Re: Two factor authentication for Oracle Database?

From: Craig Hagan <hagan_at_cih.com>
Date: Thu, 3 Dec 2015 15:25:01 -0500
Message-ID: <CAFk4TtX=XXa=yt+eEB2mW0Bh+ui1pf1BqW+jC75fYo6uUD3bhQ_at_mail.gmail.com>



Can't recall if we had advanced security, I am pretty sure we did.

If there is enough interest, I'd be willing to find some time to clean up my code and make it available. OTOH, I'm pretty sure that FreeRADIUS now supports two factor. (It is nice being able to run it from a very tiny device w/o problem.)

On Thu, Dec 3, 2015 at 3:21 PM, Jeff Chirco <backseatdba_at_gmail.com> wrote:

> Yeah I think it does. We were thinking of implementing two-factor
> authentication to the database but only for DBAs. So as long as we use a
> separate sqlnet file this should work. And this assumes you have the
> Advanced Security option, right?
>
> Thank you.
>
> On Thu, Dec 3, 2015 at 11:29 AM, Andy Wattenhofer <watt0012_at_umn.edu>
> wrote:
>
>> The vendor product I have experience with is SafeWord. It is similar to
>> SecurID in that they give users "tokens" that generate the one-time
>> passwords.
>>
>> It is important to note that these are only for authentication. It is
>> like swapping out the internal authentication mechanism of the OS or DBMS
>> for an external, two-factor one. So after the user is authenticated, the OS
>> or DBMS does its normal thing and creates a user session.
>>
>> In the case of Linux, a PAM is installed for user authentication via
>> RADIUS. After authenticating, users are dropped into a regular ol' shell.
>> Every new session requires a new authentication just as with standard Linux
>> authentication.
>>
>> In Oracle DBMS, RADIUS configs are added to sqlnet.ora so that it may be
>> used as an external authentication service. Within the database, for users
>> created "identified externally," authentication is handed off to the RADIUS
>> central auth hub. Upon successful authentication, the user is dropped into
>> a regular ol' Oracle session.
>>
>> Make sense?
>>
>> Andy
>>
>> On Thu, Dec 3, 2015 at 11:15 AM, Jeff Chirco <backseatdba_at_gmail.com>
>> wrote:
>>
>>> Andy, are you saying that your Windows account or Linux account is set up
>>> with two-factor using SecurID? But if Oracle is identified externally,
>>> isn't that basically single sign-on?
>>>
>>> On Mon, Nov 30, 2015 at 9:36 AM, Andy Wattenhofer <watt0012_at_umn.edu>
>>> wrote:
>>>
>>>> I have implemented two-factor with a token system like SecurID and with
>>>> Duo. Both use RADIUS external authentication, so if you've implemented that
>>>> then you know everything you need to know. All Oracle users are "identified
>>>> externally," and their passwords are the individual's enterprise password
>>>> concatenated with the token value. You do not need Advanced Security option
>>>> for this.
>>>>
>>>> Andy
>>>>
>>>> On Mon, Nov 30, 2015 at 10:04 AM, Mark J. Bobak <mark_at_bobak.net> wrote:
>>>>
>>>>> Thanks Ilmar, I'll take a look at that. Much appreciated!
>>>>>
>>>>> On Mon, Nov 30, 2015, 10:46 Ilmar Kerm <ilmar.kerm_at_gmail.com> wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> When I implemented Radius login for our databases, I noticed that the
>>>>>> manual also talked about using Radius for two-factor authentication:
>>>>>> http://docs.oracle.com/cd/E25054_01/network.1111/e10746/asoradus.htm
>>>>>> Example: Synchronous Authentication with SecurID Token Cards
>>>>>>
>>>>>> Ilmar
>>>>>>
>>>>>> On Mon, Nov 30, 2015 at 4:32 PM, Mark J. Bobak <mark_at_bobak.net>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Has anyone ever configured two-factor authentication for Oracle DB
>>>>>>> login? Is it even possible? Part of Advanced Security or maybe Identity
>>>>>>> Management?
>>>>>>>
>>>>>>> I've just started Google searching, but there doesn't seem to be
>>>>>>> much out there.
>>>>>>>
>>>>>>> -Mark
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ilmar Kerm
>>>>>>
>>>>>
>

-- 
          .-    ... . -.-. .-. . -    -- . ... ... .- --. .

                            Craig I. Hagan
                           hagan(at)cih.com

‘I do not love the bright sword for its sharpness, nor the arrow for its
swiftness, nor the warrior for his glory. I love only that which they
defend.’
       - Faramir from J. R. R. Tolkien's The Lord of the Rings

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 03 2015 - 21:25:01 CET
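
Added example, not code from any poster in this thread: a small Python check of the sqlnet.ora RADIUS settings that the quoted replies describe, run against a constructed DBA-only file. The host name, the secret-file path and the function names are assumptions made for illustration.

```python
# Constructed sample of a DBA-only sqlnet.ora; host and path are placeholders.
SAMPLE_SQLNET = """\
# sqlnet.ora used only for DBA logins (constructed example)
SQLNET.AUTHENTICATION_SERVICES = (BEQ, RADIUS)
SQLNET.RADIUS_AUTHENTICATION = radius.example.internal
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_SECRET = /u01/app/oracle/network/security/radius.key
"""


def parse_sqlnet(text):
    """Return {PARAM: value} for one-line 'name = value' entries."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params


def auth_services(params):
    """Split '(BEQ, RADIUS)' into ['BEQ', 'RADIUS']."""
    raw = params.get("SQLNET.AUTHENTICATION_SERVICES", "")
    return [s.strip().upper() for s in raw.strip("()").split(",") if s.strip()]


def audit_radius(text):
    """List settings that are missing or malformed for RADIUS authentication."""
    params = parse_sqlnet(text)
    findings = []
    if "RADIUS" not in auth_services(params):
        findings.append("RADIUS missing from SQLNET.AUTHENTICATION_SERVICES")
    if not params.get("SQLNET.RADIUS_AUTHENTICATION"):
        findings.append("no RADIUS server in SQLNET.RADIUS_AUTHENTICATION")
    if not params.get("SQLNET.RADIUS_SECRET"):
        findings.append("SQLNET.RADIUS_SECRET (shared-secret file) not set")
    port = params.get("SQLNET.RADIUS_AUTHENTICATION_PORT")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("SQLNET.RADIUS_AUTHENTICATION_PORT is not a valid port")
    return findings


if __name__ == "__main__":
    for finding in audit_radius(SAMPLE_SQLNET) or ["no findings"]:
        print(finding)
```

The check only reads sqlnet.ora; whether each database account is created "identified externally" has to be verified inside the database.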
