| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Ramesh Reddy <rareddy(at)redhat(dot)com>, Lindsay Stevens <lindsay(dot)stevens(dot)au(at)gmail(dot)com>, pgsql-odbc(at)postgresql(dot)org |
| Subject: | Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable? |
| Date: | 2015-07-24 19:53:35 |
| Message-ID: | 55B297BF.4010000@iki.fi |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-odbc |
On 07/24/2015 08:56 PM, Ramesh Reddy wrote:
> Thanks you Lindsay.
>
> The root of the question after delving little bit more, we did not
> find any properties to enable "Mutual Authentication" when using
> GSSAPI with Windows ODBC driver. Can this be added to the code?
psqlodbc uses libpq for authentication, so this is really a generic
libpq issue. Looking at the libpq code, it will actually always request
mutual authentication (by passing the GSS_C_MUTUAL_FLAG flag to
gss_init_sec_context), but it doesn't check the returned flags to ensure
that it got it. Which actually makes sense because there's a bigger
problem anyway: if the server doesn't request authentication at all,
libpq will happily just connect. The only way you can authenticate the
server is by using SSL, and using sslmode=verify-full or sslmode=verify-ca.
Yeah, it would be nice to do something about that. Patches to libpq are
welcome.
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jens Sorensen (Intuii) | 2015-07-25 11:20:54 | PSQLODBC.DLL - The (maximum) expected data length is 8000, while the returned data length is 9606. |
| Previous Message | Ramesh Reddy | 2015-07-24 17:56:28 | Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable? |