This document discusses the history and development of security in Firebird databases. It describes how security was initially approached for early versions of InterBase, then improvements made over time in Firebird versions 1.0 through 3.0. Key points covered include adding user authentication, addressing buffer overflows, implementing Windows trusted authentication, and plans for Firebird 3 to allow custom authentication plugins and mapping of operating system users to database roles.

13. Traditional authentication (client)‏ fbclient library isc_dpb_user_name isc_dpb_password ......... Environment variables isc_dpb_user_name isc_dpb_password ......... Login/password may be picked up from environment by client library ISC_USER=..

14. Traditional authentication (server)‏ Network listener Database engine Validation in security database isc_dpb_user_name isc_dpb_password ......... isc_dpb_user_name isc_dpb_password Validation is performed by DB engine

15. Trusted authentication (client)‏ isc_dpb_trusted ......... ......... ......... Environment variables fbclient library Client library automatically adds trusted auth request to DPB

16. Trusted Authentication (client)‏ ......... ......... isc_dpb_user_name isc_dpb_password ......... Environment variables fbclient library Login is picked up from environmnet (backward compatibility)‏ ISC_USER=..

17. Trusted Authentication (client)‏ isc_dpb_trusted isc_dpb_trusted ......... ......... Environment variables fbclient library Adding isc_dpb_trusted by application to force trusted auth. ISC_USER=..

18. Trusted Authentication (server)‏ isc_dpb_trusted Network listener .......... isc_dpb_trusted ......... DB engine Host OS validation (callback)‏ Network listener does all work, on success puts internal tag into DPB.

19. Trusted Authentication (server)‏ isc_dpb_trusted Network listener .......... isc_dpb_trusted ......... isc_dpb_trusted Host OS validation (callback)‏ DB engine Safe - network listener removes extra isc_dpb_trusted tags from DPB

28. OSRI (Open System Relational Interface)‏ Engine13 Yvalve Network listener User program (isql, php, etc.)‏ Engine8_12 Network redirector Providers Clients In FB3 we plan to have OSRI alive again. How does it affect auth?

29. IB, FB1, FB2 – user authentication is in engine Yvalve Network listener Engine “ rear entrance” is used to avoid recursion politically correct - InterBase 4, 5, 6 TLS – Firebird 1, 2 Authentication Engine needs a way to call itself for authentication purporses without authentication – avoiding infinite recursion

30. Firebird3 - user authentication in network listener Yvalve Network listener Providers Engine8_12 Engine13 Network redirector Authentication Plugins trusted zone Authenticator and plugins can easily use all our API – in-process access to it. No need in any “rare entrance”.

47. Thanks for your attention! www.firebirdsql.org