Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Mark Rotteveel
On Thu, 05 Nov 2015 12:29:12 +0100, Paul Reeves wrote:
>> Parameter UserManager in it sets plugin used to work with security
>> database.
>> If more than one plugin is given, first plugin from the list is used by
>> default when changing user and all that plugins are used to list users in
>> sec$users pseudo table.
> 
> This is something that I haven't fully understood in the Release Notes. If I
> understand correctly the first plugin is the only one used for
> authentication.
> I originally thought that the server would go through the list one by one
> until it found a plugin that worked.

No, for authentication, the entire (authentication) plugin list is used,
but for user management, only the first (user manager) plugin in the list
is used.

Mark

--
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel


Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Alex Peshkoff
On 11/05/2015 02:29 PM, Paul Reeves wrote:
> On Thursday 05 Nov 2015 13:49:26 Alex Peshkoff wrote:
>> On 11/04/2015 11:45 AM, Paul Reeves wrote:
>>> So the question is this - can the authentication method be switched
>>> between
>>> srp and legacy without modifying security3.fdb?
>> Paul, switching authentication method does not require modification of
>> security3.fdb - only firebird.conf.
> That is good to know. Although as I mentioned in my reply to Mark yesterday, I
> think it will be best if the installer doesn't get involved with this if it
> detects an existing security3.fdb.

Yes - definitely.
Moreover, all management plugins are supposed to be designed to
create/upgrade the data structures they require themselves.

>> Parameter UserManager in it sets plugin used to work with security database.
>> If more than one plugin is given, first plugin from the list is used by
>> default when changing user and all that plugins are used to list users in
>> sec$users pseudo table.
> This is something that I haven't fully understood in the Release Notes. If I
> understand correctly the first plugin is the only one used for authentication.

If you do not use the plugin control clause - yes.

> I originally thought that the server would go through the list one by one
> until it found a plugin that worked.

That's how authentication and providers work, but for management such a
mode is not good.
Imagine that one can issue the identical CREATE USER command twice, but
with different passwords, adding users with different passwords in different
plugins. I do not think it's a good idea.

>
> The only time the list is used is when querying the sec$users table.
>
> I think this distinction needs to be made clearer.
>
>> Using SQL to manage users you may choose non-default plugin from the
>> list of available with "USING PLUGIN name" clause in create/alter/drop
>> user statement.
>
> Yes, I know this is in the release notes, but I haven't yet started to do
> anything at that level. I've just been working on getting the security
> database correctly initialised for SRP and legacy auth. But if I understand
> correctly if we have this setting for UserManager:
>
>UserManager = srp, legacy_auth
>
> we can then use this to add SYSDBA for legacy_auth:
>
>
>isql>  create user SYSDBA password 'SomethingCryptic'
>  using plugin legacy_auth;
>
>
> instead of the old method of calling gsec.

Yes, this should work.
Except one detail - I've tried to keep legacy auth as 'old-style' as
possible, and SYSDBA for it is pre-created in the security database, with
the old password 'masterke'. I.e. you will not be able to create user sysdba
a second time. But with SQL you may use CREATE OR ALTER, which will work
like for any other DDL.




Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Paul Reeves
On Thursday 05 Nov 2015 13:49:26 Alex Peshkoff wrote:
> On 11/04/2015 11:45 AM, Paul Reeves wrote:
> > So the question is this - can the authentication method be switched
> > between
> > srp and legacy without modifying security3.fdb?
> 
> Paul, switching authentication method does not require modification of
> security3.fdb - only firebird.conf. 

That is good to know. Although as I mentioned in my reply to Mark yesterday, I 
think it will be best if the installer doesn't get involved with this if it 
detects an existing security3.fdb.

> Parameter UserManager in it sets plugin used to work with security database.
> If more than one plugin is given, first plugin from the list is used by
> default when changing user and all that plugins are used to list users in
> sec$users pseudo table.

This is something that I haven't fully understood in the Release Notes. If I 
understand correctly the first plugin is the only one used for authentication. 
I originally thought that the server would go through the list one by one 
until it found a plugin that worked. 

The only time the list is used is when querying the sec$users table.

I think this distinction needs to be made clearer.

> Using SQL to manage users you may choose non-default plugin from the
> list of available with "USING PLUGIN name" clause in create/alter/drop
> user statement.


Yes, I know this is in the release notes, but I haven't yet started to do 
anything at that level. I've just been working on getting the security 
database correctly initialised for SRP and legacy auth. But if I understand 
correctly if we have this setting for UserManager:

  UserManager = srp, legacy_auth

we can then use this to add SYSDBA for legacy_auth:


  isql>  create user SYSDBA password 'SomethingCryptic' 
using plugin legacy_auth;


instead of the old method of calling gsec. (Which is how the installer is 
currently set up for RC1).



Paul

-- 
Paul Reeves
http://www.ibphoenix.com
Supporting users of Firebird



Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Alex Peshkoff
On 11/04/2015 11:45 AM, Paul Reeves wrote:

> So the question is this - can the authentication method be switched between
> srp and legacy without modifying security3.fdb?
>

Paul, switching authentication method does not require modification of 
security3.fdb - only firebird.conf. Parameter UserManager in it sets 
plugin used to work with security database. If more than one plugin is 
given, first plugin from the list is used by default when changing user 
and all that plugins are used to list users in sec$users pseudo table. 
Using SQL to manage users you may choose non-default plugin from the 
list of available with "USING PLUGIN name" clause in create/alter/drop 
user statement.




Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Mark Rotteveel
On Thu, 5 Nov 2015 16:07:05 +0300, Alex Peshkoff wrote:
> That's how authentication and providers work, but for management such 
> mode is not good.
> Imagine that one can issue identical but with different password command
> CREATE USER twice, adding users with different passwords in different 
> plugins. I do not think it's good idea.

...

> Yes, this should work.
> Except one detail - I've tried to keep legacy auth as 'old-style' as 
> possible, and SYSDBA for it is pre-created in security database. With 
> old password 'masterke'. I.e. you will not be able to create user sysdba
> second time. But with SQL you may use CREATE OR ALTER which will work 
> like for any other DDL.

I have both a Srp and legacy_auth sysdba, so it is possible to create two
users with the same name. Could you clarify what you mean? Or is sysdba an
exception to this?

Mark



Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Alex Peshkoff
On 11/05/2015 07:20 PM, Mark Rotteveel wrote:
> On Thu, 5 Nov 2015 16:07:05 +0300, Alex Peshkoff wrote:
>> That's how authentication and providers work, but for management such
>> mode is not good.
>> Imagine that one can issue identical but with different password command
>> CREATE USER twice, adding users with different passwords in different
>> plugins. I do not think it's good idea.
> ...
>
>> Yes, this should work.
>> Except one detail - I've tried to keep legacy auth as 'old-style' as
>> possible, and SYSDBA for it is pre-created in security database. With
>> old password 'masterke'. I.e. you will not be able to create user sysdba
>> second time. But with SQL you may use CREATE OR ALTER which will work
>> like for any other DDL.
> I have both a Srp and legacy_auth sysdba, so it is possible to create two
> users with the same name. Could you clarify what you mean? Or is sysdba an
> exception to this?

You have removed the sample, but looking closely at it is important for
the answer.

create user SYSDBA password 'SomethingCryptic'
 using plugin legacy_auth;

In the legacy table of users (plg$users) there is already a user sysdba, and
therefore this command will fail. Approximately this way:

# ./isql employee
Database: employee, User: SYSDBA
SQL> create user SYSDBA password 'SomethingCryptic' using plugin 
Legacy_UserManager;
Statement failed, SQLSTATE = 23000
add record error
-violation of PRIMARY or UNIQUE KEY constraint "INTEG_2" on table 
"PLG$USERS"
-Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')
SQL>

For any other user - please, it works.
Or something like this may be done:

SQL> create or alter user SYSDBA password 'SomethingCryptic' using 
plugin Legacy_UserManager;
SQL>



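The workflow the thread describes, written out as an added SQL example (not taken from the posts above or from the Firebird project): with both user managers listed in firebird.conf, CREATE OR ALTER USER ... USING PLUGIN sets the legacy SYSDBA password without hitting the PRIMARY/UNIQUE KEY error on PLG$USERS, and a query over SEC$USERS shows which plugin each SYSDBA row lives in. The plugin names Srp and Legacy_UserManager come from the isql sample above; the AuthServer setting and the SEC$PLUGIN column are my assumptions about Firebird 3 and are not mentioned in the thread, and the password values are placeholders.

```sql
-- firebird.conf fragment (constructed). UserManager is the setting discussed
-- in the thread; AuthServer is assumed to be the matching authentication list.
--   AuthServer  = Srp, Legacy_Auth
--   UserManager = Srp, Legacy_UserManager
--
-- Connected as the Srp SYSDBA. Without USING PLUGIN, user management goes to
-- the first plugin in the UserManager list (Srp), not through the whole list.

-- A plain CREATE USER SYSDBA fails here: Legacy_UserManager pre-creates the
-- SYSDBA row (password 'masterke') in PLG$USERS, so a second insert violates
-- its key (SQLSTATE 23000). CREATE OR ALTER updates the existing row instead,
-- which is how the pre-created legacy SYSDBA gets its real password.
CREATE OR ALTER USER SYSDBA PASSWORD 'REPLACE_WITH_GENERATED_PASSWORD'
    USING PLUGIN Legacy_UserManager;

-- For any other account the plain form works; USING PLUGIN picks the store.
CREATE USER reporting PASSWORD 'REPLACE_WITH_GENERATED_PASSWORD'
    USING PLUGIN Srp;

COMMIT;

-- SEC$USERS merges every plugin in the UserManager list, so a SYSDBA that
-- exists in both Srp and Legacy_UserManager appears twice, once per plugin.
-- (SEC$PLUGIN is assumed to be the column naming the plugin.)
SELECT SEC$USER_NAME, SEC$PLUGIN, SEC$ACTIVE, SEC$ADMIN
  FROM SEC$USERS
 WHERE SEC$USER_NAME = 'SYSDBA'
 ORDER BY SEC$PLUGIN;
```

The final query is the check worth running after an install or re-install: if a Legacy_UserManager row for SYSDBA is present but the legacy password was never changed, the well-known 'masterke' default is still accepted wherever Legacy_Auth is enabled. Where legacy clients are not needed, dropping Legacy_UserManager from UserManager (and Legacy_Auth from AuthServer) removes that account from use altogether.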


Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-05 Thread Alex Peshkoff
On 11/05/2015 04:55 PM, Paul Vinkenoog wrote:
> Alex Peshkoff:
>
>> Except one detail - I've tried to keep legacy auth as 'old-style' as
>> possible, and SYSDBA for it is pre-created in security database. With
>> old password 'masterke'.
> On a side note:
>
> How about generating a random password for legacy SYSDBA on Windows and
> save that in a file, like we do on Posix? It won't hurt anybody, even if
> they expect the old 'masterke', as long as the installer informs them.

I see nothing bad with this.
On the other hand, I do not see much use in it - legacy authentication is
very unsafe anyway :(




Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-04 Thread Mark Rotteveel
On Wed, 04 Nov 2015 09:45:27 +0100, Paul Reeves wrote:
> I think I've nailed down the basic installation requirements for
> configuration of the FB3 security database under windows. On first install
> the user can choose between the new and the legacy authentication methods,
> SYSDBA is added correctly and firebird.conf is updated correctly. So far,
> so good.
> 
> What I haven't got a grip on is how to deal with re-installation or 
> modification. What happens if the user changes authentication? 
> 
> The uninstaller never uninstalls the security database and firebird.conf
> unless the /CLEAN parameter is used. And the installer will leave an
> existing security db and fb.conf intact and deploy the defaults with a
> suitable file suffix so that users can distinguish between 'their' files
> and the defaults that are deployed with firebird.
> 
> So the question is this - can the authentication method be switched
> between srp and legacy without modifying security3.fdb?

You can have two sysdba accounts in security3.fdb, one for Srp and one for
legacy_auth. You need to add the user with the right user manager plugin,
and then both work.

Mark



Re: [Firebird-devel] FB3 and authentication and security3.fdb

2015-11-04 Thread Paul Reeves
On Wednesday 04 Nov 2015 16:25:22 Mark Rotteveel wrote:
> On Wed, 04 Nov 2015 09:45:27 +0100, Paul Reeves wrote:
> > So the question is this - can the authentication method be switched
> > between
> > srp and legacy without modifying security3.fdb?
> 
> You can have two sysdba accounts in security3.fdb, one for Srp and one for
> legacy_auth. 

Thanks, Mark, that's useful to know. And now that you mention it, I recall 
seeing something about this in the release notes.

Frankly, the idea of having two SYSDBAs with possibly different passwords for 
different authentication methods rather boggles my mind. :-) I think it is 
certainly too complicated for a click through install. 

> You need to add the user with the right user manager plugin,
> and then both work.
 
Hmmm - I think that is where I have been having some trouble. I suspect that 
order of plugins in firebird.conf might be important here. 


In the end, I decided that this is no business of the (re)installer. At least 
for RC1. Maybe when things settle down a bit we can review this.

A fresh install will offer the user the chance to create a sysdba username and 
password, or keep the defaults. And they can choose whether to use legacy 
authentication or srp. 

Uninstall will leave firebird.conf and security3.fdb in place. (As before.)

A re-install will detect these and leave the security config untouched. 
Likewise no opportunity will be presented to create/change the sysdba user/pw 
at re-install time. Firebird.conf.default and security3.fdb.empty will be 
deployed for users that want to do a manual configuration later. 

Uninstall /clean will forcibly remove things like firebird.conf and 
security3.fdb if the user wants to start with a clean slate and use the 
installer to reconfigure the security db for them. (Or they can just do a 
fresh install into a new directory.)

The net result of all this is an installation that works with either srp or 
with legacy auth but not both. 

This seems to me to be the simplest and most idiot proof solution.


Paul
-- 
Paul Reeves
http://www.ibphoenix.com
Supporting users of Firebird
