Description
Submitted by: @mrotteveel
When you enable legacy authentication in the Windows installer, it will configure firebird.conf with
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
This is insecure for two reasons:
1. It is missing the new Srp256 plugin which is the default
2. The order for authentication plugins should be from most secure to least secure to avoid leaking information about credentials of Srp users (eg if Srp256 or Srp succeeds, there is no need to send the password using the less secure UnixCrypt hash in Legacy_Auth).
In other words, enabling legacy authentication should produce
AuthServer = Srp256, Win_Sspi, Legacy_Auth
(or maybe AuthServer = Srp256, Srp, Win_Sspi, Legacy_Auth)
The default for AuthClient (AuthClient = Srp256, Srp, Win_Sspi, Legacy_Auth) is already sufficient and secure enough, so there is no need to write an explicit config.
Personally, I'd also prefer if UserManager order would be set to Srp, Legacy_UserManager, but to support legacy tools that is not really an option.
Commits: 2af22cb