Hi all,
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have configured it to use SSPI authentication. The client is on a Windows 7 machine and make the connections via ODBC using a DSN with psqlodbc driver version 9.03.04.00. Authentication works in this scenario for the user authenticated in the client machine. I am always using the same user for connections.
I used Wireshark in the configuration phase to analyze the traffic between the server and the client. It looks to me that in the authentication phase, the client always sends the same service ticket to postgresql server when a new connection is created, even when I create a new DSN pointing to the same server, it keeps sending the same service ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This not means a replay attack risk? I think that if SSL is not used by the connection, a malicious user could capture the authentication package which the client service ticket and then reuse it.
Thanks in advance
--
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have configured it to use SSPI authentication. The client is on a Windows 7 machine and make the connections via ODBC using a DSN with psqlodbc driver version 9.03.04.00. Authentication works in this scenario for the user authenticated in the client machine. I am always using the same user for connections.
I used Wireshark in the configuration phase to analyze the traffic between the server and the client. It looks to me that in the authentication phase, the client always sends the same service ticket to postgresql server when a new connection is created, even when I create a new DSN pointing to the same server, it keeps sending the same service ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This not means a replay attack risk? I think that if SSL is not used by the connection, a malicious user could capture the authentication package which the client service ticket and then reuse it.
Thanks in advance
--
