Hi all,
I installed PostgreSQL 9.3 on a Windows Server 2012 and I have
configured it to use SSPI authentication. The client is on a Windows 7
machine and make the connections via ODBC using a DSN with psqlodbc driver
version 9.03.04.00. Authentication works in this scenario for the user
authenticated in the client machine. I am always using the same user for
connections.
I used Wireshark in the configuration phase to analyze the traffic
between the server and the client. It looks to me that in the
authentication phase, the client always sends the same service ticket to
postgresql server when a new connection is created, even when I create a
new DSN pointing to the same server, it keeps sending the same service
ticket.
Analyzing the source code, in the file src/backend/libpq/auth.c looks
like the server is not checking if the service ticket is reused:
r = AcceptSecurityContext(&sspicred,
sspictx,
&inbuf,
ASC_REQ_ALLOCATE_MEMORY,
SECURITY_NETWORK_DREP,
&newctx,
&outbuf,
&contextattr,
NULL);
The fourth parameter is not using the ASC_REQ_REPLAY_DETECT flag.
Am I misunderstanding something or is this the expected behavior? This
not means a replay attack risk? I think that if SSL is not used by the
connection, a malicious user could capture the authentication package which
the client service ticket and then reuse it.
Thanks in advance
--
