Re: [Firebird-devel] Connecting to Firebird 3
On 23-4-2012 11:46, Alex Peshkoff wrote:
> On 04/19/12 09:35, Александр Пешков wrote:
>>> It looks like Jaybird uses an authentication mechanism that is no longer supported with Firebird 3: Hex dump from wireshark for both Jaybird (fails) and Flamerobin (succeeds) is attached. Most obvious thing I notice is that Jaybird sends the password in the clear and Flamerobin doesn't. I did manage to connect using the native Jaybird (with a 2.5 client library).
>> Looks like I've really killed that authentication method. Will fix.
> Please check it now. Should work.

Tested it against Firebird-3.0.0.29945-0_x64 on Windows 7: plain text authentication works again.

Mark
--
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Connecting to Firebird 3
On 23-4-2012 11:46, Alex Peshkoff wrote:
> On 04/19/12 09:35, Александр Пешков wrote:
>>> It looks like Jaybird uses an authentication mechanism that is no longer supported with Firebird 3: Hex dump from wireshark for both Jaybird (fails) and Flamerobin (succeeds) is attached. Most obvious thing I notice is that Jaybird sends the password in the clear and Flamerobin doesn't. I did manage to connect using the native Jaybird (with a 2.5 client library).
>> Looks like I've really killed that authentication method. Will fix.
> Please check it now. Should work.

As far as I can see this change is not yet in the Windows snapshot build (just looking at the ChangeLog).

Mark
--
Mark Rotteveel
Re: [Firebird-devel] Connecting to Firebird 3
On 04/19/12 22:48, Mark Rotteveel wrote:
> On 19-4-2012 10:17, Dmitry Yemanov wrote:
>> 19.04.2012 12:02, Mark Rotteveel wrote:
>>> Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?
>> Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/ (pre-FB3) or in /src/common/ (trunk).
> Is it standard DES, or a modification?

Mark, I'm not absolutely sure what kind of DES is used, and to tell the truth do not care too much. I think you should not worry about implementing it in Java client - it anyway adds absolutely no security compared with sending clear password over the wire. And I will fix FB3 to accept it.

It's much more useful to decide what to do with SRP. And (taking wider look at it) - will it be possible to load client parts of plugins by Java client?
Re: [Firebird-devel] Connecting to Firebird 3
On Fri, 20 Apr 2012 10:40:29 +0400, Alex Peshkoff peshk...@mail.ru wrote:
> On 04/19/12 22:48, Mark Rotteveel wrote:
>> On 19-4-2012 10:17, Dmitry Yemanov wrote:
>>> 19.04.2012 12:02, Mark Rotteveel wrote:
>>>> Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?
>>> Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/ (pre-FB3) or in /src/common/ (trunk).
>> Is it standard DES, or a modification?
> Mark, I'm not absolutely sure what kind of DES is used, and to tell the truth do not care too much. I think you should not worry about implementing it in Java client - it anyway adds absolutely no security compared with sending clear password over the wire. And I will fix FB3 to accept it.

I had a look yesterday and I couldn't easily find out if it was standard DES; comparing some Java DES implementations I did find commonalities, but some of the operations (and optimizations?) and pointer magic done are hard to follow if you are not that well-versed in C. I also saw that most DES implementations do not use a salt, which makes it harder to follow. Other examples refer to the use of the DES implementation in the Java API (of which the source is not directly available; I will need to check the OpenJDK or BouncyCastle sources).

I am going to think it over, not having to implement it is of course far easier.

> It's much more useful to decide what to do with SRP. And (taking wider look at it) - will it be possible to load client parts of plugins by Java client?

Technically yes, but most Java developers usually do not want to bother with the hassle that is involved with using native libraries. So a pure Java implementation will be needed.

Mark
Re: [Firebird-devel] Connecting to Firebird 3
19.04.2012 11:22, Mark Rotteveel wrote:
> Thanks. I also created a ticket to see if it is easy to change Jaybird to use the hashed authentication for Jaybird 2.2, but I don't want to do major changes in the wire protocol for Jaybird 2.2 (I had that planned for 2.3).

It has very little to do with the wire protocol. It's just a matter of using isc_dpb_password_enc instead of isc_dpb_password during connection time, and hashing the string manually. It will be compatible with all IB/FB versions existing out there.

Dmitry
Re: [Firebird-devel] Connecting to Firebird 3
On Thu, 19 Apr 2012 11:36:15 +0400, Dmitry Yemanov firebi...@yandex.ru wrote:
> 19.04.2012 11:22, Mark Rotteveel wrote:
>> Thanks. I also created a ticket to see if it is easy to change Jaybird to use the hashed authentication for Jaybird 2.2, but I don't want to do major changes in the wire protocol for Jaybird 2.2 (I had that planned for 2.3).
> It has very little to do with the wire protocol. It's just a matter of using isc_dpb_password_enc instead of isc_dpb_password during connection time, and hashing the string manually. It will be compatible with all IB/FB versions existing out there.

Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?

Mark
Re: [Firebird-devel] Connecting to Firebird 3
19.04.2012 12:59, Claudio Valderrama C. wrote:
> Do we really need to keep it?

We surely don't want all the existing Jaybird installations to stop working.

Dmitry
Re: [Firebird-devel] Connecting to Firebird 3
19.04.2012 12:02, Mark Rotteveel wrote:
> Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?

Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/ (pre-FB3) or in /src/common/ (trunk).

Dmitry
Re: [Firebird-devel] Connecting to Firebird 3
On 2012-04-19 10:17, Dmitry Yemanov wrote:
> 19.04.2012 12:02, Mark Rotteveel wrote:
>> Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?
> Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/ (pre-FB3) or in /src/common/ (trunk).

Er... I am a real novice when it comes to security, but perhaps you in the dev team should read this, which has something to say about password hashes based on DES (too fast):

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

I've also seen mention of Rfc2898, which seems to be a good option for password hashes.

Kjell
--
Kjell Rilbe
DataDIA AB
E-mail: kj...@datadia.se
Phone: 08-761 06 55
Mobile: 0733-44 24 64
Re: [Firebird-devel] Connecting to Firebird 3
On Thu, 19 Apr 2012 10:23:16 +0200, Kjell Rilbe kjell.ri...@datadia.se wrote:
> On 2012-04-19 10:17, Dmitry Yemanov wrote:
>> 19.04.2012 12:02, Mark Rotteveel wrote:
>>> Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?
>> Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/ (pre-FB3) or in /src/common/ (trunk).
> Er... I am a real novice when it comes to security, but perhaps you in the dev team should read this, which has something to say about password hashes based on DES (too fast):
> http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
> I've also seen mention of Rfc2898, which seems to be a good option for password hashes.

We are discussing the legacy password hash, that is being used by Firebird 2.5 and earlier (and if I understand Dmitry correctly: has been in use since before IB6). Firebird 3 will use SRP (http://www.ietf.org/rfc/rfc2945.txt) for secure authentication.

Mark
Re: [Firebird-devel] Connecting to Firebird 3
On 19-4-2012 10:17, Dmitry Yemanov wrote:
> 19.04.2012 12:02, Mark Rotteveel wrote:
>> Ok, that sounds relatively easy. What is the hashing algorithm, and where in the Firebird sources can I find its implementation?
> Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/ (pre-FB3) or in /src/common/ (trunk).

Is it standard DES, or a modification?

Mark
--
Mark Rotteveel
Re: [Firebird-devel] Connecting to Firebird 3
18.04.2012 21:55, Mark Rotteveel wrote:
> I just installed Firebird 3 from the Windows x64 zip kit, but I am unable to authenticate using FlameRobin, or using Jaybird.

What fbclient version is loaded by FlameRobin?

> In the conf file I have uncommented:
> AuthClient = Srp, Win_Sspi, Legacy_Auth

Try this:
AuthClient = Legacy_Auth, Win_Sspi, Srp

Dmitry
Re: [Firebird-devel] Connecting to Firebird 3
On 18-4-2012 20:20, Dmitry Yemanov wrote:
> 18.04.2012 21:55, Mark Rotteveel wrote:
>> I just installed Firebird 3 from the Windows x64 zip kit, but I am unable to authenticate using FlameRobin, or using Jaybird.
> What fbclient version is loaded by FlameRobin?
>> In the conf file I have uncommented:
>> AuthClient = Srp, Win_Sspi, Legacy_Auth
> Try this:
> AuthClient = Legacy_Auth, Win_Sspi, Srp

Tried that, didn't work.

BTW: I also tried a suggestion in a post from 31-01-2011 (by Alex):

> Understood. This is problem in windows packaging. To make it work right now please add to the firebird root dir file plugins.conf with the following 3 lines:
> Plugin = Legacy_Auth {
>     Module = $(root)/plugins/user_management
> }

Doing this just makes the Firebird service and instsvc hang on startup.

--
Mark Rotteveel
Re: [Firebird-devel] Connecting to Firebird 3
On 18-4-2012 20:30, Vlad Khorsun wrote:
>> In the conf file I have uncommented:
>> AuthClient = Srp, Win_Sspi, Legacy_Auth
> This is client setting.
>> Am I missing an additional step to get things working with legacy authentication?
> Add Legacy_Auth to the AuthServer setting

Thanks, I had overlooked that setting, I thought both lines started with AuthClient and had wondered why it was shown twice :|

Mark
--
Mark Rotteveel
Re: [Firebird-devel] Connecting to Firebird 3
On 18-4-2012 20:39, Mark Rotteveel wrote:
> On 18-4-2012 20:30, Vlad Khorsun wrote:
>>> In the conf file I have uncommented:
>>> AuthClient = Srp, Win_Sspi, Legacy_Auth
>> This is client setting.
>>> Am I missing an additional step to get things working with legacy authentication?
>> Add Legacy_Auth to the AuthServer setting
> Thanks, I had overlooked that setting, I thought both lines started with AuthClient and had wondered why it was shown twice :|

Actually: I celebrated too soon. This solves the problem for FlameRobin, but not for Jaybird.

Mark
--
Mark Rotteveel
Re: [Firebird-devel] Connecting to Firebird 3
On 18-4-2012 20:41, Mark Rotteveel wrote:
> On 18-4-2012 20:39, Mark Rotteveel wrote:
>> On 18-4-2012 20:30, Vlad Khorsun wrote:
>>>> In the conf file I have uncommented:
>>>> AuthClient = Srp, Win_Sspi, Legacy_Auth
>>> This is client setting.
>>>> Am I missing an additional step to get things working with legacy authentication?
>>> Add Legacy_Auth to the AuthServer setting
>> Thanks, I had overlooked that setting, I thought both lines started with AuthClient and had wondered why it was shown twice :|
> Actually: I celebrated too soon. This solves the problem for FlameRobin, but not for Jaybird.

It looks like Jaybird uses an authentication mechanism that is no longer supported with Firebird 3: Hex dump from wireshark for both Jaybird (fails) and Flamerobin (succeeds) is attached. Most obvious thing I notice is that Jaybird sends the password in the clear and Flamerobin doesn't.

I did manage to connect using the native Jaybird (with a 2.5 client library).

Mark
--
Mark Rotteveel
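The comparison made by eye in the message above, as an added example that is not part of the thread and is not Firebird or Jaybird code: it parses an op_attach payload and reports whether the database parameter buffer carries isc_dpb_password or isc_dpb_password_enc, the two forms named elsewhere in this thread. It assumes the version-1 DPB layout (tag, one length byte, value) and the numeric values from Firebird's public headers; the sample packets, path, user name and credential strings are constructed.

```python
import struct

OP_ATTACH = 19              # wire opcode: attach to a database
ISC_DPB_VERSION1 = 1
ISC_DPB_USER_NAME = 28
ISC_DPB_PASSWORD = 29       # password exactly as typed
ISC_DPB_PASSWORD_ENC = 30   # legacy hash (ENC_crypt() in the thread)

def _xdr_opaque(buf, pos):
    """Read an XDR byte string: 4-byte length, data, padded to a multiple of 4."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 4:end], end + (-n % 4)

def parse_dpb(dpb):
    """Split a version-1 DPB into {tag: value}; items are tag, length byte, value."""
    if not dpb or dpb[0] != ISC_DPB_VERSION1:
        raise ValueError("not a version-1 DPB")
    items, pos = {}, 1
    while pos < len(dpb):
        if pos + 2 > len(dpb) or pos + 2 + dpb[pos + 1] > len(dpb):
            raise ValueError("truncated DPB item")
        tag, n = dpb[pos], dpb[pos + 1]
        items[tag] = dpb[pos + 2:pos + 2 + n]
        pos += 2 + n
    return items

def credential_form(payload):
    """Return (user, form); form is 'cleartext', 'legacy-hash' or 'none'."""
    if len(payload) < 8 or struct.unpack_from(">I", payload)[0] != OP_ATTACH:
        raise ValueError("not an op_attach packet")
    _filename, pos = _xdr_opaque(payload, 8)   # skip opcode and object id
    dpb, _ = _xdr_opaque(payload, pos)
    items = parse_dpb(dpb)
    user = items.get(ISC_DPB_USER_NAME, b"").decode("latin-1")
    if ISC_DPB_PASSWORD in items:
        return user, "cleartext"
    if ISC_DPB_PASSWORD_ENC in items:
        return user, "legacy-hash"
    return user, "none"

def build_attach(filename, dpb_items):
    """Build a constructed op_attach payload for the demonstration."""
    def opaque(b):
        return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)
    dpb = bytes([ISC_DPB_VERSION1]) + b"".join(
        bytes([tag, len(v)]) + v for tag, v in dpb_items)
    return struct.pack(">II", OP_ATTACH, 0) + opaque(filename) + opaque(dpb)

# Constructed samples: path, user, password and hash text are placeholders.
PLAIN = build_attach(b"/data/test.fdb", [(ISC_DPB_USER_NAME, b"appuser"),
                                         (ISC_DPB_PASSWORD, b"example-pw")])
HASHED = build_attach(b"/data/test.fdb", [(ISC_DPB_USER_NAME, b"appuser"),
                                          (ISC_DPB_PASSWORD_ENC, b"HASHEDVALUE")])

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("hashed", HASHED)):
        print(label, credential_form(pkt))
```

Both forms are visible to anyone who can read the traffic, so the result is useful for inventorying which clients still depend on legacy authentication before moving a server to SRP only.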
Re: [Firebird-devel] Connecting to Firebird 3
19.04.2012 0:07, Mark Rotteveel wrote:
> It looks like Jaybird uses an authentication mechanism that is no longer supported with Firebird 3: Hex dump from wireshark for both Jaybird (fails) and Flamerobin (succeeds) is attached. Most obvious thing I notice is that Jaybird sends the password in the clear and Flamerobin doesn't.

Nice catch. As far as I see, we don't support authentication with plain (unhashed) passwords anymore. I don't remember whether it was intended or not, but it's surely a regression. I hope Alex will comment with more details later today.

Dmitry
Re: [Firebird-devel] Connecting to Firebird 3
> It looks like Jaybird uses an authentication mechanism that is no longer supported with Firebird 3: Hex dump from wireshark for both Jaybird (fails) and Flamerobin (succeeds) is attached. Most obvious thing I notice is that Jaybird sends the password in the clear and Flamerobin doesn't. I did manage to connect using the native Jaybird (with a 2.5 client library).

Looks like I've really killed that authentication method. Will fix.