From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Jacobo Vazquez <jvazquez(at)denodo(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Fwd: SSPI authentication ASC_REQ_REPLAY_DETECT flag |
Date: | 2015-04-01 01:06:26 |
Message-ID: | 20150401010625.GO3663@tamriel.snowman.net |
Lists: | pgsql-general pgsql-hackers pgsql-odbc |

Jacobo,
* Jacobo Vazquez (jvazquez(at)denodo(dot)com) wrote:
> Am I misunderstanding something or is this the expected behavior? Doesn't
> this mean a replay attack risk? I think that if SSL is not used by the
> connection, a malicious user could capture the authentication package with
> the client service ticket and then reuse it.
It's not entirely clear to me what you're getting at here, but Kerberos
service tickets are *intended* to be re-used up until they are invalid
due to their lifetime limit. That's why they have a lifetime. If you
don't want them to be reused, make their lifetime very short, but you'll
end up creating a huge additional load on your KDC that way for very
little gain.

Note that this is entirely independent of a replay attack risk, which is
addressed by the resource server checking if the timestamp in the
authenticator being provided is the same as the last one (it should be
denied if it is). Further, the timestamp in the authenticator has to be
within 5 minutes or it'll also be denied.
Thanks,
Stephen
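The two checks described above (reject an authenticator whose timestamp has already been seen, reject one whose timestamp is more than 5 minutes from the server's clock) as a small model in Python. This is an added example, not PostgreSQL, MIT Kerberos, Heimdal or SSPI code; the `ApReq`/`ReplayCache` names, the ticket label and the principal are constructed for the demo. It also shows the distinction Stephen draws: the same service ticket presented again with a fresh authenticator is accepted, while a byte-for-byte resend of an earlier authenticator is not.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Authenticators whose timestamp differs from the server's clock by more than
# this window are rejected (the "within 5 minutes" rule in the message above).
MAX_CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class ApReq:
    """Minimal stand-in for an AP-REQ: a reusable service ticket plus a fresh authenticator."""
    ticket_id: str      # constructed label for the service ticket, not a real ticket
    client: str         # client principal named in the authenticator
    ctime: datetime     # authenticator timestamp, set by the client
    cusec: int          # authenticator microseconds field


class ReplayCache:
    """Hypothetical model of the resource server's replay check (not a real library's cache)."""

    def __init__(self, skew: timedelta = MAX_CLOCK_SKEW) -> None:
        self.skew = skew
        # (client, ctime, cusec) -> server time at which it was first accepted
        self._seen: dict[tuple[str, datetime, int], datetime] = {}

    def _expire(self, now: datetime) -> None:
        # Entries older than the skew window would fail the timestamp check anyway,
        # so the cache only has to remember the recent past.
        cutoff = now - self.skew
        self._seen = {k: t for k, t in self._seen.items() if k[1] >= cutoff}

    def check(self, req: ApReq, now: datetime) -> tuple[bool, str]:
        """Decide whether to accept the AP-REQ. Returns (accepted, reason)."""
        self._expire(now)
        if abs(now - req.ctime) > self.skew:
            return False, "clock skew too great"
        # The replay key is the authenticator, not the ticket: the same ticket may be
        # presented many times during its lifetime, each time with a new authenticator.
        key = (req.client, req.ctime, req.cusec)
        if key in self._seen:
            return False, "replay detected"
        self._seen[key] = now
        return True, "accepted"


def run_demo() -> list[str]:
    """Constructed scenario: one service ticket, several AP-REQs built from it."""
    cache = ReplayCache()
    now = datetime(2015, 4, 1, 1, 6, 26, tzinfo=timezone.utc)  # constructed server clock
    ticket = "ticket-for-postgres/db.example.org"               # constructed ticket label
    client = "jacobo@EXAMPLE.ORG"                              # constructed principal

    first = ApReq(ticket, client, now - timedelta(seconds=3), 120000)
    replay = first                                                        # captured and resent verbatim
    fresh = ApReq(ticket, client, now - timedelta(seconds=1), 450000)    # same ticket, new authenticator
    stale = ApReq(ticket, client, now - timedelta(minutes=10), 0)        # outside the 5-minute window

    results = []
    for label, req in [("first", first), ("replay", replay), ("fresh", fresh), ("stale", stale)]:
        _, reason = cache.check(req, now)
        results.append(f"{label}: {reason}")
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The cache is keyed on the authenticator's (client, timestamp, microseconds) triple rather than on the ticket, which is why ticket reuse within its lifetime and authenticator replay are separate questions: shortening ticket lifetimes does nothing for replay, and the replay cache does nothing to stop legitimate reuse of a still-valid ticket.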