Re: Two factor authentication for Oracle Database?

  • From: Craig Hagan <hagan@xxxxxxx>
  • To: backseatdba@xxxxxxxxx
  • Date: Thu, 3 Dec 2015 15:25:01 -0500

Can't recall if we had Advanced Security; I am pretty sure we did.

If there is enough interest, I'd be willing to find some time to clean up
my code and make it available. OTOH, I'm pretty sure that freeradius now
supports two factor. (it is nice being able to run it from a very tiny
device w/o problem)

On Thu, Dec 3, 2015 at 3:21 PM, Jeff Chirco <backseatdba@xxxxxxxxx> wrote:

Yeah, I think it does. We were thinking of implementing two-factor
authentication to the database but only for DBAs. So as long as we use a
separate sqlnet file this should work. And this assumes you have the
Advanced Security option, right?

Thank you.

On Thu, Dec 3, 2015 at 11:29 AM, Andy Wattenhofer <watt0012@xxxxxxx>
wrote:

The vendor product I have experience with is SafeWord. It is similar to
SecurID in that they give users "tokens" that generate the one-time
passwords.

It is important to note that these are only for authentication. It is
like swapping out the internal authentication mechanism of the OS or DBMS
for an external, two-factor one. So after the user is authenticated, the OS
or DBMS does its normal thing and creates a user session.

In the case of Linux, a PAM is installed for user authentication via
RADIUS. After authenticating, users are dropped into a regular ol' shell.
Every new session requires a new authentication just as with standard Linux
authentication.

In Oracle DBMS, RADIUS configs are added to sqlnet.ora so that it may be
used as an external authentication service. Within the database, for users
created "identified externally," authentication is handed off to the RADIUS
central auth hub. Upon successful authentication, the user is dropped into
a regular ol' Oracle session.

Make sense?

Andy

On Thu, Dec 3, 2015 at 11:15 AM, Jeff Chirco <backseatdba@xxxxxxxxx>
wrote:

Andy, are you saying that your Windows account or Linux account is set up
with two-factor using SecurID? But if Oracle is identified externally,
isn't that basically single sign-on?

On Mon, Nov 30, 2015 at 9:36 AM, Andy Wattenhofer <watt0012@xxxxxxx>
wrote:

I have implemented two-factor with a token system like SecurID and with
Duo. Both use RADIUS external authentication, so if you've implemented that
then you know everything you need to know. All Oracle users are "identified
externally," and their passwords are the individual's enterprise password
concatenated with the token value. You do not need the Advanced Security
option for this.

Andy

On Mon, Nov 30, 2015 at 10:04 AM, Mark J. Bobak <mark@xxxxxxxxx> wrote:

Thanks Ilmar, I'll take a look at that. Much appreciated!

On Mon, Nov 30, 2015, 10:46 Ilmar Kerm <ilmar.kerm@xxxxxxxxx> wrote:

Hi

When I implemented Radius login for our databases, I noticed that the
manual also talked about using Radius for two-factor authentication:
http://docs.oracle.com/cd/E25054_01/network.1111/e10746/asoradus.htm
Example: Synchronous Authentication with SecurID Token Cards

Ilmar

On Mon, Nov 30, 2015 at 4:32 PM, Mark J. Bobak <mark@xxxxxxxxx>
wrote:

Hi all,

Has anyone ever configured two-factor authentication for Oracle DB
login? Is it even possible? Part of Advanced Security or maybe
Identity Management?

I've just started Google searching, but there doesn't seem to be
much out there.

-Mark




--
Ilmar Kerm





--
.- ... . -.-. .-. . - -- . ... ... .- --. .

Craig I. Hagan
hagan(at)cih.com

‘I do not love the bright sword for its sharpness, nor the arrow for its
swiftness, nor the warrior for his glory. I love only that which they
defend.’
 - Faramir from J. R. R. Tolkien's The Lord of the Rings
