Legacy usermanager broken in Firebird 4?


Legacy usermanager broken in Firebird 4?

Mark Rotteveel-2
I have some problems with using legacy authentication with Firebird 4:

* Using the default existing legacy sysdba/masterke works
* Creating a new user with the Legacy_UserManager (create user ...
password '...' using plugin Legacy_UserManager) or with gsec
(Legacy_UserManager is the first in the list), and trying to login leads
to an authentication failure
* Using gsec to alter the password of the legacy sysdba and then trying
to login leads to an authentication failure (even if I changed to
masterke or masterkey)

The above seems to suggest that the Legacy_UserManager is broken when
hashing passwords. Is that a known issue?

Also curious: initializing the security database for Srp adds two Srp
SYSDBA accounts (but it might always have done that).
--
Mark Rotteveel

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel

Re: Legacy usermanager broken in Firebird 4?

Vlad Khorsun-2
04.03.2017 18:36, Mark Rotteveel wrote:

> I have some problems with using legacy authentication with Firebird 4:
>
> * Using the default existing legacy sysdba/masterke works
> * Creating a new user with the Legacy_UserManager (create user ...
> password '...' using plugin Legacy_UserManager) or with gsec
> (Legacy_UserManager is the first in the list), and trying to login leads
> to an authentication failure
> * Using gsec to alter the password of the legacy sysdba and then trying
> to login leads to an authentication failure (even if I changed to
> masterke or masterkey)
>
> The above seems to suggest that the Legacy_UserManager is broken when
> hashing passwords. Is that a known issue?

   Issue seems new (at least to me). The reason is that the hash of encrypted
passwords is stored with trailing zeros now (I guess it was due to the recently
introduced support of BINARY chars). See below:


fb40\temp\x64\debug\firebird>isql SECURITY4.FDB -user sysdba
Database: SECURITY4.FDB, User: SYSDBA
SQL> set list;
SQL> show table plg$users;
PLG$USER_NAME                   (SEC$USER_NAME) VARCHAR(63) Not Null
PLG$GROUP_NAME                  (SEC$USER_NAME) VARCHAR(63) Nullable
PLG$UID                         (PLG$ID) INTEGER Nullable
PLG$GID                         (PLG$ID) INTEGER Nullable
PLG$PASSWD                      (PLG$PASSWD) VARBINARY(64) Not Null
PLG$COMMENT                     (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UTF8 Nullable
PLG$FIRST_NAME                  (SEC$NAME_PART) VARCHAR(32) Nullable
PLG$MIDDLE_NAME                 (SEC$NAME_PART) VARCHAR(32) Nullable
PLG$LAST_NAME                   (SEC$NAME_PART) VARCHAR(32) Nullable
CONSTRAINT INTEG_2:
   Primary key (PLG$USER_NAME)
SQL>

Note that PLG$PASSWD has type VARBINARY.

SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from plg$users;

PLG$USER_NAME                   SYSDBA
PLG$PASSWD                      4E4C74776373394C72784C4D4F5968473075474D3969364B53376D66
3351414B764656706D52673D
OCTET_LENGTH                    40

PLG$USER_NAME                   VLAD
PLG$PASSWD                      5344516E344D62486F466265444C52523246507066304E556E48304D
736B4352764F644A32446F3D000000000000000000000000000000000000000000000000
OCTET_LENGTH                    64

You see the difference. It also explains why the SYSDBA account works.

   Look at fb3:

F:\FB2\fb30\temp\x64\debug\firebird>isql SECURITY3.FDB -user sysdba
Database: SECURITY3.FDB, User: SYSDBA
SQL> set list;
SQL> show table plg$users;
PLG$USER_NAME                   (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Not Null
PLG$GROUP_NAME                  (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Nullable
PLG$UID                         (PLG$ID) INTEGER Nullable
PLG$GID                         (PLG$ID) INTEGER Nullable
PLG$PASSWD                      (PLG$PASSWD) VARCHAR(64) CHARACTER SET OCTETS Not Null
PLG$COMMENT                     (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UNICODE_FSS Nullable
PLG$FIRST_NAME                  (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
PLG$MIDDLE_NAME                 (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
PLG$LAST_NAME                   (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
CONSTRAINT INTEG_2:
   Primary key (PLG$USER_NAME)

PLG$PASSWD is VARCHAR(64) CHARACTER SET OCTETS here, and

SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from plg$users;

PLG$USER_NAME                   SYSDBA
PLG$PASSWD                      4E4C74776373394C72784C4D4F5968473075474D3969364B53376D663351414B764656706D52673D
OCTET_LENGTH                    40

PLG$USER_NAME                   VLAD
PLG$PASSWD                      6C4C493241657136692F6A53524547572B6D5A36444D7A5231384663546758547467684D534D343D
OCTET_LENGTH                    40

there are no trailing zeros.


   I'll commit a fix to ignore those trailing zeros when hashes are compared.


> Also curious: initializing the security database for Srp adds two Srp
> SYSDBA accounts (but it might always have done that).

   I think you mixed up two SYSDBA accounts created by different plugins.
See below (security4.fdb just copied from gen\dbs\security.fdb):

a) default firebird.conf

fb40\temp\x64\Release\firebird>isql SECURITY4.FDB -user sysdba
Database: SECURITY4.FDB, User: SYSDBA
SQL> set list;
SQL> select * from sec$users;
Statement failed, SQLSTATE = 28000
find/display record error
-Install incomplete, please read the Compatibility chapter in the release notes for this version
SQL>
SQL> create user SYSDBA password 'masterkey';
SQL> commit;
SQL>
SQL> create user SYSDBA password 'masterkey' using plugin legacy_usermanager;
Statement failed, SQLSTATE = HY000
Missing requested management plugin
SQL> select * from sec$users;

SEC$USER_NAME                   SYSDBA
SEC$FIRST_NAME                  <null>
SEC$MIDDLE_NAME                 <null>
SEC$LAST_NAME                   <null>
SEC$ACTIVE                      <true>
SEC$ADMIN                       <true>
SEC$DESCRIPTION                 <null>
SEC$PLUGIN                      Srp

All as expected.


b) change in firebird.conf
UserManager = Srp, Legacy_UserManager

fb40\temp\x64\Release\firebird>isql SECURITY4.FDB -user sysdba
Database: SECURITY4.FDB, User: SYSDBA
SQL> set list;
SQL> select * from sec$users;

SEC$USER_NAME                   SYSDBA
SEC$FIRST_NAME                  <null>
SEC$MIDDLE_NAME                 <null>
SEC$LAST_NAME                   <null>
SEC$ACTIVE                      <true>
SEC$ADMIN                       <true>
SEC$DESCRIPTION                 <null>
SEC$PLUGIN                      Srp

SEC$USER_NAME                   SYSDBA
SEC$FIRST_NAME                  Sql
SEC$MIDDLE_NAME                 Server
SEC$LAST_NAME                   Administrator
SEC$ACTIVE                      <null>
SEC$ADMIN                       <true>
SEC$DESCRIPTION                 <null>
SEC$PLUGIN                      Legacy_UserManager

SQL> create user SYSDBA password 'masterkey';
Statement failed, SQLSTATE = 23000
add record error
-violation of PRIMARY or UNIQUE KEY constraint "INTEG_5" on table "PLG$SRP"
-Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')
SQL> create user SYSDBA password 'masterkey' using plugin legacy_usermanager;
Statement failed, SQLSTATE = 23000
add record error
-violation of PRIMARY or UNIQUE KEY constraint "INTEG_2" on table "PLG$USERS"
-Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')


Again all as expected.

Regards,
Vlad
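The mismatch Vlad describes above, as an added example in C++ that is not Firebird's own code: a constructed 40-character hash text is stored once the way Firebird 3 did (exact length) and once NUL-padded to the VARBINARY(64) width the way the Firebird 4 build did, then compared as-is (which fails for the padded row) and with trailing zero bytes ignored, in the spirit of the announced fix. SAMPLE_HASH, the column width constant and all function names are assumptions, not Firebird identifiers.

```cpp
#include <algorithm>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Width of PLG$PASSWD in the Firebird 4 security database: VARBINARY(64).
static const size_t PLG_PASSWD_WIDTH = 64;

// Constructed stand-in for the 40-character legacy hash text (a real one is
// base64 text, so it never contains a NUL byte); not a real password hash.
const std::string SAMPLE_HASH = "ConstructedSampleLegacyHashNotRealXYZ12=";

// What FB3 stored in VARCHAR(64) CHARACTER SET OCTETS: exactly the hash
// text, octet_length 40.
std::vector<unsigned char> store_exact(const std::string& hash_text) {
    return std::vector<unsigned char>(hash_text.begin(), hash_text.end());
}

// What the FB4 build in the thread wrote to VARBINARY(64): the hash text
// followed by NUL padding up to the full column width, octet_length 64.
std::vector<unsigned char> store_padded(const std::string& hash_text) {
    std::vector<unsigned char> col(PLG_PASSWD_WIDTH, 0);
    size_t n = std::min(hash_text.size(), PLG_PASSWD_WIDTH);
    std::memcpy(col.data(), hash_text.data(), n);
    return col;
}

// Naive check: the whole stored value must equal the freshly computed hash
// text. Works for FB3-style rows, fails for every padded FB4 row.
bool verify_naive(const std::vector<unsigned char>& stored,
                  const std::string& computed) {
    return stored.size() == computed.size() &&
           std::memcmp(stored.data(), computed.data(), computed.size()) == 0;
}

// Check in the spirit of the announced fix: ignore trailing zero bytes before
// comparing. The compare itself is constant-time over the trimmed length so
// the loop does not stop at the first differing byte.
bool verify_trimmed(const std::vector<unsigned char>& stored,
                    const std::string& computed) {
    size_t len = stored.size();
    while (len > 0 && stored[len - 1] == 0) --len;
    if (len != computed.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; ++i)
        diff |= stored[i] ^ static_cast<unsigned char>(computed[i]);
    return diff == 0;
}

int main() {
    std::vector<unsigned char> fb3 = store_exact(SAMPLE_HASH);
    std::vector<unsigned char> fb4 = store_padded(SAMPLE_HASH);
    std::cout << "fb3 row, naive:   " << verify_naive(fb3, SAMPLE_HASH) << "\n"    // 1
              << "fb4 row, naive:   " << verify_naive(fb4, SAMPLE_HASH) << "\n"    // 0
              << "fb4 row, trimmed: " << verify_trimmed(fb4, SAMPLE_HASH) << "\n"; // 1
    return 0;
}
```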


Re: Legacy usermanager broken in Firebird 4?

Dimitry Sibiryakov-3
04.03.2017 22:52, Vlad Khorsun wrote:
> The reason is that the hash of encrypted
> passwords is stored with trailing zeros now (I guess it was due to the recently
> introduced support of BINARY chars).

   No. It is because of the use of fb_utils::copy_terminate() instead of strStore() for storing
the password in LegacyManagement.epp.
   https://github.com/FirebirdSQL/firebird/commit/1adadd969f93f12a1b0a0303d00ce0079478568f


--
   WBR, SD.


Re: Legacy usermanager broken in Firebird 4?

Mark Rotteveel-2
In reply to this post by Vlad Khorsun-2
On 4-3-2017 22:52, Vlad Khorsun wrote:

> 04.03.2017 18:36, Mark Rotteveel wrote:
>> I have some problems with using legacy authentication with Firebird 4:
>>
>> * Using the default existing legacy sysdba/masterke works
>> * Creating a new user with the Legacy_UserManager (create user ...
>> password '...' using plugin Legacy_UserManager) or with gsec
>> (Legacy_UserManager is the first in the list), and trying to login leads
>> to an authentication failure
>> * Using gsec to alter the password of the legacy sysdba and then trying
>> to login leads to an authentication failure (even if I changed to
>> masterke or masterkey)
>>
>> The above seems to suggest that the Legacy_UserManager is broken when
>> hashing passwords. Is that a known issue?
>
>    Issue seems new (at least to me). The reason is that the hash of encrypted
> passwords is stored with trailing zeros now (I guess it was due to the recently
> introduced support of BINARY chars). See below:
>
>
> fb40\temp\x64\debug\firebird>isql SECURITY4.FDB -user sysdba
> Database: SECURITY4.FDB, User: SYSDBA
> SQL> set list;
> SQL> show table plg$users;
> PLG$USER_NAME                   (SEC$USER_NAME) VARCHAR(63) Not Null
> PLG$GROUP_NAME                  (SEC$USER_NAME) VARCHAR(63) Nullable
> PLG$UID                         (PLG$ID) INTEGER Nullable
> PLG$GID                         (PLG$ID) INTEGER Nullable
> PLG$PASSWD                      (PLG$PASSWD) VARBINARY(64) Not Null
> PLG$COMMENT                     (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UTF8 Nullable
> PLG$FIRST_NAME                  (SEC$NAME_PART) VARCHAR(32) Nullable
> PLG$MIDDLE_NAME                 (SEC$NAME_PART) VARCHAR(32) Nullable
> PLG$LAST_NAME                   (SEC$NAME_PART) VARCHAR(32) Nullable
> CONSTRAINT INTEG_2:
>    Primary key (PLG$USER_NAME)
> SQL>
>
> Note that PLG$PASSWD has type VARBINARY.
>
> SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from plg$users;
>
> PLG$USER_NAME                   SYSDBA
> PLG$PASSWD                      4E4C74776373394C72784C4D4F5968473075474D3969364B53376D66
> 3351414B764656706D52673D
> OCTET_LENGTH                    40
>
> PLG$USER_NAME                   VLAD
> PLG$PASSWD                      5344516E344D62486F466265444C52523246507066304E556E48304D
> 736B4352764F644A32446F3D000000000000000000000000000000000000000000000000
> OCTET_LENGTH                    64
>
> You see the difference. It also explains why the SYSDBA account works.
>
>    Look at fb3:
>
> F:\FB2\fb30\temp\x64\debug\firebird>isql SECURITY3.FDB -user sysdba
> Database: SECURITY3.FDB, User: SYSDBA
> SQL> set list;
> SQL> show table plg$users;
> PLG$USER_NAME                   (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Not Null
> PLG$GROUP_NAME                  (SEC$USER_NAME) VARCHAR(31) CHARACTER SET UNICODE_FSS Nullable
> PLG$UID                         (PLG$ID) INTEGER Nullable
> PLG$GID                         (PLG$ID) INTEGER Nullable
> PLG$PASSWD                      (PLG$PASSWD) VARCHAR(64) CHARACTER SET OCTETS Not Null
> PLG$COMMENT                     (RDB$DESCRIPTION) BLOB segment 80, subtype TEXT CHARACTER SET UNICODE_FSS Nullable
> PLG$FIRST_NAME                  (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
> PLG$MIDDLE_NAME                 (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
> PLG$LAST_NAME                   (SEC$NAME_PART) VARCHAR(32) CHARACTER SET UNICODE_FSS Nullable
> CONSTRAINT INTEG_2:
>    Primary key (PLG$USER_NAME)
>
> PLG$PASSWD is VARCHAR(64) CHARACTER SET OCTETS here, and
>
> SQL> select plg$user_name, plg$passwd, octet_length(plg$passwd) from plg$users;
>
> PLG$USER_NAME                   SYSDBA
> PLG$PASSWD                      4E4C74776373394C72784C4D4F5968473075474D3969364B53376D663351414B764656706D52673D
> OCTET_LENGTH                    40
>
> PLG$USER_NAME                   VLAD
> PLG$PASSWD                      6C4C493241657136692F6A53524547572B6D5A36444D7A5231384663546758547467684D534D343D
> OCTET_LENGTH                    40
>
> there are no trailing zeros.
>
>
>    I'll commit a fix to ignore those trailing zeros when hashes are compared.

Thanks, do you want me to create a ticket?

>> Also curious: initializing the security database for Srp adds two Srp
>> SYSDBA accounts (but it might always have done that).
>
>    I think you mixed up two SYSDBA accounts created by different plugins.
> See below (security4.fdb just copied from gen\dbs\security.fdb):

I have done some more digging. I can reproduce it with gsec if I use:

add sysdba -pw masterkey -admin yes

not if I use

add sysdba -pw masterkey

Similar if I use in ISQL:

create user sysdba password 'masterkey' grant admin role;

not if I use

create user sysdba password 'masterkey';

Mark
--
Mark Rotteveel


Re: Legacy usermanager broken in Firebird 4?

Dimitry Sibiryakov-3
In reply to this post by Dimitry Sibiryakov-3
04.03.2017 23:37, Dimitry Sibiryakov wrote:
> It is because of the use of fb_utils::copy_terminate() instead of strStore() for storing the password
> in LegacyManagement.epp.

   I'm sorry, I was wrong. Perhaps, indeed, the introduction of VARBINARY caused GPRE to
generate wrong BLR and structures.


--
   WBR, SD.


Re: Legacy usermanager broken in Firebird 4?

Vlad Khorsun-2
In reply to this post by Mark Rotteveel-2
05.03.2017 10:56, Mark Rotteveel wrote:

> On 4-3-2017 22:52, Vlad Khorsun wrote:
>> 04.03.2017 18:36, Mark Rotteveel wrote:
>>> I have some problems with using legacy authentication with Firebird 4:
>>>
>>> * Using the default existing legacy sysdba/masterke works
>>> * Creating a new user with the Legacy_UserManager (create user ...
>>> password '...' using plugin Legacy_UserManager) or with gsec
>>> (Legacy_UserManager is the first in the list), and trying to login leads
>>> to an authentication failure
>>> * Using gsec to alter the password of the legacy sysdba and then trying
>>> to login leads to an authentication failure (even if I changed to
>>> masterke or masterkey)
>>>
>>> The above seems to suggest that the Legacy_UserManager is broken when
>>> hashing passwords. Is that a known issue?
>>
>>    Issue seems new (at least to me). The reason is that the hash of encrypted
>> passwords is stored with trailing zeros now (I guess it was due to the recently
>> introduced support of BINARY chars). See below:

...

>>    I'll commit a fix to ignore those trailing zeros when hashes are compared.
>
> Thanks, do you want me to create a ticket?

   As you wish; the fix was committed yesterday.

>>> Also curious: initializing the security database for Srp adds two Srp
>>> SYSDBA accounts (but it might always have done that).
>>
>>    I think you mixed up two SYSDBA accounts created by different plugins.
>> See below (security4.fdb just copied from gen\dbs\security.fdb):
>
> I have done some more digging. I can reproduce it with gsec if I use:
>
> add sysdba -pw masterkey -admin yes
>
> not if I use
>
> add sysdba -pw masterkey
>
> Similar if I use in ISQL:
>
> create user sysdba password 'masterkey' grant admin role;
>
> not if I use
>
> create user sysdba password 'masterkey';

   Thanks, I'll look at it a bit later.

Regards,
Vlad



Re: Legacy usermanager broken in Firebird 4?

Mark Rotteveel-2
On 5-3-2017 14:07, Vlad Khorsun wrote:
> 05.03.2017 10:56, Mark Rotteveel wrote:
>> On 4-3-2017 22:52, Vlad Khorsun wrote:
>>>    I'll commit a fix to ignore those trailing zeros when hashes are compared.
>>
>> Thanks, do you want me to create a ticket?
>
>    As you wish; the fix was committed yesterday.

http://tracker.firebirdsql.org/browse/CORE-5495

>>>> Also curious: initializing the security database for Srp adds two Srp
>>>> SYSDBA accounts (but it might always have done that).
>>>
>>>    I think you mixed up two SYSDBA accounts created by different plugins.
>>> See below (security4.fdb just copied from gen\dbs\security.fdb):
>>
>> I have done some more digging. I can reproduce it with gsec if I use:
>>
>> add sysdba -pw masterkey -admin yes
>>
>> not if I use
>>
>> add sysdba -pw masterkey
>>
>> Similar if I use in ISQL:
>>
>> create user sysdba password 'masterkey' grant admin role;
>>
>> not if I use
>>
>> create user sysdba password 'masterkey';
>
>    Thanks, I'll look at it a bit later.

http://tracker.firebirdsql.org/browse/CORE-5496

--
Mark Rotteveel


Re: Legacy usermanager broken in Firebird 4?

Vlad Khorsun-2
05.03.2017 15:37, Mark Rotteveel wrote:

>>>>> Also curious: initializing the security database for Srp adds two Srp
>>>>> SYSDBA accounts (but it might always have done that).
>>>>
>>>>    I think you mixed up two SYSDBA accounts created by different plugins.
>>>> See below (security4.fdb just copied from gen\dbs\security.fdb):
>>>
>>> I have done some more digging. I can reproduce it with gsec if I use:
>>>
>>> add sysdba -pw masterkey -admin yes
>>>
>>> not if I use
>>>
>>> add sysdba -pw masterkey
>>>
>>> Similar if I use in ISQL:
>>>
>>> create user sysdba password 'masterkey' grant admin role;
>>>
>>> not if I use
>>>
>>> create user sysdba password 'masterkey';
>>
>>    Thanks, I'll look at it a bit later.
>
> http://tracker.firebirdsql.org/browse/CORE-5496

   Fortunately, there are no two SYSDBA accounts. The issue is that SYSDBA has been
granted the ADMIN privilege two times, and the query (behind SEC$USERS) returns it
two times.

   The first grant is granted by a NULL grantor and exists before the security database
is initialized by SRP. The second one is granted by SYSDBA when the CREATE USER SYSDBA
GRANT ADMIN ROLE statement is executed.

Regards,
Vlad

