Re: Two factor authentication for Oracle Database?

  • From: "Mark J. Bobak" <mark@xxxxxxxxx>
  • To: Jeff Chirco <backseatdba@xxxxxxxxx>
  • Date: Thu, 10 Dec 2015 14:00:43 -0500

Hi guys,

Finally following up here, as I am now at the point where I'm actually
trying to do this.

I'm running RHEL 7.2, downloaded freeradius 3.0.10, and the latest
google-authenticator from github.

I'm trying to get freeradius and PAM to work (my understanding is that the
two-factor auth is implemented via PAM), but it seems like there are pieces
missing. My freeradius installation doesn't have a
/usr/local/etc/raddb/mods-enabled/pam file, for example. Is there a build
time option to configure that needs to be set, like '--include-pam', or
something like that? I looked at options to configure, didn't see
anything. Any idea why the PAM module isn't enabled in my freeradius build?

Thanks,

-Mark

PS Yes, I realize this question is a departure from Oracle, but the goal
is to get it to work with Oracle, and some folks on this list have said
they've gotten it to work, so.... :-)



On Thu, Dec 3, 2015 at 11:42 PM, Oracle-L <backseatdba@xxxxxxxxx> wrote:

I would be interested.

Sent from my iPhone

On Dec 3, 2015, at 12:25 PM, Craig Hagan <hagan@xxxxxxx> wrote:

can't recall if we had advanced security, I am pretty sure we did.

If there is enough interest, I'd be willing to find some time to clean up
my code and make it available. OTOH, I'm pretty sure that freeradius now
supports two factor. (it is nice being able to run it from a very tiny
device w/o problem)

On Thu, Dec 3, 2015 at 3:21 PM, Jeff Chirco <backseatdba@xxxxxxxxx> wrote:

Yeah I think it does. We were thinking of implementing two-factor
authentication to the database but only for DBAs. So as long as we use a
separate sqlnet file this should work. And this assumes you have the
Advanced Security option, right?

Thank you.

On Thu, Dec 3, 2015 at 11:29 AM, Andy Wattenhofer <watt0012@xxxxxxx>
wrote:

The vendor product I have experience with is SafeWord. It is similar to
SecurID in that they give users "tokens" that generate the one-time
passwords.

It is important to note that these are only for authentication. It is
like swapping out the internal authentication mechanism of the OS or DBMS
for an external, two-factor one. So after the user is authenticated, the OS
or DBMS does its normal thing and creates a user session.

In the case of Linux, a PAM is installed for user authentication via
RADIUS. After authenticating, users are dropped into a regular ol' shell.
Every new session requires a new authentication just as with standard Linux
authentication.

In Oracle DBMS, RADIUS configs are added to sqlnet.ora so that it may be
used as an external authentication service. Within the database, for users
created "identified externally," authentication is handed off to the RADIUS
central auth hub. Upon successful authentication, the user is dropped into
a regular ol' Oracle session.

Make sense?

Andy

On Thu, Dec 3, 2015 at 11:15 AM, Jeff Chirco <backseatdba@xxxxxxxxx>
wrote:

Andy, are you saying that your Windows account or Linux account is
set up with two-factor using SecurID? But if Oracle is identified
externally, isn't that basically single sign-on?

On Mon, Nov 30, 2015 at 9:36 AM, Andy Wattenhofer <watt0012@xxxxxxx>
wrote:

I have implemented two-factor with a token system like SecurID and
with Duo. Both use RADIUS external authentication, so if you've
implemented that then you know everything you need to know. All Oracle
users are "identified externally," and their passwords are the individual's
enterprise password concatenated with the token value. You do not need
Advanced Security option for this.

Andy

On Mon, Nov 30, 2015 at 10:04 AM, Mark J. Bobak <mark@xxxxxxxxx>
wrote:

Thanks Ilmar, I'll take a look at that. Much appreciated!

On Mon, Nov 30, 2015, 10:46 Ilmar Kerm <ilmar.kerm@xxxxxxxxx> wrote:

Hi

When I implemented Radius login for our databases, I noticed that
the manual also talked about using Radius for two-factor authentication:
http://docs.oracle.com/cd/E25054_01/network.1111/e10746/asoradus.htm
Example: Synchronous Authentication with SecurID Token Cards

Ilmar

On Mon, Nov 30, 2015 at 4:32 PM, Mark J. Bobak <mark@xxxxxxxxx>
wrote:

Hi all,

Has anyone ever configured two-factor authentication for Oracle DB
login? Is it even possible? Part of Advanced Security or maybe
Identity Management?

I've just started Google searching, but there doesn't seem to be
much out there.

-Mark




--
Ilmar Kerm





--
.- ... . -.-. .-. . - -- . ... ... .- --. .

Craig I. Hagan
hagan(at)cih.com

‘I do not love the bright sword for its sharpness, nor the arrow for its
swiftness, nor the warrior for his glory. I love only that which they
defend.’
 - Faramir from J. R. R. Tolkien's The Lord of the Rings
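
The thread describes a single password prompt carrying the enterprise password concatenated with the token value, with google-authenticator as the token source. As an added example (not code from anyone in this thread, nor from FreeRADIUS or Oracle), this is the check a RADIUS backend has to perform on that string. The function names, the plaintext `stored_password` standing in for the directory lookup, the 6-digit/30-second TOTP parameters and the RFC 4226 test key are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(credential: str, digits: int = 6):
    """Split 'password' + 'token' as typed into the single password prompt."""
    token = credential[-digits:]
    if len(credential) <= digits or not (token.isascii() and token.isdigit()):
        return None
    return credential[:-digits], token


def verify(credential, stored_password, key, now,
           last_step=-1, step=30, window=1, digits=6):
    """Return the accepted TOTP time step, or None if either factor fails.

    last_step is the step of the last code accepted for this user; anything
    at or before it is refused so a captured password+token cannot be replayed.
    stored_password is an assumption standing in for the directory lookup.
    """
    parts = split_credential(credential, digits)
    if parts is None:
        return None
    password, token = parts
    # Constant-time comparisons; both factors are always evaluated.
    pw_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    current = int(now) // step
    matched = None
    for s in range(max(0, current - window), current + window + 1):
        candidate = hotp(key, s, digits).encode()
        if s > last_step and hmac.compare_digest(candidate, token.encode()):
            matched = s
    return matched if pw_ok else None


if __name__ == "__main__":
    # Constructed input: RFC 4226 test key, made-up password, clock at t=59s.
    print(verify("S3cret!287082", "S3cret!", b"12345678901234567890", now=59))
```

The caller has to persist the returned step as the user's new `last_step`; without that, the same password+token string stays valid for the whole drift window.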


