On 6-3-2019 16:18, Paul Reeves wrote:
> On Wed, 6 Mar 2019 14:33:49 +0100
> Mark Rotteveel <m...@lawinegevaar.nl> wrote:
>> Srp is not a legacy authentication, it is just slightly less secure
>> than Srp256


> I'm wondering then if I understand the difference between AuthServer and
> AuthClient. My understanding is that AuthServer specifies the plugins
> the server will use to authorize client attachments. AuthClient
> specifies the plugins the client will use to make the initial connect
> to the server.

Not exactly, the AuthClient in the firebird.conf of the **server** will only control the behavior of the server when it acts as a client (e.g. EXECUTE STATEMENT on an external data source), and for tools using the client library in the Firebird install folder.

But for example if an application uses the firebird client installed with instclient, then it will use the default setting, unless a specific firebird.conf was placed in the same location as the fbclient.dll (in C:\Windows\System32).

> So if we have the current default of
>
>    AuthServer = Srp256
>
> then surely an FB3 client that uses Srp will be rejected?

Not if they use a Firebird 3.0.4 client with default settings, because Srp256 was added in 3.0.4 as well.

> If my understanding is correct srp is a form of legacy authorization,
> even if it does not use the legacy_auth plugin.

No, it is not legacy, it is just less secure (it uses SHA-1). We also don't enable the Srp224 (Srp with SHA-224), Srp384 (Srp with SHA-384) and Srp512 (Srp with SHA-512) by default because doing so could be considered overkill, while using Srp256 should be a sufficiently secure default.

Mark
--
Mark Rotteveel
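The server/client split described above, written out as two firebird.conf fragments. This is an added illustration for this page, not configuration taken from the thread or shipped by the Firebird project. It assumes the plugin-list syntax (comma-separated names) and the plugin name Legacy_Auth as they appear in the stock firebird.conf; the file paths are the ones named in the reply above.

```ini
# --- firebird.conf on the SERVER (added example, not from the thread) ---

# AuthServer: plugins the server accepts for incoming attachments.
# Srp256 is the 3.0.4+ default. Listing Srp as well keeps pre-3.0.4
# clients, which can only offer Srp (SHA-1), able to connect.
# Drop ", Srp" to require Srp256 from every client.
AuthServer = Srp256, Srp

# AuthClient in the server's own firebird.conf only governs the server
# when it acts as a client (EXECUTE STATEMENT on an external data
# source) and tools that load the fbclient from this install folder.
AuthClient = Srp256, Srp

# --- firebird.conf next to fbclient.dll on a CLIENT machine ---
# (C:\Windows\System32 for an instclient install; assumed location.)
# Without this file the client library uses its built-in defaults.

# Srp256 is offered first so a 3.0.4+ server negotiates it; Srp is the
# fallback for older servers. Legacy_Auth is deliberately left out so
# the client never falls back to the legacy plugin.
AuthClient = Srp256, Srp
```

The practical check is on the server side: with `AuthServer = Srp256` alone, a client whose list does not contain Srp256 (any pre-3.0.4 client, or a 3.0.4 client whose local firebird.conf was edited to offer only Srp) is rejected; with `Srp256, Srp` both are accepted and the stronger plugin wins whenever both sides offer it.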


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
