Authentication ends with first plugin that has the user but auth fails; should 
continue with next plugin
-------------------------------------------------------------------------------------------------------

                 Key: CORE-5225
                 URL: http://tracker.firebirdsql.org/browse/CORE-5225
             Project: Firebird Core
          Issue Type: Bug
          Components: API / Client Library, Engine, Security
    Affects Versions: 3.0.0
            Reporter: Mark Rotteveel


Currently when a user exists for multiple authentication plugins, 
authentication ends with the first plugin that has the user when authentication 
fails. Instead it should continue with the next plugin.

A user is identified by username and password; if one of the values is wrong, 
then the user should be considered to not exist. Ending authentication early 
will leak the existence of the user for that plugin; from a security standpoint 
such a leak of information is not acceptable.

The behavior is also confusing, because some valid usernames + passwords will 
allow authentication (e.g. a user that only exists in Legacy_Auth, or only in 
Srp), while other valid usernames + passwords will unexpectedly be rejected. 
This will make it look like you are using the wrong username or password. When 
a user exists in Srp and Legacy_Auth and you use Legacy_Auth, the password 
will be rejected by the Srp plugin, ending authentication.

This is especially relevant during the transition from Firebird 2.5-compatible apps 
+ drivers, but even if we lived in a Firebird 3-only world, it would still be 
necessary (consider third-party authentication plugins that support an 
alternative mode of authentication).

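As an added illustration (not Firebird code), here is a small Python model of the two behaviours described in the report: a plugin chain that stops at the first plugin that knows the user, beside one that keeps trying the remaining plugins and returns the same rejection whether the user is unknown or the password is wrong. The plugin names Srp and Legacy_Auth come from the report; the user stores, passwords and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Plugin:
    """One authentication plugin with its own user store (constructed sample data)."""
    name: str
    users: Dict[str, str]  # username -> password (plain text only for this model)

    def check(self, user: str, password: str) -> Tuple[bool, bool]:
        """Return (user_known_to_this_plugin, credentials_valid)."""
        known = user in self.users
        return known, known and self.users[user] == password


def auth_stop_at_first_known(plugins: List[Plugin], user: str,
                             password: str) -> Tuple[Optional[str], str]:
    """Behaviour the report describes as the bug: the first plugin that has the
    user decides the outcome, even when it rejects the password. The outcome
    differs for 'known user, wrong password' and 'unknown user', which is the
    information leak the report points out."""
    for p in plugins:
        known, ok = p.check(user, password)
        if known:
            return (p.name, "ok") if ok else (None, "user exists but password rejected")
    return None, "user unknown"


def auth_continue_on_failure(plugins: List[Plugin], user: str,
                             password: str) -> Tuple[Optional[str], str]:
    """Behaviour the report asks for: a failed check in one plugin is treated as
    'no such user there' and the next plugin is tried. The rejection is the same
    string for an unknown user and a wrong password, so nothing is leaked."""
    for p in plugins:
        _, ok = p.check(user, password)
        if ok:
            return p.name, "ok"
    return None, "login rejected"


# Constructed stores: 'alice' exists in both plugins with different passwords,
# 'bob' only in Srp, 'carol' only in Legacy_Auth. Srp is tried first, as in the report.
PLUGINS = [
    Plugin("Srp", {"alice": "alice-srp-pw", "bob": "bob-srp-pw"}),
    Plugin("Legacy_Auth", {"alice": "alice-legacy-pw", "carol": "carol-legacy-pw"}),
]
```

With the stop-at-first chain, alice's valid Legacy_Auth password is rejected by Srp; with the continue-on-failure chain it authenticates through Legacy_Auth, and a wrong password is indistinguishable from an unknown user.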
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel