Re: [Firebird-devel] windows installer and authentication

2015-07-15 Thread Alex Peshkoff
On 07/15/2015 11:34 AM, Mark Rotteveel wrote: > As far as I recall we had this discussion last year (or two years ago). I > believe we settled on having legacy authentication enabled by default for > sake of ease of transition, especially as most connection libraries that do > not use fbclient.dll

Re: [Firebird-devel] windows installer and authentication

2015-07-15 Thread Mark Rotteveel
On Mon, 13 Jul 2015 17:44:09 +0300, Alex Peshkoff wrote: > On 07/13/2015 04:07 PM, Paul Reeves wrote: >> On Monday 13 July 2015 13:33:48 Alex Peshkoff wrote: >>> Windows installer still suggests as a default to provide legacy >>> authentication. For how long do we keep insecure choice as a default

Re: [Firebird-devel] windows installer and authentication

2015-07-14 Thread Paul Reeves
On Tuesday 14 July 2015 19:00:59 Dmitry Yemanov wrote: > 13.07.2015 16:07, Paul Reeves wrote: > > Obviously I am missing something huge here - if we don't provide legacy > > authentication how and where do we create sysdba? > > The same way (gsec?) and the same location (security3.fdb). Just use th

Re: [Firebird-devel] windows installer and authentication

2015-07-14 Thread Dmitry Yemanov
13.07.2015 16:07, Paul Reeves wrote: > Obviously I am missing something huge here - if we don't provide legacy > authentication how and where do we create sysdba? The same way (gsec?) and the same location (security3.fdb). Just use the Srp plugin instead of LegacyAuth. Dmitry

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
On 07/13/2015 06:41 PM, Dmitry Yemanov wrote: > 13.07.2015 18:24, swobje...@outlook.com wrote: >> A potential attacker needs typically two elements breaking a password >> auth mechanism. >> In this case, the user with the highest granted permissions to corrupt >> and/or destroy anything is known to

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Dmitry Yemanov
13.07.2015 18:24, swobje...@outlook.com wrote: > > A potential attacker needs typically two elements breaking a password > auth mechanism. > In this case, the user with the highest granted permissions to corrupt > and/or destroy anything is known to the attacker. The fact that SYSDBA exists inside

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Dimitry Sibiryakov
13.07.2015 17:24, swobje...@outlook.com wrote: > In this case, the user with the highest granted permissions to corrupt > and/or destroy anything is known to the attacker. Fortunately, the attacker doesn't know if this user exists at all. Those who care about security, can skip its creation o

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread swobje...@outlook.com
Hi Alex On 13.07.2015 at 16:06 Alex Peshkoff wrote: > On 07/13/2015 04:56 PM, swobje...@outlook.com wrote: >> Hmm, is there a reason why the dba account name is hardcoded in the >> firebird.exe >> >> .rdata:0047A62C aSysdba db 'SYSDBA',0 ; DATA XREF: >> sub_406F70+1C3o >> leng

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
On 07/13/2015 04:07 PM, Paul Reeves wrote: > On Monday 13 July 2015 13:33:48 Alex Peshkoff wrote: >> Windows installer still suggests as a default to provide legacy >> authentication. For how long do we keep insecure choice as a default? > That is a very good question. > > In my opinion it should b

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
On 07/13/2015 04:56 PM, swobje...@outlook.com wrote: > Hmm, is there a reason why the dba account name is hardcoded in the > firebird.exe > > .rdata:0047A62C aSysdba db 'SYSDBA',0 ; DATA XREF: > sub_406F70+1C3o > length: 7, type: c, string: SYSDBA > > \Firebird-3.0.0.31896-0_Win3

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread swobje...@outlook.com
Hmm, is there a reason why the dba account name is hardcoded in the firebird.exe .rdata:0047A62C aSysdba db 'SYSDBA',0 ; DATA XREF: sub_406F70+1C3o length: 7, type: c, string: SYSDBA \Firebird-3.0.0.31896-0_Win32_Beta2\firebird.exe On 13.07.2015 at 15:07 Paul Reeves wrote

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Paul Reeves
On Monday 13 July 2015 13:33:48 Alex Peshkoff wrote: > > Windows installer still suggests as a default to provide legacy > authentication. For how long do we keep insecure choice as a default? That is a very good question. In my opinion it should be the default for v3.0, and clearly marked as d

[Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
Yesterday I've got a private bug report that windows installer does not create sysdba user. I did not believe it, but decided to test beta2 - and was very much surprised. Windows installer still suggests as a default to provide legacy authentication. For how long do we keep insecure choice as a