Thread: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?

When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?

From: dsteigne@redhat.com

We need mutual authentication via ODBC, looking into the psqlODBC driver to find where the Kerberos connection was getting created.  Here in sspisvcs.c the PerformKerberosEtcClientHandshake contains the set of SSPI flags being set on the request (held in the dwSSPIFlags variable).
This set is missing the flag required for mutual authentication (ISC_REQ_MUTUAL_AUTH).  Can this be added to your ODBC driver?

--
Regards,
Debbie Steigner
Red Hat Global Support Services
Principal Technical Support Engineer



Does anyone have a working solution that has Kerberos authentication working on the Windows-based pg-odbc driver? We believe the below flag is required for it to work correctly; can anybody weigh in on the options we have in terms of setting this flag without code modification? We are also looking to build locally to verify the solution.

Thanks

Ramesh..

----- Original Message -----
> We need mutual authentication via ODBC, looking into the psqlODBC driver to
> find where the Kerberos connection was getting created.  Here in sspisvcs.c
> the PerformKerberosEtcClientHandshake contains the set of SSPI flags being
> set on the request (held in the dwSSPIFlags variable).
> This set is missing the flag required for mutual authentication
> (ISC_REQ_MUTUAL_AUTH).  Can this be added to your ODBC driver?
>
> --
> Regards,
> Debbie Steigner
> Red Hat Global Support Services
> Principal Technical Support Engineer
>
>
>
> --
> Sent via pgsql-odbc mailing list (pgsql-odbc@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-odbc
>


Thank you, Lindsay.

The root of the question, after delving a little bit more: we did not find any properties to enable "Mutual Authentication" when using GSSAPI with the Windows ODBC driver. Can this be added to the code?

Thanks

Ramesh..


I have pg-odbc working with Windows SSPI authentication.  There is a guide online [1] that describes the key element: you need to run the postgres service as a domain user that you've registered as a security principal for that machine. If you need a service name other than POSTGRES there is a GUC setting for krbsrvname; set that and a corresponding SPN.

The only weird behaviour I've noticed is that, looking at security events in Windows event manager, after some time the client Kerberos authentication reverts to NTLMv1. I suspect that might be a problem between the pg domain user and AD though.

Also, connections never seem to pool but there's probably a good security reason for that.

[1] https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows

On 22 Jul 2015 1:12 am, "Ramesh Reddy" <rareddy@redhat.com> wrote:
Does anyone have a working solution that has Kerberos authentication working on the Windows-based pg-odbc driver? We believe the below flag is required for it to work correctly; can anybody weigh in on the options we have in terms of setting this flag without code modification? We are also looking to build locally to verify the solution.

Thanks

Ramesh..

Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?

From: Heikki Linnakangas
On 07/24/2015 08:56 PM, Ramesh Reddy wrote:
> Thank you, Lindsay.
>
> The root of the question, after delving a little bit more: we did not
> find any properties to enable "Mutual Authentication" when using
> GSSAPI with the Windows ODBC driver. Can this be added to the code?

psqlodbc uses libpq for authentication, so this is really a generic
libpq issue. Looking at the libpq code, it will actually always request
mutual authentication (by passing the GSS_C_MUTUAL_FLAG flag to
gss_init_sec_context), but it doesn't check the returned flags to ensure
that it got it. Which actually makes sense because there's a bigger
problem anyway: if the server doesn't request authentication at all,
libpq will happily just connect. The only way you can authenticate the
server is by using SSL, and using sslmode=verify-full or sslmode=verify-ca.

Yeah, it would be nice to do something about that. Patches to libpq are
welcome.

- Heikki
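
The two gaps described in the reply above (returned context flags never checked, and a server that requests no authentication at all still being accepted) can be expressed as one client-side decision. This is an added example, not code from libpq or psqlODBC; `check_server_auth` and the verdict names are hypothetical, and the message sequences are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AuthenticationRequest codes from the PostgreSQL v3 wire protocol. */
enum { AUTH_OK = 0, AUTH_GSS = 7, AUTH_GSS_CONT = 8, AUTH_SSPI = 9 };

/* GSS_C_MUTUAL_FLAG and ISC_RET_MUTUAL_AUTH share this bit value. */
#define MUTUAL_FLAG 0x2u

typedef enum { ACCEPT, NO_AUTH_REQUESTED, OTHER_METHOD,
               NOT_MUTUAL, PROTOCOL_ERROR, INCOMPLETE } verdict_t;

/* Hypothetical policy check. reqs[] holds the codes the server sent, in order;
 * ret_flags is what the last gss_init_sec_context / InitializeSecurityContext
 * call returned (only meaningful if a GSS/SSPI exchange took place). */
verdict_t check_server_auth(const int *reqs, size_t n, uint32_t ret_flags)
{
    int saw_gss = 0;
    for (size_t i = 0; i < n; i++) {
        switch (reqs[i]) {
        case AUTH_GSS:
        case AUTH_SSPI:
            saw_gss = 1;
            break;
        case AUTH_GSS_CONT:
            if (!saw_gss)
                return PROTOCOL_ERROR;     /* continue without a start */
            break;
        case AUTH_OK:
            if (!saw_gss)
                return NO_AUTH_REQUESTED;  /* server skipped authentication */
            return (ret_flags & MUTUAL_FLAG) ? ACCEPT : NOT_MUTUAL;
        default:
            return OTHER_METHOD;           /* e.g. password: server proves nothing */
        }
    }
    return INCOMPLETE;                     /* no AuthenticationOk seen */
}

int main(void)
{
    /* Constructed message sequences, not captured traffic. */
    const int trust[] = { AUTH_OK };
    const int sspi[]  = { AUTH_SSPI, AUTH_GSS_CONT, AUTH_OK };
    printf("no auth requested: %d\n", check_server_auth(trust, 1, 0));
    printf("sspi, no mutual:   %d\n", check_server_auth(sspi, 3, 0));
    printf("sspi, mutual:      %d\n", check_server_auth(sspi, 3, MUTUAL_FLAG));
    return 0;
}
```
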