3

I just upgraded my DB to Firebird 4.0 and all seems to work when connecting to the DB using a database management tool.

So now I try to connect, after making sure I've upgarded my ADO.Net to FirebirdSql.Data.FirebirdClient v8.0.1 (latest).

Here is how I create my connection string (yes, db path exists and I made sure that users have modification rights):

 FbConnectionStringBuilder cs = new FbConnectionStringBuilder();
 cs.Database = @"C:/myPath/MyDB.FDB";
 cs.DataSource = "localhost";
 cs.UserID = "sysdba";
 cs.Password = "masterkey";
 cs.Dialect = 3;
 cs.Pooling = false;
 cs.ServerType = FbServerType.Default;
 // --- Omitted at first - any of the 3 types leads to errors!
 //cs.WireCrypt = FbWireCrypt.Disabled;
 var DBConn = new FbConnection(cs.ConnectionString);
 DBConn.Open();

Now, notice I left out WireCrypt option (on purpose to start with). My error is:

Error occurred during login, please check server firebird.log for details

firebird.log says:

Authentication error No matching plugins on server

So I googled around and found hints it may come from wire encryption. Well ok, so I did try all 3 versions of wire encryption - if I use Required or Enabled, I get the above error. If I use the Disabled , I get

Incompatible wire encryption levels requested on client and server

Furthermore, I tried setting WireCrypt = Disabled in firebird.conf and in my code, restarted the service and tested again - now I have the same result as with the first two cases:

Authentication error No matching plugins on server

So I guess I'm missing something here about the encryption plugins - but I couldn't find any valuable information there, thanks for helping out!

UPDATE: here are the settings I tried and the error I got:

Attempt 1: all firebird.conf defaults (I posted it here to keep things short here):

Connection string 1:

character set=NONE;data source=localhost;initial catalog=C:\Users\DBAccess\MYDB.FDB;user id=SYSDBA;password=masterkey;wire crypt=Disabled

Incompatible wire encryption levels requested on client and server

Connection string 2 (wire crypt=Enabled or Required)

Authentication error No matching plugins on server

Attempt 2:

WireCrypt = Disabled

Connection string 1:

character set=NONE;data source=localhost;initial catalog=C:\Users\DBAccess\MYDB.FDB;user id=SYSDBA;password=masterkey;wire crypt=Disabled

Authentication error No matching plugins on server

Connection string 2 (wire crypt=Enabled) => same error!

Attempt 3:

AuthClient = Srp256, Srp
UserManager = Srp

Connection string 1:

character set=NONE;data source=localhost;initial catalog=C:\Users\DBAccess\MYDB.FDB;user id=SYSDBA;password=masterkey;wire crypt=Disabled

Incompatible wire encryption levels requested on client and server

Connection string 2 (wire crypt=Enabled or Required)

Authentication error No matching plugins on server

Attempt 4:

AuthClient = Srp256, Srp
UserManager = Srp
WireCryptPlugin = ChaCha, Arc4
WireCrypt = Enabled
ServerMode = Super

Connection string (same result with any wire crypt option in the connection string):

character set=NONE;data source=localhost;initial catalog=C:\Users\DBAccess\MYDB.FDB;user id=SYSDBA;password=masterkey;wire crypt=Enabled

Authentication error No matching plugins on server

NOTE: I also see the following message in firebird.log, which is possibly due to the service restart...

inet_error: read errno = 10054, client host = DESKTOP-1234, address = 127.0.0.1/60348, user = myusername

neggenbe
  • 1,697
  • 2
  • 24
  • 62

3 Answers3

4

The Firebird ADO.net provider version 8 only supports the Srp authentication plugin when connecting to Firebird 3.0 or higher, but Firebird 4.0 by default only uses the more secure Srp256 plugin. You will need to change the AuthServer setting in firebird.conf to Srp256,Srp for the Firebird ADO.net provider to be able to connect.

