Re: Two factor authentication for Oracle Database?

From: Andy Wattenhofer <watt0012_at_umn.edu>
Date: Thu, 3 Dec 2015 13:29:12 -0600
Message-ID: <CAFU3ey6q05B5ZZTKagoPb2D2GEM++it1qbUsL4YCJ4oEnkE9qA_at_mail.gmail.com>



The vendor product I have experience with is SafeWord. It is similar to SecurID in that they give users "tokens" that generate the one-time passwords.

It is important to note that these are only for authentication. It is like swapping out the internal authentication mechanism of the OS or DBMS for an external, two-factor one. So after the user is authenticated, the OS or DBMS does its normal thing and creates a user session.

In the case of Linux, a PAM is installed for user authentication via RADIUS. After authenticating, users are dropped into a regular ol' shell. Every new session requires a new authentication just as with standard Linux authentication.

In Oracle DBMS, RADIUS configs are added to sqlnet.ora so that it may be used as an external authentication service. Within the database, for users created "identified externally," authentication is handed off to the RADIUS central auth hub. Upon successful authentication, the user is dropped into a regular ol' Oracle session.

Make sense?

Andy

On Thu, Dec 3, 2015 at 11:15 AM, Jeff Chirco <backseatdba_at_gmail.com> wrote:

> Andy, are you saying that your Windows account or Linux account is set up
> with two-factor using SecurID? But if Oracle is identified externally,
> isn't that basically single sign-on?
>
> On Mon, Nov 30, 2015 at 9:36 AM, Andy Wattenhofer <watt0012_at_umn.edu>
> wrote:
>
>> I have implemented two-factor with a token system like SecurID and with
>> Duo. Both use RADIUS external authentication, so if you've implemented that
>> then you know everything you need to know. All Oracle users are "identified
>> externally," and their passwords are the individual's enterprise password
>> concatenated with the token value. You do not need Advanced Security option
>> for this.
>>
>> Andy
>>
>> On Mon, Nov 30, 2015 at 10:04 AM, Mark J. Bobak <mark_at_bobak.net> wrote:
>>
>>> Thanks Ilmar, I'll take a look at that. Much appreciated!
>>>
>>> On Mon, Nov 30, 2015, 10:46 Ilmar Kerm <ilmar.kerm_at_gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> When I implemented Radius login for our databases, I noticed that the
>>>> manual also talked about using Radius for two-factor authentication:
>>>> http://docs.oracle.com/cd/E25054_01/network.1111/e10746/asoradus.htm
>>>> Example: Synchronous Authentication with SecurID Token Cards
>>>>
>>>> Ilmar
>>>>
>>>> On Mon, Nov 30, 2015 at 4:32 PM, Mark J. Bobak <mark_at_bobak.net> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Has anyone ever configured two-factor authentication for Oracle DB
>>>>> login? Is it even possible? Part of Advanced Security or maybe Identity
>>>>> Management?
>>>>>
>>>>> I've just started Google searching, but there doesn't seem to be much
>>>>> out there.
>>>>>
>>>>> -Mark
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ilmar Kerm
>>>>
>>>

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 03 2015 - 20:29:12 CET
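
An added example, not part of the thread: a small Python check of the two pieces Andy describes, the RADIUS settings in sqlnet.ora and accounts created "identified externally", to list logins that would still bypass the second factor. The sqlnet.ora text, host name, key path and user rows are constructed, the function names are hypothetical, and the parser handles only single-line NAME = value entries.

```python
# Constructed sample sqlnet.ora (host name and key path are placeholders).
SAMPLE_SQLNET = """\
# server-side sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (BEQ, RADIUS)
SQLNET.RADIUS_AUTHENTICATION = radius.example.internal
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_SECRET = /u01/app/oracle/network/security/radius.key
"""

# Constructed rows shaped like: SELECT username, authentication_type FROM dba_users
SAMPLE_USERS = [("ALICE", "EXTERNAL"), ("BOB", "PASSWORD"), ("APP_RO", "PASSWORD")]


def parse_sqlnet(text):
    """Return {PARAM: [values]} from sqlnet.ora text (simple NAME = value lines)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        # "(BEQ, RADIUS)" and "host" both become a list of items
        items = [v.strip() for v in value.strip().strip("()").split(",") if v.strip()]
        params[name.strip().upper()] = items
    return params


def audit(sqlnet_text, users):
    """List findings that would leave a login outside the RADIUS second factor."""
    p = parse_sqlnet(sqlnet_text)
    findings = []
    services = [s.upper() for s in p.get("SQLNET.AUTHENTICATION_SERVICES", [])]
    if "RADIUS" not in services:
        findings.append("RADIUS missing from SQLNET.AUTHENTICATION_SERVICES")
    # Policy assumed for this example: server and secret file are named explicitly.
    for required in ("SQLNET.RADIUS_AUTHENTICATION", "SQLNET.RADIUS_SECRET"):
        if not p.get(required):
            findings.append(f"{required} is not set explicitly")
    # Accounts not "identified externally" still log in with a database password.
    for name, auth_type in users:
        if auth_type.upper() != "EXTERNAL":
            findings.append(f"user {name} authenticates by {auth_type}, not externally")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SQLNET, SAMPLE_USERS):
        print(finding)
```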
