[ 
https://issues.apache.org/jira/browse/DERBY-5651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13230141#comment-13230141
 ] 

Knut Anders Hatlen commented on DERBY-5651:
-------------------------------------------

> If I understand password substitution correctly, it can only be used when the 
> server knows the cleartext password.

That's right. At least that's how it's supposed to be. Derby's implementation 
of password substitution actually also works when it doesn't know the password, 
as long as derby.authentication.builtin.algorithm is null, because it takes a 
shortcut and effectively makes the stored hashed password the password. In 
addition to the weakness of the hash algorithm used when that property is null, 
this also makes it possible for authenticated users to call 
syscs_get_database_property() to get the hashed passwords for other users, and 
use a slightly modified client driver to trick the server into thinking it 
knows the other users' passwords.

> Are you suggesting that we simply remove the substitution logic and raise a 
> warning if securityMechanism=8 is specified?

Yes. I think this mechanism only provides a false sense of security.

> I think that the backward compatibility issues with that change would be 
> minor and acceptable.

That's particularly true after we made derby.authentication.builtin.algorithm 
default to a non-null value in 10.6 and later, so databases created with one of 
these later releases wouldn't allow the use of securityMechanism=8 in the first 
place. So only those with a clear-text user database, or those upgrading from 
10.5 and earlier, should be affected.
                
> Protocol error when connecting to db with NATIVE authentication using strong 
> password substitution
> --------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-5651
>                 URL: https://issues.apache.org/jira/browse/DERBY-5651
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server, Services
>    Affects Versions: 10.9.0.0
>            Reporter: Knut Anders Hatlen
>
> If you connect to a db with native authentication using strong password 
> substitution to protect the password, you'll get a protocol error:
> ij(CONNECTION2)> connect 
> 'jdbc:derby://localhost/db;user=app;password=papp;securityMechanism=8';
> ERROR 08006: A network protocol error was encountered and the connection has 
> been terminated: A PROTOCOL Data Stream Syntax Error was detected.  Reason: 
> 0x18. Plaintext connection attempt to an SSL enabled server?
> I don't think strong password substitution is intended to work with NATIVE, 
> but it should probably fail more gracefully. With BUILTIN, you'll get a more 
> helpful error message:
> ij(CONNECTION5)> connect 
> 'jdbc:derby://localhost/db2;user=app;password=papp;securityMechanism=8';
> ERROR 08004: DERBY SQL error: SQLCODE: -1, SQLSTATE: 08004, SQLERRMC: 
> Connection authentication failure occurred. Either the supplied credentials 
> were invalid, or the database uses a password encryption scheme not 
> compatible with the strong password substitution security mechanism. If this 
> error started after upgrade, refer to the release note for DERBY-4483 for 
> options.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
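
The weakness described in the comment above, as a simplified model (an added example, not part of the original message and not Derby's code): when a challenge-response check is keyed with the stored hash, that stored value is itself a credential. The class and function names, the HMAC-SHA-256 stand-in for the substitute computation, and the PBKDF2 parameters are assumptions made for illustration; the user name and password are the sample values from the issue description.

```python
import hashlib, hmac, os

def substitute(secret, client_seed, server_seed):
    # Stand-in for the substitute computation (assumption: HMAC-SHA-256, not Derby's).
    return hmac.new(secret, client_seed + server_seed, hashlib.sha256).digest()

class SubstitutionServer:
    """Hypothetical server that keys the challenge check with its stored hash."""
    def __init__(self):
        self.stored = {}

    def add_user(self, user, password):
        # The shortcut: the stored hash doubles as the shared secret.
        self.stored[user] = hashlib.sha1(password.encode()).digest()

    def verify(self, user, client_seed, server_seed, response):
        expected = substitute(self.stored[user], client_seed, server_seed)
        return hmac.compare_digest(expected, response)

class VerifierServer:
    """Hypothetical server that re-derives a salted, stretched hash from the password."""
    ITERATIONS = 100_000

    def __init__(self):
        self.stored = {}

    def _derive(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret, salt, self.ITERATIONS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.stored[user] = (salt, self._derive(password.encode(), salt))

    def verify(self, user, presented):
        salt, digest = self.stored[user]
        return hmac.compare_digest(digest, self._derive(presented, salt))

def stored_value_acceptance(user="app", password="papp"):
    """Return (substitution_accepts, verifier_accepts) for a party holding only stored values."""
    sub, ver = SubstitutionServer(), VerifierServer()
    sub.add_user(user, password)
    ver.add_user(user, password)
    client_seed, server_seed = os.urandom(8), os.urandom(8)
    # The response is computed from the stored hash alone; the password is never used.
    response = substitute(sub.stored[user], client_seed, server_seed)
    sub_accepts = sub.verify(user, client_seed, server_seed, response)
    # Presenting the stored digest to a password-verifying server does not authenticate.
    ver_accepts = ver.verify(user, ver.stored[user][1])
    return sub_accepts, ver_accepts
```

In the first design, read access to the stored user values has to be treated as access to the credentials themselves; in the second, the stored value only verifies a password and cannot stand in for one.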

        
