On 4-3-2017 22:52, Vlad Khorsun wrote:
> 04.03.2017 18:36, Mark Rotteveel wrote:
>> I have some problems with using legacy authentication with Firebird 4:
>>
>> * Using the default existing legacy sysdba/masterke works
>> * Creating a new user with the Legacy_UserManager (create user ...
>> password '...' using plugin Legacy_UserManager) or with gsec
>> (Legacy_UserManager is the first in the list), and trying to login leads
>> to an authentication failure
>> * Using gsec to alter the password of the legacy sysdba and then trying
>> to login leads to an authentication failure (even if I changed to
>> masterke or masterkey)
>
>> The above seems to suggest that the Legacy_UserManager is broken when
>> hashing passwords. Is that a known issue?
>
> Issue seems new (at least to me). The reason is that hash of encrypted
> passwords is stored with trailing zeros now (guess it was due to recently
> introduced support of BINARY chars). See below:
>
> fb40\temp\x64\debug\firebird>isql SECURITY4.FDB -user sysdba
> Database: SECURITY4.FDB, User: SYSDBA
> SQL> set list;
> SQL> show table plg$users;
> PLG$USER_NAME (SEC$USER_NAME) VARCHAR(63) Not Null
> PLG$GROUP_NAME (SEC$USER_NAME) VARCHAR(63) Nullable
> PLG$UID (PLG$ID) INTEGER Nullable
> PLG$GID (PLG$ID) INTEGER Nullable
> PLG$PASSWD (PLG$PASSWD) VARBINARY(64) Not Null
> PLG$COMMENT (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UTF8 Nullable
> PLG$FIRST_NAME (SEC$NAME_PART) VARCHAR(32) Nullable
> PLG$MIDDLE_NAME (SEC$NAME_PART) VARCHAR(32) Nullable
> PLG$LAST_NAME (SEC$NAME_PART) VARCHAR(32) Nullable
> CONSTRAINT INTEG_2:
> Primary key (PLG$USER_NAME)
> SQL>
>
> Note, PLG$PASSWD has type VARBINARY.
>
> SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from
> plg$users;
>
> PLG$USER_NAME SYSDBA
> PLG$PASSWD
> 4E4C74776373394C72784C4D4F5968473075474D3969364B53376D66
> 3351414B764656706D52673D
> OCTET_LENGTH 40
>
> PLG$USER_NAME VLAD
> PLG$PASSWD
> 5344516E344D62486F466265444C52523246507066304E556E48304D
> 736B4352764F644A32446F3D000000000000000000000000000000000000000000000000
> OCTET_LENGTH 64
>
> You see the difference. It also explains why the SYSDBA account works.
>
> Look at fb3:
>
> F:\FB2\fb30\temp\x64\debug\firebird>isql SECURITY3.FDB -user sysdba
> Database: SECURITY3.FDB, User: SYSDBA
> SQL> set list;
> SQL> show table plg$users;
> PLG$USER_NAME (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Not Null
> PLG$GROUP_NAME (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Nullable
> PLG$UID (PLG$ID) INTEGER Nullable
> PLG$GID (PLG$ID) INTEGER Nullable
> PLG$PASSWD (PLG$PASSWD) VARCHAR(64) CHARACTER SET OCTETS Not Null
> PLG$COMMENT (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UNICODE_FSS Nullable
> PLG$FIRST_NAME (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
> PLG$MIDDLE_NAME (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
> PLG$LAST_NAME (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
> CONSTRAINT INTEG_2:
> Primary key (PLG$USER_NAME)
>
> PLG$PASSWD is VARCHAR(64) CHARACTER SET OCTETS here, and
>
> SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from
> plg$users;
>
> PLG$USER_NAME SYSDBA
> PLG$PASSWD
> 4E4C74776373394C72784C4D4F5968473075474D3969364B53376D663351414B764656706D52673D
> OCTET_LENGTH 40
>
> PLG$USER_NAME VLAD
> PLG$PASSWD
> 6C4C493241657136692F6A53524547572B6D5A36444D7A5231384663546758547467684D534D343D
> OCTET_LENGTH 40
>
> there are no trailing zeros.
>
> I'll commit a fix to ignore those trailing zeros when hashes are compared.

Thanks, do you want me to create a ticket?

>> Also curious: initializing the security database for Srp adds two Srp
>> SYSDBA accounts (but it might always have done that).
>
> I think you mixed two SYSDBA accounts created by different plugins.
> See below (security4.fdb just copied from gen\dbs\security.fdb) :

I have done some more digging. I can reproduce it with gsec if I use:

add sysdba -pw masterkey -admin yes

not if I use

add sysdba -pw masterkey

Similar if I use in ISQL:

create user sysdba password 'masterkey' grant admin role;

not if I use

create user sysdba password 'masterkey';

Mark
-- 
Mark Rotteveel

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
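
Added example, not part of the thread and not Firebird's code: a Python sketch of the comparison described above (ignore trailing zeros when hashes are compared), plus an audit of isql-style hex output for padded PLG$PASSWD values. The function names and sample rows are constructed for illustration; it assumes the stored legacy hash is 40 bytes of printable text, as the values in the thread are, so a NUL byte is never a legitimate part of it.

```python
import hmac

HASH_LEN = 40  # octet length of the unpadded PLG$PASSWD values in the thread


def split_padding(stored: bytes) -> tuple[bytes, int]:
    """Return (value without trailing NULs, number of NUL bytes removed)."""
    stripped = stored.rstrip(b"\x00")
    return stripped, len(stored) - len(stripped)


def hashes_match(stored: bytes, computed: bytes) -> bool:
    """Compare a stored hash with a freshly computed one, ignoring the
    trailing NUL padding, using a constant-time comparison."""
    stripped, _ = split_padding(stored)
    return hmac.compare_digest(stripped, computed)


def audit(rows):
    """rows: iterable of (user_name, hex text as printed by isql).
    Returns (user, finding) for padded or malformed stored hashes."""
    findings = []
    for user, hex_value in rows:
        raw = bytes.fromhex("".join(hex_value.split()))  # rejoin wrapped lines
        stripped, pad = split_padding(raw)
        if pad:
            findings.append((user, f"padded with {pad} NUL bytes"))
        printable = stripped.isascii() and stripped.decode("ascii").isprintable()
        if len(stripped) != HASH_LEN or not printable:
            findings.append((user, "unexpected hash content"))
    return findings


# Constructed sample data (not the hashes from the thread).
GOOD = b"A" * 39 + b"="
OTHER = b"B" * 39 + b"="
SAMPLE_ROWS = [
    ("SYSDBA", GOOD.hex().upper()),                    # stored unpadded
    ("VLAD", (OTHER + b"\x00" * 24).hex().upper()),    # padded to 64 octets
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ROWS):
        print(user, finding)
```
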