Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On 23-2-2019 20:56, Lester Caine wrote:
> On 23/02/2019 19:21, Paul Reeves wrote:
>>>> It is linked to the fact that rpm installs don't allow interaction at install time, so the security database is not initialised.
>>> IIRC, rpm install 2.5 used to initialize security database using random password for sysdba. Was it changed in 3.0?
>> I only know the suse packages. The security db was left uninitialised.
>
> The fresh install using the packages currently supported by SUSE Leap 15.0 defaults to 'masterke', and as always the first thing I do is change that via flamerobin.

The security database inside the distribution is already initialized with a Legacy_Auth SYSDBA only. I'm not sure why the same can't be done for SRP (or at least: isn't done for SRP).

> And that has been done in this case. My problem with the 'Compatibility chapter' on the previous install was that I was unable to access the database until I REMOVED Srp from the config file. I have no worries about the legacy system being 'less secure' simply because the only application accessing it is PHP on a local network link and I don't need any more than that so why should I have to do any more than getting a single user working?

The problem is essentially http://tracker.firebirdsql.org/browse/CORE-5485 which Alex doesn't consider to be a bug. If you create a single Srp user, this will go away. And you have to create a user (or users) anyway for your application(s), so why not just use Srp for that?

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Start transaction from base transaction
On Sat, Feb 23, 2019, 21:30 Vlad Khorsun wrote:
> 23.02.2019 21:14, Adriano dos Santos Fernandes wrote:
>> Hi!
>>
>> After changes to use commit number instead of base transaction number, I
>> offer to make that interfaces for the feature:
>
> I offer to not introduce additional confusion with different usages of commit
> numbers.
>
> Commit Number (CN) itself is a unique value assigned to every committed
> transaction. The source of that value is a per-database counter. When some database
> snapshot is created it uses the current value of the database counter of commit numbers
> as its own identifier. Let's name it Snapshot Number (SN) to distinguish it from the Commit
> Number assigned to a transaction. The source of CN and SN is the same, but usage
> and meaning are very different!
>
> Therefore
>
>> SQL command: SET TRANSACTION SNAPSHOT COMMIT NUMBER
>>
>> (some variant as SNAPSHOT FROM COMMIT NUMBER or SNAPSHOT BASE COMMIT
>> NUMBER may be acceptable)
>
> maybe:
> SET TRANSACTION SNAPSHOT [USING SNAPSHOT ]
> or
> SET TRANSACTION SNAPSHOT [USING SNAPSHOT NUMBER ]

What I dislike here is double SNAPSHOT words.

>> TPB: isc_tpb_snapshot_commit_number, number>
>
> isc_tpb_snapshot_number
>
> Regards,
> Vlad
>
> PS we also must add isc_info_tra_snapshot_number and, probably, context
> variable.

Don't we already have context SNAPSHOT_CN? It already has the same meaning of the new feature, so therefore what context you would want to add?

And then SNAPSHOT_CN means "SNAPSHOT COMMIT NUMBER", it's the reason for the syntax that I offered.

Adriano

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Start transaction from base transaction
23.02.2019 21:14, Adriano dos Santos Fernandes wrote:
> Hi!
>
> After changes to use commit number instead of base transaction number, I offer to make that interfaces for the feature:

I offer to not introduce additional confusion with different usages of commit numbers.

Commit Number (CN) itself is a unique value assigned to every committed transaction. The source of that value is a per-database counter. When some database snapshot is created it uses the current value of the database counter of commit numbers as its own identifier. Let's name it Snapshot Number (SN) to distinguish it from the Commit Number assigned to a transaction. The source of CN and SN is the same, but usage and meaning are very different!

Therefore

> SQL command: SET TRANSACTION SNAPSHOT COMMIT NUMBER
>
> (some variant as SNAPSHOT FROM COMMIT NUMBER or SNAPSHOT BASE COMMIT NUMBER may be acceptable)

maybe:
SET TRANSACTION SNAPSHOT [USING SNAPSHOT ]
or
SET TRANSACTION SNAPSHOT [USING SNAPSHOT NUMBER ]

> TPB: isc_tpb_snapshot_commit_number,

isc_tpb_snapshot_number

Regards,
Vlad

PS we also must add isc_info_tra_snapshot_number and, probably, context variable.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On 23/02/2019 19:21, Paul Reeves wrote:
>>> It is linked to the fact that rpm installs don't allow interaction at install time, so the security database is not initialised.
>> IIRC, rpm install 2.5 used to initialize security database using random password for sysdba. Was it changed in 3.0?
> I only know the suse packages. The security db was left uninitialised.

The fresh install using the packages currently supported by SUSE Leap 15.0 defaults to 'masterke', and as always the first thing I do is change that via flamerobin. And that has been done in this case. My problem with the 'Compatibility chapter' on the previous install was that I was unable to access the database until I REMOVED Srp from the config file. I have no worries about the legacy system being 'less secure' simply because the only application accessing it is PHP on a local network link and I don't need any more than that so why should I have to do any more than getting a single user working?

--
Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - https://lsces.co.uk
EnquirySolve - https://enquirysolve.com/
Model Engineers Digital Workshop - https://medw.co.uk
Rainbow Digital Media - https://rainbowdigitalmedia.co.uk

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On Sat, 23 Feb 2019 17:54:40 +0100 Dimitry Sibiryakov wrote:
> 23.02.2019 17:51, Paul Reeves wrote:
>> It is linked to the fact that rpm installs don't allow
>> interaction at install time, so the security database is not
>> initialised.
>
> IIRC, rpm install 2.5 used to initialize security database using
> random password for sysdba. Was it changed in 3.0?

I only know the suse packages. The security db was left uninitialised.

Paul
--
Paul Reeves
http://www.ibphoenix.com
Supporting users of Firebird

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Start transaction from base transaction
Hi!

After changes to use commit number instead of base transaction number, I offer to make that interfaces for the feature:

SQL command: SET TRANSACTION SNAPSHOT COMMIT NUMBER

(some variant as SNAPSHOT FROM COMMIT NUMBER or SNAPSHOT BASE COMMIT NUMBER may be acceptable)

TPB: isc_tpb_snapshot_commit_number,

Adriano

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
23.02.2019 17:51, Paul Reeves wrote:
> It is linked to the fact that rpm installs don't allow interaction at install time, so the security database is not initialised.

IIRC, rpm install 2.5 used to initialize security database using random password for sysdba. Was it changed in 3.0?

--
WBR, SD.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On Sat, 23 Feb 2019 16:28:46 +0100 Mark Rotteveel wrote:
>
> I think that a lot of grief could have been avoided if SRP
> initialization would have been done as part of the default
> initialization of the security3.fdb in the distribution instead of
> leaving that to the users.
>

As far as linux and Firebird 3 is concerned that is definitely a problem. It is linked to the fact that rpm installs don't allow interaction at install time, so the security database is not initialised.

Paul
--
Paul Reeves
http://www.ibphoenix.com
Supporting users of Firebird

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Firebird 4 beta 1 Windows installer says it is suitable for production use
On Sat, 23 Feb 2019 09:03:05 +0100 Mark Rotteveel wrote:
> The Firebird 4 beta 1 installer says (information after install):
>
> """
> Firebird 4.0 has undergone extensive testing and is
> intended for widespread production use. However, users
> are recommended to follow standard practices before
> deploying this release on a production server.
> """
>
> For the next beta we should probably tweak this to say it is **NOT**
> intended for widespread production use.

That is definitely a bug. I'm not sure what happened but there are meant to be two boiler plate readme's - one for dev releases and one for prod releases. That one is surely not appropriate for a beta. I'll look into it.

Paul
--
Paul Reeves
http://www.ibphoenix.com
Supporting users of Firebird

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On 23-2-2019 13:02, Lester Caine wrote:
> On 23/02/2019 11:23, Mark Rotteveel wrote:
>> Yes it is working, even with Firebird 3; except maybe Firebird 3.0.0 and 3.0.1 as I recall there were issues with some of the early versions, but I can't recall if that was pre-release or not.
>
> I beg to differ! I've just been working through this in the last few days. Clean machine ... fresh install of SUSE 15.0/Gnome ... all software installed onto new main disk ( data disks separate ). Firebird 3.0.2 along with Flamerobin 0.9.3.1, nginx 1.14.0 and PHP 7.2.5

Why 3.0.2? Firebird 3.0.4 has been out for almost 5 months now (and 3.0.3 a year).

> From previous experience I had stripped the firebird.conf back to
>
> AuthServer = Legacy_Auth
> AuthClient = Legacy_Auth
> UserManager = Legacy_UserManager
> WireCrypt = Disabled
>
> I can add ', Srp' to UserManager and AuthClient but if I add it to AuthServer then both Flamerobin and PHP fail to connect. FlameRobin gives
>
> ---
> Engine Code : 335544472
> Engine Message :
> Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
> Install incomplete, please read the Compatibility chapter in the release notes for this version
> ---
>
> So currently I have
>
> AuthServer = Legacy_Auth
> AuthClient = Legacy_Auth, Srp
> UserManager = Legacy_UserManager, Srp
> WireCrypt = Disabled
>
> And I am connecting and working ... AVOIDING following the Compatibility chapter ... so where am I going wrong?

Why are you spending so much energy avoiding that chapter?

In any case, if Srp is checked before Legacy_Auth the security database must be properly initialized for Srp. And Srp will be checked first if AuthServer **contains** Srp (in any order) when the client starts with Srp (the client is leading with regard to order of authentication).

If you are using a Firebird 3 fbclient that doesn't have a firebird.conf in the same directory as the fbclient.dll / libfbclient.so, it will use the default AuthClient setting, which has Srp first, which means an authentication attempt with Srp will be done first. Which is likely what happens in your case. The AuthClient setting in the server firebird.conf is only applied when the server acts as a client (execute statement on external datasource), it doesn't apply to client libraries in a different location.

You need to initialize the security database for SRP to get rid of that error. This can be done by creating a user (any user) with SRP. Creating a user (and - if not needed - dropping that user) should be enough (see also a similar exchange we had in January, eg my post in firebird-support at 17 Jan 2019 21:28:16 +0100).

create user someuser password 'xyz' using plugin Srp;
commit;
-- optionally drop user
drop user someuser using plugin Srp;
commit;

I think that a lot of grief could have been avoided if SRP initialization would have been done as part of the default initialization of the security3.fdb in the distribution instead of leaving that to the users.

I think in your setup you shouldn't even need to use Legacy_Auth assuming all clients can be deployed with a Firebird 3 fbclient.

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Setting time zone bind through DPB?
On 23-2-2019 13:17, Lester Caine wrote:
> On 23/02/2019 11:39, Mark Rotteveel wrote:
>> That ignores the reality of drivers that are aware of the existence of a feature but haven't yet come around to implementing it (or don't want to implement it).
>
> Currently I have no intention of touching FB4 simply because it will conflict with proper reliable management of timezone data. In order to ensure my historic material is not corrupted by the limits imposed by the FB4 hacks to ignore second accuracy in TZ offsets. It's bad enough that the raw data is already corrupted by ignoring pre-1970 rules and serving up the truncated data without ANY indication. Then taking that data and limiting it to minute accuracy is simply wrong. I see the current offering as being something that will have to be completely reworked at some point to be of any use for historic data sets, but then the complete TZ system has to be fixed first! We take the time to build accurate rules sets for events as recent as the 2nd world war, and then they get thrown out because it's 'too much trouble to manage them'! Currently many other parts of the world are going through the same exercise of accurately documenting pre-1970 data, but there is no way currently of distributing this material :(

I'm not sure why you replied this to my post. It doesn't seem relevant in the context of my thread.

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Setting time zone bind through DPB?
On 23/02/2019 11:39, Mark Rotteveel wrote:
> That ignores the reality of drivers that are aware of the existence of a feature but haven't yet come around to implementing it (or don't want to implement it).

Currently I have no intention of touching FB4 simply because it will conflict with proper reliable management of timezone data. In order to ensure my historic material is not corrupted by the limits imposed by the FB4 hacks to ignore second accuracy in TZ offsets. It's bad enough that the raw data is already corrupted by ignoring pre-1970 rules and serving up the truncated data without ANY indication. Then taking that data and limiting it to minute accuracy is simply wrong. I see the current offering as being something that will have to be completely reworked at some point to be of any use for historic data sets, but then the complete TZ system has to be fixed first! We take the time to build accurate rules sets for events as recent as the 2nd world war, and then they get thrown out because it's 'too much trouble to manage them'! Currently many other parts of the world are going through the same exercise of accurately documenting pre-1970 data, but there is no way currently of distributing this material :(

--
Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - https://lsces.co.uk
EnquirySolve - https://enquirysolve.com/
Model Engineers Digital Workshop - https://medw.co.uk
Rainbow Digital Media - https://rainbowdigitalmedia.co.uk

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On 23/02/2019 11:23, Mark Rotteveel wrote:
> Yes it is working, even with Firebird 3; except maybe Firebird 3.0.0 and 3.0.1 as I recall there were issues with some of the early versions, but I can't recall if that was pre-release or not.

I beg to differ! I've just been working through this in the last few days. Clean machine ... fresh install of SUSE 15.0/Gnome ... all software installed onto new main disk ( data disks separate ). Firebird 3.0.2 along with Flamerobin 0.9.3.1, nginx 1.14.0 and PHP 7.2.5

From previous experience I had stripped the firebird.conf back to

AuthServer = Legacy_Auth
AuthClient = Legacy_Auth
UserManager = Legacy_UserManager
WireCrypt = Disabled

I can add ', Srp' to UserManager and AuthClient but if I add it to AuthServer then both Flamerobin and PHP fail to connect. FlameRobin gives

---
Engine Code: 335544472
Engine Message :
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Install incomplete, please read the Compatibility chapter in the release notes for this version
---

So currently I have

AuthServer = Legacy_Auth
AuthClient = Legacy_Auth, Srp
UserManager = Legacy_UserManager, Srp
WireCrypt = Disabled

And I am connecting and working ... AVOIDING following the Compatibility chapter ... so where am I going wrong?

--
Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - https://lsces.co.uk
EnquirySolve - https://enquirysolve.com/
Model Engineers Digital Workshop - https://medw.co.uk
Rainbow Digital Media - https://rainbowdigitalmedia.co.uk

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Setting time zone bind through DPB?
On 18-2-2019 12:59, Alex Peshkoff via Firebird-devel wrote:
> On 2/18/19 2:21 PM, Adriano dos Santos Fernandes wrote:
>> On 16/02/2019 12:57, Mark Rotteveel wrote:
>>> BTW: similar arguments could be made for the SET DECFLOAT options, but I don't have a need there.
>>
>> The similar SET DECFLOAT wasn't it, so TIME ZONE didn't have to.
>
> That backward compatibility bindings were designed in order to make new features work somehow with old, having no idea about them, software. Such software hardly has a good way to place unknown to it items to DPB. New one should better use default bindings cause they provide best (from functionality POV) access to new features. So why overcomplicate server where it's not needed ?

That ignores the reality of drivers that are aware of the existence of a feature but haven't yet come around to implementing it (or don't want to implement it).

For example, I only want to support time zones in Java 8 (and higher) and not in Java 7 to avoid having to implement it twice because the Java 8 implementation will use the java.time (JSR-310) API as required by JDBC, and this doesn't exist in Java 7. I could also add something like that in Jaybird 3.x, etc (that could apply for both DECFLOAT and WITH TIME ZONE types).

And as I mentioned earlier, I'm also concerned about the effects of ALTER SESSION RESET.

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On 23-2-2019 10:31, Lester Caine wrote:
> On 23/02/2019 08:14, Mark Rotteveel (JIRA) wrote:
>> Personally, I'd also prefer if UserManager order would be set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.
>
> *IS* including the other options in any of the entries tested and working when one is using FB2.x and FB3 systems in parallel? Certainly I've had to strip everything but Legacy_Auth and Legacy_UserManager in order to get my PHP setups to run with FB3! So is FB4 any different?

Yes it is working, even with Firebird 3; except maybe Firebird 3.0.0 and 3.0.1 as I recall there were issues with some of the early versions, but I can't recall if that was pre-release or not.

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
On 23/02/2019 08:14, Mark Rotteveel (JIRA) wrote:
> Personally, I'd also prefer if UserManager order would be set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.

*IS* including the other options in any of the entries tested and working when one is using FB2.x and FB3 systems in parallel? Certainly I've had to strip everything but Legacy_Auth and Legacy_UserManager in order to get my PHP setups to run with FB3! So is FB4 any different?

--
Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - https://lsces.co.uk
EnquirySolve - https://enquirysolve.com/
Model Engineers Digital Workshop - https://medw.co.uk
Rainbow Digital Media - https://rainbowdigitalmedia.co.uk

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
[Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secure config than possible
Enabling legacy authentication in Windows installer leads to less secure config than possible

Key: CORE-6011
URL: http://tracker.firebirdsql.org/browse/CORE-6011
Project: Firebird Core
Issue Type: Bug
Components: Build Issues / Porting, Installation, Security
Affects Versions: 4.0 Beta 1
Reporter: Mark Rotteveel

When you enable legacy authentication in the Windows installer, it will configure firebird.conf with

AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi

This is insecure for two reasons:

1. It is missing the new Srp256 plugin which is the default
2. The order for authentication plugins should be from most secure to least secure to avoid leaking information about credentials of Srp users (eg if Srp256 or Srp succeeds, there is no need to send the password using the less secure UnixCrypt hash in Legacy_Auth).

In other words, enabling legacy authentication should produce

AuthServer = Srp256, Win_Sspi, Legacy_Auth

(or maybe AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth)

The default for AuthClient (AuthClient = Srp256, Srp, Win_Sspi, Legacy_Auth) is already sufficient and secure enough, so there is no need to write an explicit config.

Personally, I'd also prefer if UserManager order would be set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://tracker.firebirdsql.org/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
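The ordering rule the issue argues for (strongest plugin first, Srp256 present) can be checked mechanically against a deployed firebird.conf. The script below is an added example for this archive, not part of the tracker issue and not Firebird project code. It parses the AuthServer and AuthClient lines of a firebird.conf, reports a weaker plugin listed ahead of a stronger one or a missing Srp256, and prints the reordered line. The strength ranking Srp256 > Srp > Win_Sspi > Legacy_Auth is taken from the orders proposed in the issue and is an assumption of the example; the sample config is constructed to match the installer output quoted above.

```python
"""Audit the AuthServer / AuthClient plugin order in a firebird.conf.

Added example for the CORE-6011 discussion; not Firebird project code.
"""
from __future__ import annotations

# Assumed ranking, strongest first. It follows the order proposed in
# CORE-6011 (Srp256, Srp, Win_Sspi, Legacy_Auth). Plugins not listed here
# (third-party ones) are not ranked and are left where they are.
STRENGTH = {"Srp256": 0, "Srp": 1, "Win_Sspi": 2, "Legacy_Auth": 3}
AUTH_KEYS = ("AuthServer", "AuthClient")


def parse_conf(text: str) -> dict[str, str]:
    """Parse firebird.conf-style 'Key = Value' lines; '#' starts a comment.

    A later occurrence of a key overrides an earlier one, as in the real file.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def plugin_list(value: str) -> list[str]:
    """Split a comma-separated plugin list as written in firebird.conf."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit(plugins: list[str]) -> list[str]:
    """Return findings for one plugin list; an empty list means no issue.

    Two checks, mirroring the two points of the issue: Srp256 must be
    present, and no plugin may be tried before a stronger one.
    """
    findings: list[str] = []
    if "Srp256" not in plugins:
        findings.append("Srp256 missing")
    ranked = [p for p in plugins if p in STRENGTH]
    for i, earlier in enumerate(ranked):
        for later in ranked[i + 1:]:
            if STRENGTH[earlier] > STRENGTH[later]:
                findings.append(f"{earlier} listed before {later}")
    return findings


def recommended(plugins: list[str]) -> list[str]:
    """Reorder the list strongest-first and add Srp256 if it is absent.

    Unranked plugins keep their relative order and go to the end.
    """
    wanted = list(dict.fromkeys(["Srp256"] + plugins))  # dedupe, keep order
    ranked = sorted((p for p in wanted if p in STRENGTH), key=STRENGTH.__getitem__)
    unranked = [p for p in wanted if p not in STRENGTH]
    return ranked + unranked


def audit_conf(text: str) -> dict[str, list[str]]:
    """Audit every auth key that is explicitly set in the given config."""
    settings = parse_conf(text)
    return {k: audit(plugin_list(settings[k])) for k in AUTH_KEYS if k in settings}


# Constructed sample: the lines the issue says the FB4 beta 1 installer writes
# when legacy authentication is enabled.
INSTALLER_CONF = """\
# firebird.conf fragment (constructed for this example)
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
"""

if __name__ == "__main__":
    settings = parse_conf(INSTALLER_CONF)
    for key, findings in audit_conf(INSTALLER_CONF).items():
        print(f"{key} = {settings[key]}")
        for finding in findings:
            print(f"  - {finding}")
        fixed = ", ".join(recommended(plugin_list(settings[key])))
        print(f"  recommended: {key} = {fixed}")
```

Only keys that are explicitly set are audited: a key that is absent from the file falls back to the shipped default, which for AuthClient is the order the issue already calls sufficient. The script says nothing about UserManager, and it does not check whether the security database has actually been initialised for Srp, which is the separate problem discussed earlier in the thread.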
[Firebird-devel] Firebird 4 beta 1 Windows installer says it is suitable for production use
The Firebird 4 beta 1 installer says (information after install):

"""
Firebird 4.0 has undergone extensive testing and is
intended for widespread production use. However, users
are recommended to follow standard practices before
deploying this release on a production server.
"""

For the next beta we should probably tweak this to say it is **NOT** intended for widespread production use.

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel