Reputation: 537
I am unable to make Firebird forget the old password for the default user. I have installed Firebird version 3.0.4 on my local computer. I have tried to change the default password masterkey to another one via the gsec tool. First I logged in to this tool with the command:
gsec -user sysdba -password masterkey -database "C:\Program Files\Firebird\Firebird_3_0\security3.fdb"
And then with the modify command I set the next password:
modify sysdba -pw qwerty12
The issue is that now I can log in to the sysdba account with both passwords, the old masterkey password and the new qwerty12 password. How can I make Firebird forget the old default password?
Upvotes: 3
Views: 2427
Reputation: 109015
The problem is not that Firebird remembers the default password; the problem is that Firebird stores a password per authentication plugin, and SYSDBA happens to exist for two (or possibly more) authentication plugins.
To fix this, you must either drop the SYSDBA account for one of the authentication plugins, or change its password. Dropping the SYSDBA account is, unfortunately, rather hard to do for the Legacy_Auth plugin (you need to manually delete it from the security database, see at the end of this answer).
Assuming the standard Firebird install (which has authentication plugins Srp and Legacy_Auth), you need to do the following to change the password (note: I'm assuming that the problematic account is the one for Legacy_Auth, not Srp):
In firebird.conf, setting UserManager, ensure both user managers are listed:
UserManager = Srp, Legacy_UserManager
Restart Firebird
Change the password for both plugins:
alter user SYSDBA password '<new password>' using plugin Srp;
alter user SYSDBA password '<new password>' using plugin Legacy_UserManager;
Keep in mind: the legacy authentication plugin truncates passwords at 8 characters.
If you want to prevent authentication using the Legacy_Auth plugin entirely, then edit the firebird.conf and remove Legacy_Auth from the AuthServer setting (also check databases.conf if the database has a custom configuration).
I have asked a question on the firebird-devel mailing list about the inability to drop the Legacy_Auth SYSDBA account. The answer I got was that historically it was impossible to delete the SYSDBA account in older Firebird versions, so the Legacy_UserManager plugin explicitly disallows deleting SYSDBA (while Srp allows it). The workaround is to connect directly to the security database, and delete the user manually from the PLG$USERS table (which contains the Legacy_Auth users, Srp users are in PLG$SRP):
delete from plg$users where plg$user_name = 'SYSDBA';
You can connect to the security database using isql -user sysdba -password <yourpassword> security.db (assuming the security.db alias is defined in databases.conf, otherwise use the full path to your security3.fdb).
A slightly more obscure alternative would be to define a mapping that maps an authentication as SYSDBA using Legacy_Auth to a different (unprivileged) user (e.g. GUEST):
create global mapping NO_LEGACY_SYSDBA
using plugin Legacy_Auth
from user sysdba to user guest;
To drop the SYSDBA account for the Srp plugin, you only need to execute (as admin):
drop user SYSDBA using plugin Srp;
Upvotes: 3
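An added example, not part of the original answer: a small Python check that reads the text of firebird.conf and databases.conf and reports every place where Legacy_Auth (in AuthServer) or Legacy_UserManager (in UserManager) is listed, including per-database blocks. The sample file contents and the function names are constructed for illustration, and the parser is a simplified reading of the configuration syntax.

```python
import re

# Constructed sample configs for illustration (not from the page).
SAMPLE_FIREBIRD_CONF = """\
#AuthServer = Srp
AuthServer = Srp, Legacy_Auth
UserManager = Srp, Legacy_UserManager
"""
SAMPLE_DATABASES_CONF = """\
security.db = $(dir_secDb)/security3.fdb
employee = $(dir_sampleDb)/employee.fdb
{
    AuthServer = Legacy_Auth   # per-database override
}
"""

# Setting name (lower-cased) -> legacy plugin to look for in its value.
WATCHED = {"authserver": "Legacy_Auth", "usermanager": "Legacy_UserManager"}

def parse_settings(text):
    """Yield (scope, key, values); scope is 'global' or the alias owning a { } block."""
    scope, last_alias = "global", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if line == "{":
            scope = last_alias or "global"
        elif line == "}":
            scope = "global"
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if scope == "global":
                last_alias = key              # in databases.conf this is an alias
            yield scope, key, re.split(r"[,;\s]+", value)

def legacy_findings(text, source):
    """Return (source, scope, key, plugin) for each setting that lists a legacy plugin."""
    findings = []
    for scope, key, values in parse_settings(text):
        legacy = WATCHED.get(key.lower())
        if legacy and legacy.lower() in (v.lower() for v in values):
            findings.append((source, scope, key, legacy))
    return findings

if __name__ == "__main__":
    for name, text in (("firebird.conf", SAMPLE_FIREBIRD_CONF),
                       ("databases.conf", SAMPLE_DATABASES_CONF)):
        for finding in legacy_findings(text, name):
            print("%s [%s] %s lists %s" % finding)
```

A finding for AuthServer means a Legacy_Auth password can still be used to log in at that scope; settings that are absent or commented out are not reported, since the server default applies there.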