See also this issue: Support for Srp256 [DNET942] #864

Mark Rotteveel
  • 100,966
  • 191
  • 140
  • 197
  • thanks for the clarification but nothing helps - still the same `No matching plugins on server` error although I tried to play aroung with `firbird.conf` settings. Is there an example setup file known to work? Maybe I did miss installing some plugins (in which case, how do I know which one?) – neggenbe Jun 09 '21 at 18:39
  • @neggenbe I'll need to try things out, but I won't have time until later this week, maybe you also need to restrict the wire crypt plugin setting to Arc4 only – Mark Rotteveel Jun 10 '21 at 08:40
  • Ok just for the record: I remvoved the Firebird 4.0 and replaced it with Firebird 3.0, then restored my database (gback from 2.5) and used the exact same code (even with using `FbWireCrypt.Enabled` and it works seamlessly. So there is something about FB 4.0 that I am missing (I guess this has to do with either the security database or `firebird.conf` in that case)! – neggenbe Jun 10 '21 at 19:32
  • @neggenbe I tested it, and with a default firebird.conf, the only thing I had to modify was using `AuthServer = Srp256,Srp` instead of the default. Make sure your user actually exists for `Srp` user manager (e.g. by connecting to database employee and executing `create user sysdba password 'masterkey' using plugin srp`. – Mark Rotteveel Jun 11 '21 at 15:59
  • Thanks Mark - I'll try your config and let you know. But I am not really sure what you mean by "database employee". That sounds `Srp` specific, which I read would be deprecated anyway... Any comment on that? – neggenbe Jun 13 '21 at 07:27
  • @neggenbe `employee` is the example database included with Firebird, and listed in `databases.conf` with the alias `employee`. It is easy to use if you need to connect to any database (e.g. to create a user). As to Srp, there are two parts, the Srp user manager and the Srp family of authentication plugins (which includes Srp, Srp224, Srp256, Srp384 and Srp512), all those authentication plugin use the same user manager, what differs is the hash algorithm they use for their 'user-proof'. Given the Srp auth plugin uses SHA-1, it was decided that using Srp256 (SHA-256) was the better default. – Mark Rotteveel Jun 13 '21 at 07:31
  • Ok so basically, if I get you right, the "breaking change" is I need to create users in the TARGET database now, not only in the `security4.fdb` database, correct? But I read that in the embedded mode, there is no user required... And does Srp require any additional installation (and no, Office is still not the point here :p ) – neggenbe Jun 13 '21 at 18:36
  • PS: I tried to add user with ISQL tool and it says user already exists in security database (I think SYSDBA is added by installer). And this whether I connect to the security DB or the target DB. Enabling with your settings gives the same `no plugin` error. Maybe I need to register the path to DLLs in `Firebird_4_0\plugins`? Or anything else I might be missing? – neggenbe Jun 13 '21 at 20:06
  • Please edit your question and provide all custom settings in the firebird.conf (by default all settings in firebird.conf are commented out, which means they apply the default setting). And no, by default Firebird 3.0 and 4.0 still create users in the security4.fdb, but you need to connect to **any** database to create the user. If you already have the necessary user **for the Srp usermanager**, and `AuthServer` includes Srp then you should be good. And no, Srp does not require additional installation. – Mark Rotteveel Jun 14 '21 at 08:09
  • Ok I'll edit with the different settings I used. As for Srp : I installed it locally on my desktop computer (Win10 Pro, not Windows Server) - maybe this is the reason? – neggenbe Jun 14 '21 at 08:43
  • ok, so let me some time to update all settings I tried. Note I only installed Fb 4.0 (x64) with installer, all the rest is default! – neggenbe Jun 14 '21 at 08:49
  • The installer can modify certain settings depending on the options you chose during install. In other words, it may not be 100% default. – Mark Rotteveel Jun 14 '21 at 08:50
  • Ok, I think that thanks to this post (https://firebirdsql.org/file/documentation/release_notes/html/en/3_0/rnfb30-compat-legacyauth.html) I found the problem: I was registering only `AuthClient=srp`, but I also needed to set `AuthServer=spr` – neggenbe Jun 14 '21 at 09:23
  • I have said from the beginning that you need to modify `AuthServer`. Modifying `AuthClient` has no effect for you, because that only influences fbclient.dll usages, and you're not using fbclient.dll. Also, it is best to leave `AuthClient` at its default settings. – Mark Rotteveel Jun 14 '21 at 09:26
  • my bad really, didn't get the difference. Thanks for your patience, I owe you a beer :) – neggenbe Jun 14 '21 at 09:27
  • 1
    Maybe at a future Firebird conference ;) – Mark Rotteveel Jun 14 '21 at 09:29
1

Ok, I eventually got it to work using following settings:

firbird.conf:

AuthServer =  Srp256,Srp
UserManager = Srp
WireCrypt = Enabled

And connection string code:

FbConnectionStringBuilder bld = new FbConnectionStringBuilder();
bld.Charset = "NONE";
bld.DataSource = "localhost";
bld.Database = @"C:\Users\DBAccess\MYDB.FDB";
bld.UserID = "SYSDBA";
bld.Password = "masterkey";
bld.WireCrypt = FbWireCrypt.Enabled;
string connStr = bld.ConnectionString;
Mark Rotteveel
  • 100,966
  • 191
  • 140
  • 197
neggenbe
  • 1,697
  • 2
  • 24
  • 62
  • 1
    There is no need to change `AuthClient` for your case. Also be aware that by removing Srp256 from the `AuthServer` list, you're reducing security for clients that do support Srp256. It is better to set it to `AuthServer = Srp256,Srp`. – Mark Rotteveel Jun 14 '21 at 09:28
  • @MarkRotteveel a quick one: I'm trying the "embedded" version and run into `Your user name and password are not defined. Ask your database administrator to set up a Firebird login.` - should I open a new thread? – neggenbe Jun 16 '21 at 09:46
  • 1
    Yes, definitely, likely you're not actually using Embedded, but just an fbclient.dll without plugins/engine13.dll and other supporting files needed for Firebird Embedded. – Mark Rotteveel Jun 16 '21 at 13:34
  • Ok got it working. I think that I copied the old `firebird.conf` file - so all fine there! – neggenbe Jun 17 '21 at 06:54
0

Use AuthServer = Legacy_Auth on firebird.conf

Vinicius Geraldino
  • 1
  • Are you able to expand on why this solution works, or perhaps a link to some documentation to support further investigation into this solution? – Hamish May 26 '22 at 00:10
  • Kindly add more details to your answer, explanations on how your code works and how this address the OP's question would be a great help not just for the asker but also for the future researchers. – Kuro Neko May 31 '22 at 05:49
  • ofcourse. fire3, 4 use plugin for authentication, if u alter firebird.conf for use legacy system, firebird will conect with old auth(sysdba, masterkey). https://firebirdsql.org/file/documentation/release_notes/html/en/3_0/rnfb30-compat-legacyauth.html – Vinicius Geraldino Aug 02 '22 at 20:15