Thread: [BUG] SSPI authentication fails on Windows when server parameter is localhost or domain name

Hi All,

I faced a bug on Windows while connecting via SSPI authentication. I was able to find the bug and have attached the patch. Details listed below;

Postgres Installer: Version 9.0.4
OS: Windows Server 2008 R2/Windows 7

Bug Description:
=============
If the database server is running on Windows ('Server 2008 R2' or 'Windows 7') with authentication mode SSPI and one tries to connect from the same machine via 'psql' with the server parameter as 'localhost' or 'fully qualified domain name', the database throws an error;

psql: FATAL:  could not get token from SSPI security context
DETAIL:  The function requested is not supported
 (80090302)

But, if assigned IP address is supplied or 127.0.0.1 is supplied instead of 'localhost' or 'fully qualified domain name' then connection is made successfully.

There is another related behavior: if multiple consecutive connection attempts are made with the server parameter as 'localhost' or 'fully qualified domain name', then at least one out of five failed attempts results in abnormal termination of the server process. For example, from the command prompt issue 'psql.exe -h localhost' five times consecutively; you should get the following error as well;
        psql: server closed the connection unexpectedly
            This probably means the server terminated abnormally
            before or while processing the request.


Steps To Reproduce The Error:
========================
On Windows Server 2008 R2 (or Windows 7 32-bit);
1) Create Windows user <username>
2) Log in as that user
3) Install PostgreSQL 9.0.4
4) Change pg_hba.conf to have the following top lines:
    host all <username> 0.0.0.0/0 sspi
    host all <username> ::/0 sspi
5) In Postgres, create user <username> and make them a superuser (just for convenience)
6) Using psql, try the following:
    psql -h <hostname> postgres

Try variations such as: localhost, <domainname>, <fully-qualified domain name on network>

This should produce following error;

    psql: FATAL:  could not get token from SSPI security context
    DETAIL:  The function requested is not supported
    (80090302)



Description of Fix:
==============
The 'src\backend\libpq\auth.c' has a function pg_SSPI_recvauth() that initializes the SSPI (NTLM) and then begins exchanging tokens with the client (e.g., libpq). First the SSPI credential handle is obtained, then the client's side tokens are fed to AcceptSecurityContext() and data obtained from AcceptSecurityContext() is sent back to the client; this keeps on going until the authentication is completed. Once the authentication is completed, the sspictx handle is disposed after taking the token with its reference.

I observed (server logs attached) that in case of client connecting via IP address, the NTLM requires only three packets exchange (1st packet from client, second from server, and third again from client), but in case of connecting via 'localhost' or 'domain name', the NTLM based packets exchange goes beyond count of three packets. In this particular case, the sspictx does not get updated as the code expects only one complete loop iteration or the code expects that NTLM does not change the sspictx, which it does. Now, even when NTLM authentication completes successfully, the server fails to acquire the token as it asks NTLM for token by supplying an un-updated sspictx.

The patch fixes the issue by making sure that sspictx is updated with every call to AcceptSecurityContext().



Regards,
Ahmed
Attachment
On Wed, Jun 15, 2011 at 10:53 AM, Ahmed Shinwari
<ahmed.shinwari@gmail.com> wrote:
> Hi All,
>
> I faced a bug on Windows while connecting via SSPI authentication. I was
> able to find the bug and have attached the patch. Details listed below;
>
> Postgres Installer: Version 9.0.4
> OS: Windows Server 2008 R2/Windows 7
>
> Bug Description:
> =============
> If database Server is running on Windows ('Server 2008 R2' or 'Windows 7')
> with authentication mode SSPI and one tries to connect from the same machine
> via 'psql' with server parameter as 'localhost' or 'fully qualified domain
> name', the database throws error;

I've been able to reproduce this issue, and the patch does indeed fix
it. One of our customers has also confirmed it fixed it for them.


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


On 15 June 2011 12:16, Dave Page <dpage@pgadmin.org> wrote:
> On Wed, Jun 15, 2011 at 10:53 AM, Ahmed Shinwari
> <ahmed.shinwari@gmail.com> wrote:
>> Hi All,
>>
>> I faced a bug on Windows while connecting via SSPI authentication. I was
>> able to find the bug and have attached the patch. Details listed below;
>>
>> Postgres Installer: Version 9.0.4
>> OS: Windows Server 2008 R2/Windows 7
>>
>> Bug Description:
>> =============
>> If database Server is running on Windows ('Server 2008 R2' or 'Windows 7')
>> with authentication mode SSPI and one tries to connect from the same machine
>> via 'psql' with server parameter as 'localhost' or 'fully qualified domain
>> name', the database throws error;
>
> I've been able to reproduce this issue, and the patch does indeed fix
> it. One of our customers has also confirmed it fixed it for them.

I can confirm this affects versions back to 8.3.

-- 
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


On Fri, Jun 17, 2011 at 6:32 AM, Thom Brown <thom@linux.com> wrote:
> On 15 June 2011 12:16, Dave Page <dpage@pgadmin.org> wrote:
>> On Wed, Jun 15, 2011 at 10:53 AM, Ahmed Shinwari
>> <ahmed.shinwari@gmail.com> wrote:
>>> Hi All,
>>>
>>> I faced a bug on Windows while connecting via SSPI authentication. I was
>>> able to find the bug and have attached the patch. Details listed below;
>>>
>>> Postgres Installer: Version 9.0.4
>>> OS: Windows Server 2008 R2/Windows 7
>>>
>>> Bug Description:
>>> =============
>>> If database Server is running on Windows ('Server 2008 R2' or 'Windows 7')
>>> with authentication mode SSPI and one tries to connect from the same machine
>>> via 'psql' with server parameter as 'localhost' or 'fully qualified domain
>>> name', the database throws error;
>>
>> I've been able to reproduce this issue, and the patch does indeed fix
>> it. One of our customers has also confirmed it fixed it for them.
>
> I can confirm this affects versions back to 8.3.

Seems like we'd better try to get this committed before the next set
of minor releases (and ideally also before 9.1beta3).

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


On Wed, Jun 15, 2011 at 10:53, Ahmed Shinwari <ahmed.shinwari@gmail.com> wrote:
> Hi All,
>
> I faced a bug on Windows while connecting via SSPI authentication. I was
> able to find the bug and have attached the patch. Details listed below;
>
> Postgres Installer: Version 9.0.4
> OS: Windows Server 2008 R2/Windows 7

<big snip>

Thanks - great analysis!

However, I think there is a better fix for this - simply moving a }
one line. In particular, I'm concerned about passing the same pointer
both as input and output to the function - I couldn't find anything in
the documentation saying this was safe (nor did I find anything saying
it's unsafe, but.) Especially since this code clearly behaves
different on different versions - I've been completely unable to
reproduce this on any of my test machines, but they are all Windows
Server 2003.

So - attached is a new version of the patch, how does this look to
you? FYI, I've had Thom test this new version and it does appear to
work fine in his scenario.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Attachment
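
The failure mode discussed in this thread, as an added toy model in C (not code from the thread, the attached patches or PostgreSQL): a server loop that keeps only the context handle from its first call, next to one that copies the output handle after every call. `ToyCtx`, `toy_accept`, `toy_query_token` and `handshake` are hypothetical stand-ins, not the SSPI API, and the provider re-issuing the handle on the third call is a constructed assumption.

```c
#include <stdio.h>

/* Toy stand-ins, NOT the Windows SSPI API. */
typedef struct { unsigned long id; } ToyCtx;
enum { TOY_OK = 0, TOY_CONTINUE = 1, TOY_UNSUPPORTED = -1 };

static unsigned long live_id;   /* the only handle the toy provider accepts */

/* One server-side call. Constructed assumption: the provider re-issues
 * the handle on the third call, as in the longer exchange. */
static int toy_accept(const ToyCtx *in, ToyCtx *out, int call, int calls)
{
    if (in != NULL && in->id != live_id)
        return TOY_UNSUPPORTED;          /* stale input handle */
    live_id = (call >= 3) ? 100UL + call : 100UL;
    out->id = live_id;
    return call < calls ? TOY_CONTINUE : TOY_OK;
}

/* Token lookup after authentication; only the current handle works. */
static int toy_query_token(const ToyCtx *ctx)
{
    return ctx->id == live_id ? TOY_OK : TOY_UNSUPPORTED;
}

/* update_every_call = 0: keep only the handle from the first call.
 * update_every_call = 1: copy the output handle after every call. */
static int handshake(int calls, int update_every_call)
{
    ToyCtx saved = {0}, fresh = {0};
    int have_ctx = 0, r = TOY_CONTINUE;
    for (int call = 1; r == TOY_CONTINUE; call++) {
        r = toy_accept(have_ctx ? &saved : NULL, &fresh, call, calls);
        if (r < 0)
            return r;
        if (!have_ctx || update_every_call)
            saved = fresh;               /* separate input and output handles */
        have_ctx = 1;
    }
    return toy_query_token(&saved);
}

int main(void)
{
    printf("2 calls, first handle only: %d\n", handshake(2, 0));
    printf("3 calls, first handle only: %d\n", handshake(3, 0));
    printf("3 calls, updated each call: %d\n", handshake(3, 1));
    return 0;
}
```

In this model the short exchange succeeds either way, which is why a loop that stores the handle once can pass testing and still fail when the exchange runs longer.
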
Hi,

My apologies for a very late reply.

I agree the fix you applied is a better one. I have verified the fix by testing the 'postgresql-9.1.1-1-windows-x64' installer.

Thank you.

On Thu, Jul 14, 2011 at 7:23 PM, Magnus Hagander <magnus@hagander.net> wrote:
> On Wed, Jun 15, 2011 at 10:53, Ahmed Shinwari <ahmed.shinwari@gmail.com> wrote:
>> Hi All,
>>
>> I faced a bug on Windows while connecting via SSPI authentication. I was
>> able to find the bug and have attached the patch. Details listed below;
>>
>> Postgres Installer: Version 9.0.4
>> OS: Windows Server 2008 R2/Windows 7
>
> <big snip>
>
> Thanks - great analysis!
>
> However, I think there is a better fix for this - simply moving a }
> one line. In particular, I'm concerned about passing the same pointer
> both as input and output to the function - I couldn't find anything in
> the documentation saying this was safe (nor did I find anything saying
> it's unsafe, but.) Especially since this code clearly behaves
> different on different versions - I've been completely unable to
> reproduce this on any of my test machines, but they are all Windows
> Server 2003.
>
> So - attached is a new version of the patch, how does this look to
> you? FYI, I've had Thom test this new version and it does appear to
> work fine in his scenario.
>
> --
>  Magnus Hagander
>  Me: http://www.hagander.net/
>  Work: http://www.redpill-linpro.com/
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers

-- 
Ahmed Shinwari
EnterpriseDB Corporation : www.enterprisedb.com
The Enterprise Postgres Company