Re: Updating fb password storage - Re: [Firebird-devel] crypt plugins

[Mark O'D. <mar...@fi...>]

Dmitry Yemanov wrote:
> "Mark O'Donohue" <mar...@fi...> wrote:
> 
>>It needs a bit of roadtesting, and a few more eyes, and Im sure a bit
>>more polishing, but Alex's design means that:
>>
>>    1) old client can connect to new servers,
>>    2) new clients still talk to old servers.
>>    3) and even if really needed old security.fdb files could work
>>       with new servers.
> 
> 
> If these points are true, then I support your proposal.

I think they should be true, and Alex seems to agree, (he's in a good 
position to be able to confirm it :-).

I also think requiring an update script to be run over security.fdb is 
acceptable (and probably preferable) for 3).


> Do I understand
> correctly that you suggest to have hardcoded two algorithms (MD5/SHA1 + DES)
> instead of firebird.conf-specified plugins list proprosed by Alex? Do you
> want to add the crypt plugins feature later and remove the hardcoded stuff
> or you think it's too complex solution for most hosts?
> 

Yes, I think hardcoding SHA1/MD5 as an internal replacement for the 
current DES MAC is a good first step.  It's a change with fairly low 
risk, and with good benefits for incuding in fb2.  It then becomes the 
new fb default.


Im glad Alex has done plugins, but Im not sure a plugin choice of DES or 
MD5 is enough, if done properly a plugin architecture should be able to 
support NTLM and PAM, pretty much straight out of the box.

Plugins are good idea, but a larger architectual change, and may take 
longer to filter through all involved to settle into a design that is 
genrally acceptable.

I'd like to see the plugin code, and would love to see it, or modified 
form also be included in fb2.

Cheers

Mark