Re: Two factor authentication for Oracle Database?

From: Andy Wattenhofer <watt0012_at_umn.edu>
Date: Thu, 3 Dec 2015 15:06:55 -0600
Message-ID: <CAFU3ey467YsmsAyOZo=owVVcS2i1tLG5o82oNVwuD1LZtGAyUw_at_mail.gmail.com>



Oh, and the Advanced Security option is no longer required for RADIUS or Kerberos auth.

On Thu, Dec 3, 2015 at 3:01 PM, Andy Wattenhofer <watt0012_at_umn.edu> wrote:

> Any databases that will be using two-factor *must* have the RADIUS
> parameters in their sqlnet.ora. Use sqlnet.authentication_services
> parameter to support more than one auth service, e.g.
>
> SQLNET.AUTHENTICATION_SERVICES=(BEQ,RADIUS,NONE)
>
>
> Any clients that will be using two-factor *must* have RADIUS as one of
> their auth services in their own sqlnet.ora, as in the above example.
>
> The MOS reference note is 132820.1 Enabling RADIUS Authentication and
> Accounting
> <https://support.oracle.com/epmos/faces/DocumentDisplay?id=132820.1>
>
>
>
> On Thu, Dec 3, 2015 at 2:21 PM, Jeff Chirco <backseatdba_at_gmail.com> wrote:
>
>> Yeah I think it does. We were thinking of implementing two-factor
>> authentication to the database but only for DBAs. So as long as we use a
>> separate sqlnet file this should work. And this assumes you have the
>> Advanced Security option, right?
>>
>> Thank you.
>>
>> On Thu, Dec 3, 2015 at 11:29 AM, Andy Wattenhofer <watt0012_at_umn.edu>
>> wrote:
>>
>>> The vendor product I have experience with is SafeWord. It is similar to
>>> SecurID in that they give users "tokens" that generate the one-time
>>> passwords.
>>>
>>> It is important to note that these are only for authentication. It is
>>> like swapping out the internal authentication mechanism of the OS or DBMS
>>> for an external, two-factor one. So after the user is authenticated, the OS
>>> or DBMS does its normal thing and creates a user session.
>>>
>>> In the case of Linux, a PAM is installed for user authentication via
>>> RADIUS. After authenticating, users are dropped into a regular ol' shell.
>>> Every new session requires a new authentication just as with standard Linux
>>> authentication.
>>>
>>> In Oracle DBMS, RADIUS configs are added to sqlnet.ora so that it may be
>>> used as an external authentication service. Within the database, for users
>>> created "identified externally," authentication is handed off to the RADIUS
>>> central auth hub. Upon successful authentication, the user is dropped into
>>> a regular ol' Oracle session.
>>>
>>> Make sense?
>>>
>>> Andy
>>>
>>> On Thu, Dec 3, 2015 at 11:15 AM, Jeff Chirco <backseatdba_at_gmail.com>
>>> wrote:
>>>
>>>> Andy, are you saying that your Windows account or Linux account is
>>>> set up with two-factor using SecurID? But if Oracle is identified
>>>> externally, isn't that basically single sign-on?
>>>>
>>>> On Mon, Nov 30, 2015 at 9:36 AM, Andy Wattenhofer <watt0012_at_umn.edu>
>>>> wrote:
>>>>
>>>>> I have implemented two-factor with a token system like SecurID and
>>>>> with Duo. Both use RADIUS external authentication, so if you've implemented
>>>>> that then you know everything you need to know. All Oracle users are
>>>>> "identified externally," and their passwords are the individual's
>>>>> enterprise password concatenated with the token value. You do not need
>>>>> Advanced Security option for this.
>>>>>
>>>>> Andy
>>>>>
>>>>> On Mon, Nov 30, 2015 at 10:04 AM, Mark J. Bobak <mark_at_bobak.net>
>>>>> wrote:
>>>>>
>>>>>> Thanks Ilmar, I'll take a look at that. Much appreciated!
>>>>>>
>>>>>> On Mon, Nov 30, 2015, 10:46 Ilmar Kerm <ilmar.kerm_at_gmail.com> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> When I implemented Radius login for our databases, I noticed that
>>>>>>> the manual also talked about using Radius for two-factor authentication:
>>>>>>> http://docs.oracle.com/cd/E25054_01/network.1111/e10746/asoradus.htm
>>>>>>> Example: Synchronous Authentication with SecurID Token Cards
>>>>>>>
>>>>>>> Ilmar
>>>>>>>
>>>>>>> On Mon, Nov 30, 2015 at 4:32 PM, Mark J. Bobak <mark_at_bobak.net>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Has anyone ever configured two-factor authentication for Oracle DB
>>>>>>>> login? Is it even possible? Part of Advanced Security or maybe Identity
>>>>>>>> Management?
>>>>>>>>
>>>>>>>> I've just started Google searching, but there doesn't seem to be
>>>>>>>> much out there.
>>>>>>>>
>>>>>>>> -Mark
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ilmar Kerm
>>>>>>>
>>>>>>
>>
>
>
> --
> Andy Wattenhofer
> Manager, Database Administration
> University of Minnesota
>

-- 
Andy Wattenhofer
Manager, Database Administration
University of Minnesota

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 03 2015 - 22:06:55 CET
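
Added example (not part of the original thread or of any Oracle tooling): a small checker for the sqlnet.ora requirements described above, namely that RADIUS must appear in SQLNET.AUTHENTICATION_SERVICES on both the database and the client, and that the database side must carry the RADIUS parameters. The sample files and host name are constructed; treating SQLNET.RADIUS_AUTHENTICATION (the RADIUS server host) as the minimum server-side parameter is an assumption of this sketch.

```python
import re

# Constructed sample files (assumed contents, not from the thread's systems).
SERVER_OK = """\
# database server sqlnet.ora (constructed sample)
SQLNET.AUTHENTICATION_SERVICES = (BEQ, RADIUS, NONE)
SQLNET.RADIUS_AUTHENTICATION = radius.example.internal
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
"""
CLIENT_MISSING = """\
# DBA workstation sqlnet.ora (constructed sample)
sqlnet.authentication_services = (NTS,
    NONE)
"""

def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: value}; indented lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and current:      # continuation of a wrapped value
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip().upper()     # parameter names are case-insensitive
            params[current] = value.strip()
    return params

def auth_services(params):
    """List the services named in SQLNET.AUTHENTICATION_SERVICES, upper-cased."""
    value = params.get("SQLNET.AUTHENTICATION_SERVICES", "")
    return [s.upper() for s in re.findall(r"[A-Za-z0-9_]+", value)]

def check_radius(text, role):
    """role is 'server' or 'client'; returns a list of findings (empty means OK)."""
    params = parse_sqlnet(text)
    findings = []
    if "RADIUS" not in auth_services(params):
        findings.append("RADIUS not in SQLNET.AUTHENTICATION_SERVICES")
    if role == "server" and "SQLNET.RADIUS_AUTHENTICATION" not in params:
        findings.append("SQLNET.RADIUS_AUTHENTICATION (RADIUS server host) not set")
    return findings

if __name__ == "__main__":
    print("server:", check_radius(SERVER_OK, "server") or "OK")
    print("client:", check_radius(CLIENT_MISSING, "client") or "OK")
```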
