The ACCSECRD (Access Security Reply Data) packet is sent by the server as part of the authentication process, in response to an ACCSEC request. It contains information about encryption and security, and should not be modified, except by advanced users.
SECMEC [List<int>]: the code for the security mechanism(s); one or more numbers indicating the security mechanism(s) the server accepts.
SECMECstring [string]: a string containing the comma-separated values of SECMEC, decoded. Read-only.
For instance: USRIDPWD, USRIDNWPWD
SECMECfull [string]: a string containing the comma-separated values of SECMEC, decoded verbosely. Read-only.
For instance: USRIDPWD - User ID and Password Security Mechanism, USRIDNWPWD - User ID, Password, and New Password Security Mechanism
addSECMEC(int): make sure that SECMEC includes the provided code
removeSECMEC(int): make sure SECMEC does not include the provided code
Valid values for SECMEC are:
1: DCESEC - Distributed Computing Environment
3: USRIDPWD - User ID and Password Security Mechanism
4: USRIDONL - User ID Only Security Mechanism
5: USRIDNWPWD - User ID, Password, and New Password Security Mechanism
6: USRSBSPWD - User ID with Substitute Password
7: USRENCPWD - User ID with Encrypted Password
8: USRSSBPWD - User ID with Strong Password Substitute
9: EUSRIDPWD - Encrypted User ID and Password Security Mechanism
10: EUSRIDNWPWD - Encrypted User ID, Password, New Password Security Mechanism
11: KERSEC - Kerberos Security
12: EUSRIDDTA - Encrypted User ID and Security-Sensitive Data Security Mechanism
13: EUSRPWDDTA - Encrypted User ID, Password, and Security-sensitive Data Security Mechanism
14: EUSRNPWDDTA - Encrypted User ID, Password, New Password, and Security-sensitive Data Security Mechanism
15: PLGIN - Plug-in Security
16: EUSRIDONL - Encrypted User ID Only
When this packet is received, the name of the database user is not yet known, so filters do not have access to it for this type of packet.
If we wanted to make sure that a connection does not change its password, we could make sure that USRIDNWPWD is not in the list with:
log.debug("Security mechanisms that the server accepts: " + context.packet.SECMECstring);
context.packet.removeSECMEC(5);
However, if the server responded with only that one code, we cannot leave the list empty, so we'll also make sure the list contains USRIDPWD:
context.packet.removeSECMEC(5);
context.packet.addSECMEC(3);
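The same idea extended to every new-password mechanism in the table above (codes 5, 10 and 14), as an added example that is not part of the original documentation. makeMockPacket is a hypothetical stand-in for context.packet that models SECMEC as a plain array, and the fallback pairing (5 to 3, 10 to 9, 14 to 13) is an assumption drawn from the mechanism names; a fallback is added only when the list would otherwise be empty.

```javascript
// New-password mechanisms and the counterpart without a new password.
// Codes and names come from the SECMEC table on this page; the pairing
// itself is an assumption based on the mechanism names.
const NEW_PASSWORD_FALLBACK = new Map([
  [5, 3],   // USRIDNWPWD  -> USRIDPWD
  [10, 9],  // EUSRIDNWPWD -> EUSRIDPWD
  [14, 13], // EUSRNPWDDTA -> EUSRPWDDTA
]);

// Hypothetical stand-in for context.packet so the example runs offline.
// It models only SECMEC, addSECMEC and removeSECMEC as described above.
function makeMockPacket(codes) {
  return {
    SECMEC: [...codes],
    addSECMEC(code) {
      if (!this.SECMEC.includes(code)) this.SECMEC.push(code);
    },
    removeSECMEC(code) {
      this.SECMEC = this.SECMEC.filter((c) => c !== code);
    },
  };
}

// Remove every mechanism that lets the client set a new password.
// Returns the list of codes that were removed.
function stripNewPasswordMechanisms(packet) {
  const removed = [];
  for (const code of [...packet.SECMEC]) {
    if (NEW_PASSWORD_FALLBACK.has(code)) {
      packet.removeSECMEC(code);
      removed.push(code);
    }
  }
  // The list cannot be left empty: if the server offered nothing else,
  // put back the counterpart of each removed mechanism.
  if (packet.SECMEC.length === 0) {
    for (const code of removed) {
      packet.addSECMEC(NEW_PASSWORD_FALLBACK.get(code));
    }
  }
  return removed;
}

// Constructed sample reply: the server offers 3, 5, 9 and 10.
const sample = makeMockPacket([3, 5, 9, 10]);
const removedCodes = stripNewPasswordMechanisms(sample);
console.log("removed:", removedCodes.join(","), "remaining:", sample.SECMEC.join(","));
```

In a real filter, the function would be called with context.packet instead of the mock.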