be confusing for those not paying
> attention (like almost everybody). And there is a good argument to not
> offer either option at install time because enabling legacy auth weakens
> security.

I don't think it would be a good idea to label Srp as 'legacy authentication' at all, because it isn't.

> If we choose best security I wonder how much we risk alienating users
> who are not 200% committed to firebird. Like it or not we have a
> massive user base that is tied to legacy versions of firebird and that
> is not going to change overnight. In addition many of those use zero
> security at the un/pw level so don't really care about security.

On the other hand, are people that are tied to old versions actually going to upgrade to Firebird 4? People are still using Firebird 1.5 almost a decade after it was discontinued...

> We want to take our users with us. To do so means keeping migration as
> simple as possible.
>
> What is the opinion of others on this subject?

Maybe the installer of Firebird 4 shouldn't enable Legacy_Auth at all. Legacy_Auth is deprecated and was only intended transitionally. We should not continue to drag this along for too long, otherwise twenty years down the road we'll still be supporting it (see dialect 1...).

People should bite the bullet sooner or later.

I propose:

- Firebird 4 installers should not provide an option to enable Legacy_Auth
- Firebird 5 does not include Legacy_Auth for the server (but the client still supports it); if people really need it, it should be possible to use the plugin from FB4 (or something like that)
- Firebird 6 removes support for Legacy_Auth for the client

Mark
--
Mark Rotteveel
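The setting the thread argues about ("enabling Srp256, Legacy_Auth") lives in firebird.conf. As an added example that is not part of the original mail thread or of the Firebird project's own code, the script below parses a constructed firebird.conf fragment, lists which server-side authentication plugins it enables and flags the weak combinations: Legacy_Auth present, the original Srp plugin offered without Srp256, Legacy_UserManager present, and WireCrypt relaxed from Required. It also reports the inverse mistake: listing Legacy_Auth while keeping WireCrypt = Required, which leaves Firebird 2.x clients unable to connect because that plugin cannot supply a wire-encryption key. The two sample configurations, the `audit`/`parse_conf` helpers and the default values used for absent keys are assumptions of this example, not taken from the original mail.

```python
"""Audit the authentication settings in a firebird.conf fragment.

Added example (not Firebird's own code). Assumes the firebird.conf
'Key = value' syntax with '#' comments and the plugin names discussed
in the thread: Srp, Srp256, Legacy_Auth, Legacy_UserManager.
"""
import re
from typing import Dict, List

# Constructed sample configurations (not from the original mail or any real install).
WEAK_CONF = """
# firebird.conf fragment: what "enable Srp256 + Legacy_Auth" ends up looking like,
# with WireCrypt relaxed so that Legacy_Auth clients can actually connect.
AuthServer = Srp256, Legacy_Auth
AuthClient = Srp256, Srp, Legacy_Auth
UserManager = Srp, Legacy_UserManager
WireCrypt = Enabled
"""

HARDENED_CONF = """
# firebird.conf fragment: SRP only, wire encryption mandatory.
AuthServer = Srp256
AuthClient = Srp256, Srp
UserManager = Srp
WireCrypt = Required
"""

# Values used when a key is absent from the file. These are what I believe the
# Firebird 4 server defaults to be; treat them as an assumption of this example.
ASSUMED_DEFAULTS = {"authserver": "Srp256", "usermanager": "Srp", "wirecrypt": "Required"}

_SETTING = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'Key = value' lines; '#' starts a comment; keys are case-insensitive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def plugin_list(value: str) -> List[str]:
    """Split a comma-separated plugin list such as 'Srp256, Legacy_Auth'."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit(text: str) -> List[str]:
    """Return human-readable findings about the server-side authentication settings."""
    s = {**ASSUMED_DEFAULTS, **parse_conf(text)}
    findings: List[str] = []

    auth_server = {p.lower() for p in plugin_list(s["authserver"])}
    wirecrypt = s["wirecrypt"].lower()

    if "legacy_auth" in auth_server:
        findings.append("AuthServer lists Legacy_Auth: deprecated Firebird 2.x authentication is accepted")
    if "srp" in auth_server and "srp256" not in auth_server:
        findings.append("AuthServer offers Srp but not Srp256: only the weaker SHA-1 client proof is available")
    if wirecrypt != "required":
        findings.append(f"WireCrypt = {s['wirecrypt']}: unencrypted connections are accepted")
    if "legacy_auth" in auth_server and wirecrypt == "required":
        findings.append("Legacy_Auth is listed but WireCrypt = Required: legacy clients cannot supply "
                        "a wire-encryption key and will be rejected anyway")
    if any(p.lower() == "legacy_usermanager" for p in plugin_list(s["usermanager"])):
        findings.append("UserManager lists Legacy_UserManager: the separate Firebird 2.x-style user "
                        "records that Legacy_Auth authenticates against are being maintained")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Running the script on the two constructed fragments reports three findings for the weak one (Legacy_Auth, WireCrypt = Enabled, Legacy_UserManager) and none for the hardened one; point `audit()` at the contents of a real firebird.conf to check an installed server.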


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel