Discussion:
[Firebird-devel] Connecting to Firebird 3
Mark Rotteveel
2012-04-18 17:55:45 UTC
I just installed Firebird 3 from the Windows x64 zip kit, but I am
unable to authenticate using FlameRobin, or using Jaybird.

I consequently get the error:
---------------------------
Unhandled Error in FlameRobin
---------------------------
*** IBPP::SQLException ***
Context: Database::Connect
Message: isc_attach_database failed

SQL Message : -902
Unsuccessful execution caused by a system error that precludes
successful execution of subsequent statements

Engine Code : 335544472
Engine Message :
Your user name and password are not defined. Ask your database
administrator to set up a Firebird login.

---------------------------
OK
---------------------------

I already added sysdba / masterkey using gsec -add sysdba -pw masterkey.

In the conf file I have uncommented:
AuthClient = Srp, Win_Sspi, Legacy_Auth

Am I missing an additional step to get things working with legacy
authentication?
--
Mark Rotteveel
Dmitry Yemanov
2012-04-18 18:20:14 UTC
Post by Mark Rotteveel
I just installed Firebird 3 from the Windows x64 zip kit, but I am
unable to authenticate using FlameRobin, or using Jaybird.
What fbclient version is loaded by FlameRobin?
Post by Mark Rotteveel
AuthClient = Srp, Win_Sspi, Legacy_Auth
Try this:
AuthClient = Legacy_Auth, Win_Sspi, Srp


Dmitry
Mark Rotteveel
2012-04-18 18:36:04 UTC
Post by Dmitry Yemanov
Post by Mark Rotteveel
I just installed Firebird 3 from the Windows x64 zip kit, but I am
unable to authenticate using FlameRobin, or using Jaybird.
What fbclient version is loaded by FlameRobin?
Post by Mark Rotteveel
AuthClient = Srp, Win_Sspi, Legacy_Auth
AuthClient = Legacy_Auth, Win_Sspi, Srp
Tried that, didn't work.

BTW: I also tried a suggestion in a post from 31-01-2011 (by Alex):
"Understood. This is problem in windows packaging.
To make it work right now please add to the firebird root dir file
plugins.conf with the following 3 lines:
Plugin = Legacy_Auth
{
Module = $(root)/plugins/user_management
}"

Doing this just makes the Firebird service and instsvc hang on startup.
--
Mark Rotteveel
Vlad Khorsun
2012-04-18 18:30:56 UTC
Post by Mark Rotteveel
AuthClient = Srp, Win_Sspi, Legacy_Auth
This is a client setting.
Post by Mark Rotteveel
Am I missing an additional step to get things working with legacy
authentication?
Add Legacy_Auth to the AuthServer setting

Regards,
Vlad
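The firebird.conf change Vlad describes, shown as an added example that is not part of the original thread. The first fragment reproduces the client-only edit from the report; the second adds the server-side list. The commented-out `AuthServer = Srp` default is an assumption about the shipped configuration, not something stated in the thread.

```ini
# Before: only the client list was edited. The server still offers its
# default plugin list (assumed here to be Srp only), so a client that can
# only speak Legacy_Auth is refused with engine code 335544472,
# "Your user name and password are not defined".
AuthClient = Srp, Win_Sspi, Legacy_Auth
#AuthServer = Srp

# After: the server also accepts the legacy plugin. Plugins are listed in
# the order they are offered, so Srp stays preferred and Legacy_Auth is
# only used by clients that cannot do better.
AuthServer = Srp, Legacy_Auth
AuthClient = Srp, Win_Sspi, Legacy_Auth
```

Legacy_Auth exists for compatibility only: as Alex notes later in the thread, the legacy hash adds no security over a clear-text password on the wire, so the server-side entry is worth removing once all clients (Jaybird included) can use Srp.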
Mark Rotteveel
2012-04-18 18:39:21 UTC
Post by Vlad Khorsun
Post by Mark Rotteveel
AuthClient = Srp, Win_Sspi, Legacy_Auth
This is a client setting.
Post by Mark Rotteveel
Am I missing an additional step to get things working with legacy
authentication?
Add Legacy_Auth to the AuthServer setting
Thanks, I had overlooked that setting, I thought both lines started with
AuthClient and had wondered why it was shown twice :|

Mark
--
Mark Rotteveel
Mark Rotteveel
2012-04-18 18:41:20 UTC
Post by Mark Rotteveel
Post by Vlad Khorsun
Post by Mark Rotteveel
AuthClient = Srp, Win_Sspi, Legacy_Auth
This is a client setting.
Post by Mark Rotteveel
Am I missing an additional step to get things working with legacy
authentication?
Add Legacy_Auth to the AuthServer setting
Thanks, I had overlooked that setting, I thought both lines started with
AuthClient and had wondered why it was shown twice :|
Actually: I celebrated too soon. This solves the problem for FlameRobin,
but not for Jaybird.

Mark
--
Mark Rotteveel
Mark Rotteveel
2012-04-18 20:07:29 UTC
Post by Mark Rotteveel
Post by Mark Rotteveel
Post by Vlad Khorsun
Post by Mark Rotteveel
AuthClient = Srp, Win_Sspi, Legacy_Auth
This is a client setting.
Post by Mark Rotteveel
Am I missing an additional step to get things working with legacy
authentication?
Add Legacy_Auth to the AuthServer setting
Thanks, I had overlooked that setting, I thought both lines started with
AuthClient and had wondered why it was shown twice :|
Actually: I celebrated too soon. This solves the problem for FlameRobin,
but not for Jaybird.
It looks like Jaybird uses an authentication mechanism that is no longer
supported with Firebird 3:

Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.

I did manage to connect using the native Jaybird (with a 2.5 client
library).

Mark
--
Mark Rotteveel
Dmitry Yemanov
2012-04-19 03:58:22 UTC
Post by Mark Rotteveel
It looks like Jaybird uses an authentication mechanism that is no longer
Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.
Nice catch. As far as I see, we don't support authentication with plain
(unhashed) passwords anymore. I don't remember whether it was intended
or not, but it's surely a regression. I hope Alex will comment with more
details later today.


Dmitry
Александр Пешков
2012-04-19 05:35:13 UTC
Post by Mark Rotteveel
It looks like Jaybird uses an authentication mechanism that is no longer
Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.
I did manage to connect using the native Jaybird (with a 2.5 client
library).
Looks like
Mark Rotteveel
2012-04-19 07:22:14 UTC
Post by Mark Rotteveel
It looks like Jaybird uses an authentication mechanism that is no longer
Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.
I did manage to connect using the native Jaybird (with a 2.5 client
library).
Looks like I've really killed that authentication method. Will fix.
Thanks. I also created a ticket to see if it is easy to change Jaybird to
use the hashed authentication for Jaybird 2.2, but I don't want to do major
changes in the wire protocol for Jaybird 2.2 (I had that planned for 2.3).
Dmitry Yemanov
2012-04-19 07:36:15 UTC
Post by Mark Rotteveel
Thanks. I also created a ticket to see if it is easy to change Jaybird to
use the hashed authentication for Jaybird 2.2, but I don't want to do major
changes in the wire protocol for Jaybird 2.2 (I had that planned for 2.3).
It has very little to do with the wire protocol. It's just a matter of
using isc_dpb_password_enc instead of isc_dpb_password during connection
time, and hashing the string manually. It will be compatible with all
IB/FB versions existing out there.


Dmitry
Mark Rotteveel
2012-04-19 08:02:59 UTC
Post by Dmitry Yemanov
Post by Mark Rotteveel
Thanks. I also created a ticket to see if it is easy to change Jaybird to
use the hashed authentication for Jaybird 2.2, but I don't want to do major
changes in the wire protocol for Jaybird 2.2 (I had that planned for 2.3).
It has very little to do with the wire protocol. It's just a matter of
using isc_dpb_password_enc instead of isc_dpb_password during connection
time, and hashing the string manually. It will be compatible with all
IB/FB versions existing out there.
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?

Mark
Dmitry Yemanov
2012-04-19 08:17:09 UTC
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).


Dmitry
Kjell Rilbe
2012-04-19 08:23:16 UTC
Post by Dmitry Yemanov
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).
Er... I am a real novice when it comes to security, but perhaps you in
the dev team should read this, which has something to say about password
hashes based on DES (too fast):

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

I've also seen mention of Rfc2898, which seems to be a good option for
password hashes.

Kjell
--
--------------------------------------
Kjell Rilbe
DataDIA AB
E-post: ***@datadia.se
Telefon: 08-761 06 55
Mobil: 0733-44 24 64
Mark Rotteveel
2012-04-19 08:28:22 UTC
Post by Kjell Rilbe
Post by Dmitry Yemanov
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).
Er... I am a real novice when it comes to security, but perhaps you in
the dev team should read this, which has something to say about password
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Post by Kjell Rilbe
I've also seen mention of Rfc2898, which seems to be a good option for
password hashes.
We are discussing the legacy password hash, that is being used by Firebird
2.5 and earlier (and if I understand Dmitry correctly: has been in use
since before IB6). Firebird 3 will use SRP
(http://www.ietf.org/rfc/rfc2945.txt ) for secure authentication.

Mark
Mark Rotteveel
2012-04-19 18:48:06 UTC
Post by Dmitry Yemanov
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).
Is it standard DES, or a modification?

Mark
--
Mark Rotteveel
Alex Peshkoff
2012-04-20 06:40:29 UTC
Post by Mark Rotteveel
Post by Dmitry Yemanov
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).
Is it standard DES, or a modification?
Mark, I'm not absolutely sure what kind of DES is used, and to tell the truth
I do not care too much. I think you should not worry about implementing it
in Java client - it anyway adds absolutely no security compared with
sending clear password over the wire. And I will fix FB3 to accept it.

It's much more useful to decide what to do with SRP. And (taking wider
look at it) - will it be possible to load client parts of plugins by
Java client?
Mark Rotteveel
2012-04-20 07:10:41 UTC
Post by Alex Peshkoff
Post by Mark Rotteveel
Post by Dmitry Yemanov
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).
Is it standard DES, or a modification?
Mark, I'm not absolutely sure what kind of DES is used, and to tell the truth
I do not care too much. I think you should not worry about implementing it
in Java client - it anyway adds absolutely no security compared with
sending clear password over the wire. And I will fix FB3 to accept it.
I had a look yesterday and I couldn't easily find out if it was standard
DES; comparing some Java DES implementations I did find commonalities, but
some of the operations (and optimizations?) and pointer magic done are hard
to follow if you are not that well-versed in C. I also saw that most DES
implementations do not use a salt, which makes it harder to follow. Other
examples refer to the use of the DES implementation in the Java API (of
which the source is not directly available; I will need to check the
OpenJDK or BouncyCastle sources).

I am going to think it over, not having to implement it is of course far
easier.
Post by Alex Peshkoff
It's much more useful to decide what to do with SRP. And (taking wider
look at it) - will it be possible to load client parts of plugins by
Java client?
Technically yes, but most Java developers usually do not want to bother
with the hassle that is involved with using native libraries. So a pure
Java implementation will be needed.

Mark
Alex Peshkoff
2012-04-20 07:19:18 UTC
Post by Dmitry Yemanov
Post by Alex Peshkoff
Post by Mark Rotteveel
Post by Dmitry Yemanov
Post by Mark Rotteveel
Ok, that sounds relatively easy. What is the hashing algorithm, and where
in the Firebird sources can I find its implementation?
Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
(pre-FB3) or in /src/common/ (trunk).
Is it standard DES, or a modification?
Mark, I'm not absolutely sure what kind of DES is used, and to tell the truth
I do not care too much. I think you should not worry about implementing it
in Java client - it anyway adds absolutely no security compared with
sending clear password over the wire. And I will fix FB3 to accept it.
I had a look yesterday and I couldn't easily find out if it was standard
DES; comparing some Java DES implementations I did find commonalities, but
some of the operations (and optimizations?) and pointer magic done are hard
to follow if you are not that well-versed in C. I also saw that most DES
implementations do not use a salt, which makes it harder to follow. Other
examples refer to the use of the DES implementation in the Java API (of
which the source is not directly available; I will need to check the
OpenJDK or BouncyCastle sources).
I am going to think it over, not having to implement it is of course far
easier.
The main problem is that I do not know a good reason to waste time
implementing it ...
Post by Dmitry Yemanov
Post by Alex Peshkoff
It's much more useful to decide what to do with SRP. And (taking wider
look at it) - will it be possible to load client parts of plugins by
Java client?
Technically yes, but most Java developers usually do not want to bother
with the hassle that is involved with using native libraries. So a pure
Java implementation will be needed.
Certainly it will be great to have a Java implementation of SRP. BTW, I
rewrote it from Jim's Java code :-)

But in a case when one has some authentication plugin it will be very
useful to learn to load it in order not to rewrite it to Java.
Mark Rotteveel
2012-04-20 07:33:04 UTC
Post by Alex Peshkoff
Post by Mark Rotteveel
I am going to think it over, not having to implement it is of course far
easier.
The main problem is that I do not know a good reason to waste time
implementing it ...
The challenge to get it to work of course ;)
Post by Alex Peshkoff
Post by Mark Rotteveel
Post by Alex Peshkoff
It's much more useful to decide what to do with SRP. And (taking wider
look at it) - will it be possible to load client parts of plugins by
Java client?
Technically yes, but most Java developers usually do not want to bother
with the hassle that is involved with using native libraries. So a pure
Java implementation will be needed.
Certainly it will be great to have a Java implementation of SRP. BTW, I
rewrote it from Jim's Java code :-)
But in a case when one has some authentication plugin it will be very
useful to learn to load it in order not to rewrite it to Java.
I see what you mean. I will add it to my list of things to investigate. Of
course the 'workaround' would be that if you do need a native plugin to
authenticate, then you could just as well use the Type 2 (native) driver.
This uses fbclient, which - I assume - should be able to load the plugin by
itself.

Mark
Alex Peshkoff
2012-04-20 11:23:11 UTC
Post by Mark Rotteveel
Post by Alex Peshkoff
Post by Mark Rotteveel
I am going to think it over, not having to implement it is of course far
easier.
The main problem is that I do not know a good reason to waste time
implementing it ...
The challenge to get it to work of course ;)
But the problem is not on the client side - it's the server that has a broken
legacy protocol. Therefore I, not you, should fix this. And I plan to do
it quite soon.
Alex Peshkoff
2012-04-23 09:46:45 UTC
Post by Mark Rotteveel
It looks like Jaybird uses an authentication mechanism that is no longer
Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.
I did manage to connect using the native Jaybird (with a 2.5 client
library).
Looks like I've really killed that authentication method. Will fix.
Please check it now. Should work.
Mark Rotteveel
2012-04-25 07:48:08 UTC
Post by Alex Peshkoff
Post by Mark Rotteveel
It looks like Jaybird uses an authentication mechanism that is no longer
Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.
I did manage to connect using the native Jaybird (with a 2.5 client
library).
Looks like I've really killed that authentication method. Will fix.
Please check it now. Should work.
As far as I can see this change is not yet in the Windows snapshot build
(just looking at the ChangeLog).

Mark
--
Mark Rotteveel
Dmitry Yemanov
2012-04-25 18:18:56 UTC
Post by Mark Rotteveel
As far as I can see this change is not yet in the Windows snapshot build
(just looking at the ChangeLog).
Windows snapshot builds were (and maybe still are) broken, so it may
take a day or so to recover them.


Dmitry
Mark Rotteveel
2012-04-28 09:57:24 UTC
Post by Alex Peshkoff
Post by Mark Rotteveel
It looks like Jaybird uses an authentication mechanism that is no longer
Hex dump from wireshark for both Jaybird (fails) and Flamerobin
(succeeds) is attached. The most obvious thing I notice is that Jaybird sends
the password in the clear and Flamerobin doesn't.
I did manage to connect using the native Jaybird (with a 2.5 client
library).
Looks like I've really killed that authentication method. Will fix.
Please check it now. Should work.
Tested it against Firebird-3.0.0.29945-0_x64 on Windows 7: plain text
authentication works again.

Mark
--
Mark Rotteveel
Claudio Valderrama C.
2012-04-19 08:59:01 UTC
-----Original Message-----
Sent: Wednesday, 18 April 2012 23:58
Nice catch. As far as I see, we don't support authentication with plain
(unhashed) passwords anymore. I don't remember whether it was intended
or not, but it's surely a regression. I hope Alex will comment with more
details later today.
Do we really need to keep it?

C.
Dmitry Yemanov
2012-04-19 08:05:25 UTC
Post by Claudio Valderrama C.
Do we really need to keep it?
We surely don't want all the existing Jaybird installations to stop working.


Dmitry