Firebird 3.0.2 Release Notes: Security → New Authentication Method in Firebird 3

New Authentication Method in Firebird 3

SSL/TLS Support
Increased Password Length
The Authentication Plug-in
Multiple User Managers
Alex Peshkov

All of the code related to authentication is plug-in-enabled. Though Firebird performs the generic work, like extracting authentication data from a network message or putting it into such messages as appropriate, all the activity related to calculating hashes, storing data in databases or elsewhere, using specific prime numbers and so on is done by plug-ins.

Firebird 3 has a new method of user authentication, implemented as the default plug-in: the Secure Remote Password (SRP) protocol. Quoting from Wikipedia:

The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie-Hellman key exchange, then verifies to both parties that the two keys are identical and that both sides have the user's password. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than the alternative SSH protocol and faster than using Diffie-Hellman key exchange with signed messages. It is also independent of third parties, unlike Kerberos.

SSH needs a pre-exchange of keys between server and client (a public key has to be placed on the server) before it can work. SRP does not need that: all a client needs are a login and a password, and the whole exchange happens when the connection is established.

Moreover, SRP is resistant to “man-in-the-middle” attacks.
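To make the exchange described above concrete, here is an added example (not Firebird's plug-in code) of one SRP-6a handshake in Python, using SHA-1 as the page says the plug-in does. It assumes a hypothetical group modulus intended to be the RFC 5054 1024-bit group; Firebird's real parameters and wire format are not reproduced.

```python
import hashlib
import hmac
import secrets

# Group parameters, constructed for this example: meant to be the RFC 5054 1024-bit
# group with g = 2 but transcribed from memory, so verify before any real use. Firebird's
# own plug-in parameters and wire format are not reproduced here.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NB = N.to_bytes(128, "big")

def H(*parts: bytes) -> int:
    """SHA-1 over the joined parts as an integer (the page says the plug-in hashes with SHA1)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def i2b(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

k = H(NB, g.to_bytes(128, "big"))  # SRP-6a multiplier k = H(N | pad(g))

def private_x(user: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(user ':' password)); derived only where the password is known."""
    return H(salt, hashlib.sha1(f"{user}:{password}".encode()).digest())

def enrol(user: str, password: str) -> tuple:
    """Server-side enrolment: the server keeps (salt, verifier g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(user, password, salt), N)

def handshake(user: str, client_password: str, salt: bytes, v: int) -> tuple:
    """One SRP-6a exchange. Returns (client_key, server_key, server_accepted_proof)."""
    a = secrets.randbits(256)
    A = pow(g, a, N)                                    # client -> server: A
    b_priv = secrets.randbits(256)
    B = (k * v + pow(g, b_priv, N)) % N                 # server -> client: salt, B
    if A % N == 0 or B % N == 0:                        # RFC 5054 abort conditions
        raise ValueError("illegal public value")
    u = H(i2b(A), i2b(B))                               # scrambling parameter
    x = private_x(user, client_password, salt)          # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b_priv, N)     # server side: verifier only
    K_client = hashlib.sha1(i2b(S_client)).digest()
    K_server = hashlib.sha1(i2b(S_server)).digest()
    M1 = hashlib.sha1(i2b(A) + i2b(B) + K_client).digest()  # client's proof of K
    expected = hashlib.sha1(i2b(A) + i2b(B) + K_server).digest()
    return K_client, K_server, hmac.compare_digest(M1, expected)
```

With the right password both sides derive the same key and the client's proof verifies; a client that only knows the truncated 'masterke' fails, while the server still holds nothing but salt and verifier.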

Important

Use of the new authentication method is not compatible with old security databases and passwords from them. However, an upgrade procedure is available to migrate users from a Firebird 2.x security2.fdb database. For instructions, see Upgrading a v.2.x Security Database in the Compatibility chapter.

Use of an old security database can be supported with the Legacy_Auth authentication plug-in, but this kills the security benefits of Firebird 3.

The Firebird 3 client is built to make it possible to talk to old servers with the default configuration.

SSL/TLS Support

CORE-3251

So, the answer to the question “Does Firebird use SSL/TLS for password validation?” is “yes and no”. The “No” answer comes because, by default, SSL is not used. That is due to a minor licensing incompatibility between Firebird and OpenSSL, the most popular SSL implementation.

The “Yes” applies because anyone is free to write an authentication plug-in that uses SSL and TLS.

Increased Password Length

CORE-1898.

Implementation of SRP in our plugin has increased the password length from 8 bytes to 20 or more. Because SHA1 is used for hashes, maximum security is provided for passwords up to 20 characters in length. Longer passwords can be used without restriction, but there is a remote possibility of hash collisions between passwords that differ only beyond the 20th byte. Just be aware that a password longer than 20 characters could, in theory, share its hash with some shorter password, so it could be attacked using brute force.

A custom SRP plug-in could be built quite easily, using a hash algorithm that would guarantee unique hashes for longer passwords.

Tip

The increased length limit means the default SYSDBA password in Windows and MacOS installations is the full 'masterkey' string (9 chars), no longer 'masterke' (8 chars) as in older versions!

Support for the LegacyHash and Authentication parameters in firebird.conf has been dropped. Authentication is now controlled by the AuthServer parameter in firebird.conf or elsewhere.

The Authentication Plug-in

The Authentication plug-in comprises three parts:

  • Client—prepares data at the client to be sent to the server

  • Server—validates password for correctness

  • User Manager—adds, modifies and deletes users on the server. It is not needed if some external authentication method, such as Windows trusted authentication, is used.

All three parts are actually separate plug-ins which should be configured separately in firebird.conf. Let's look at an example of configuring a server to accept connections from old clients. The default settings are:

  AuthServer = Srp, Win_Sspi
  UserManager = Srp

To enable access from old clients, AuthServer needs to be changed:

  AuthServer = Srp, Win_Sspi, Legacy_Auth

If we also want to manage the list of users in the old format we must add:

  UserManager = Legacy_UserManager

Multiple User Managers

Multiple user managers can be enumerated in firebird.conf. The first member of the list of user managers is the default. Selecting from sec$users would produce something like the following:

SQL> select SEC$USER_NAME, SEC$PLUGIN from sec$users;

SEC$USER_NAME                   SEC$PLUGIN
=============================== ===============================
SYSDBA                          Legacy_UserManager
SYSDBA                          Srp
QA_USER1                        Srp
QA_USER2                        Srp
QA_USER3                        Srp
QA_USER4                        Srp
QA_USER5                        Srp
GUEST                           Srp
SHUT1                           Srp
SHUT2                           Srp
QATEST                          Srp

There might well be two users named SYSDBA in such a list, because each user manager has its own SYSDBA.

Notes

  • All user management commands can have the USING PLUGIN clause, whose purpose is to enable selection of a particular UserManager plug-in from the list in firebird.conf.

  • The default user manager in firebird.conf is Srp. If you need to manage legacy logins, set it to Legacy_UserManager, e.g., UserManager = Legacy_UserManager,Srp.

  • UserManager can be configured at database level, in databases.conf.
