SSPI authentication ASC_REQ_REPLAY_DETECT flag
Hi all,
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have
configured it to use SSPI authentication. The client is on a Windows 7
machine and make the connections via ODBC using a DSN with psqlodbc driver
version 9.03.04.00. Authentication works in this scenario for the user
authenticated in the client machine. I am always using the same user for
connections.
I used Wireshark in the configuration phase to analyze the traffic
between the server and the client. It looks to me that in the
authentication phase, the client always sends the same service ticket to
postgresql server when a new connection is created, even when I create a
new DSN pointing to the same server, it keeps sending the same service
ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks
like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This
not means a replay attack risk? I think that if SSL is not used by the
connection, a malicious user could capture the authentication package which
the client service ticket and then reuse it.
Thanks in advance
--
Hi all,
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have
configured it to use SSPI authentication. The client is on a Windows 7
machine and make the connections via ODBC using a DSN with psqlodbc driver
version 9.03.04.00. Authentication works in this scenario for the user
authenticated in the client machine. I am always using the same user for
connections.
I used Wireshark in the configuration phase to analyze the traffic
between the server and the client. It looks to me that in the
authentication phase, the client always sends the same service ticket to
postgresql server when a new connection is created, even when I create a
new DSN pointing to the same server, it keeps sending the same service
ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks
like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This
not means a replay attack risk? I think that if SSL is not used by the
connection, a malicious user could capture the authentication package which
the client service ticket and then reuse it.
Thanks in advance
--
--
*Jacobo Vázquez Lorenzo*
Product Development
Denodo Technologies
(+34) 981 10 02 00 Phone
jvazquez@denodo.com
www.denodo.com Legal Notice
The message is intended for the addresses only and its contents and any
attached files are strictly confidential.
If you have received it in error, please remove this mail and contact
postmaster@denodo.com.
Thank you.
Jacobo,
* Jacobo Vazquez (jvazquez@denodo.com) wrote:
Am I misunderstanding something or is this the expected behavior? This
not means a replay attack risk? I think that if SSL is not used by the
connection, a malicious user could capture the authentication package which
the client service ticket and then reuse it.
It's not entirely clear to me what you're getting at here, but Kerberos
service tickets are *intended* to be re-used up until they are invalid
due to their lifetime limit. That's why they have a lifetime. If you
don't want them to be reused, make their lifetime very short, but you'll
end up creating a huge additional load on your KDC that way for very
little gain..
Note that this is entirely independent of a replay attack risk, which is
addressed by the resource server checking if the timestamp in the
authenticator being provided is the same as the last one (it should be
denied if it is). Further, the timestamp in the authenticator has to be
within 5 minutes or it'll also be denied.
Thanks,
Stephen