Thread: Fwd: SSPI authentication ASC_REQ_REPLAY_DETECT flag
Hi all,
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have configured it to use SSPI authentication. The client is on a Windows 7 machine and make the connections via ODBC using a DSN with psqlodbc driver version 9.03.04.00. Authentication works in this scenario for the user authenticated in the client machine. I am always using the same user for connections.
I used Wireshark in the configuration phase to analyze the traffic between the server and the client. It looks to me that in the authentication phase, the client always sends the same service ticket to postgresql server when a new connection is created, even when I create a new DSN pointing to the same server, it keeps sending the same service ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This not means a replay attack risk? I think that if SSL is not used by the connection, a malicious user could capture the authentication package which the client service ticket and then reuse it.
Thanks in advance
--
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have configured it to use SSPI authentication. The client is on a Windows 7 machine and make the connections via ODBC using a DSN with psqlodbc driver version 9.03.04.00. Authentication works in this scenario for the user authenticated in the client machine. I am always using the same user for connections.
I used Wireshark in the configuration phase to analyze the traffic between the server and the client. It looks to me that in the authentication phase, the client always sends the same service ticket to postgresql server when a new connection is created, even when I create a new DSN pointing to the same server, it keeps sending the same service ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This not means a replay attack risk? I think that if SSL is not used by the connection, a malicious user could capture the authentication package which the client service ticket and then reuse it.
Thanks in advance
--
--
|
Jacobo, * Jacobo Vazquez (jvazquez@denodo.com) wrote: > Am I misunderstanding something or is this the expected behavior? This > not means a replay attack risk? I think that if SSL is not used by the > connection, a malicious user could capture the authentication package which > the client service ticket and then reuse it. It's not entirely clear to me what you're getting at here, but Kerberos service tickets are *intended* to be re-used up until they are invalid due to their lifetime limit. That's why they have a lifetime. If you don't want them to be reused, make their lifetime very short, but you'll end up creating a huge additional load on your KDC that way for very little gain.. Note that this is entirely independent of a replay attack risk, which is addressed by the resource server checking if the timestamp in the authenticator being provided is the same as the last one (it should be denied if it is). Further, the timestamp in the authenticator has to be within 5 minutes or it'll also be denied. Thanks, Stephen