Two-factor authentication software [message #683172]
Wed, 09 December 2020 19:55
Registered: September 2018
FCBVault software (http://www.oracleongpu.com/fcbvault/) provides the possibility of two-factor authentication (2FA hereafter) for Oracle Database: version 11g or higher; EE, SE or XE edition; on-premises or cloud based. Using 2FA via FCBVault adds one more protection level to your database.
The Oracle 2FA solution market could be divided into two parts:
In both cases the cons are: either extra monetary cost plus over-engineering, or internet/cell phone dependence plus the same over-engineering.
Unlike the examples above, all you need to use FCBVault is to install GNU Privacy Guard (https://gnupg.org/, GnuPG hereafter). It is free software, available for the major Linux/UNIX distributions. Of course you need an Oracle database as well. Generally you do not need to modify existing applications to use FCBVault. You can consider FCBVault a launcher for your existing software whose purpose is to pass database 2FA.
How FCBVault works
Main idea: there is no trust in whoever connects to the Oracle database with average user account credentials only, but trust in the combination of user account credentials and the authenticated software that is used to connect. As an example I will use SQL*Plus, the standard Oracle utility. So you create, via GnuPG, a pair of password-protected keys, i.e. a secret and a public key, for the user/group who launches the software connecting to the database from the application host. You export those keys and import them into the GnuPG key storage on the database host. You remove the key password on the database host. Next you run not the SQL*Plus utility directly from the application host, but a "shell" for it. Let’s call that "shell" sqlplus.sh. sqlplus.sh’s purpose is to initiate 2FA and, if 2FA passes, to call the real SQL*Plus utility to connect to the database under the real user account. So the main steps are:
- The database allows connections for the proxy user (with the lowest level of privileges) only and, until 2FA is passed, prohibits all other non-privileged user connections. That is implemented via an “after logon” trigger in the SYS schema.
- sqlplus.sh connects to the database from the application host via the proxy user and sends: the real user’s connection credentials, the GnuPG user/group key identifier (an email, for example) and a request to start 2FA.
- The database calls GnuPG to generate a one-time session passphrase for the received GnuPG user/group key identifier, encodes the passphrase and sends it back to sqlplus.sh. If the keys for the GnuPG user/group key identifier on the database host are expired, locked or missing, passing 2FA is impossible.
- sqlplus.sh receives the encoded one-time session passphrase, requests the password for the GnuPG user/group key identifier interactively (this is not mandatory: the password can be entered in silent auto mode) via GnuPG, decodes the passphrase via GnuPG, doubles the passphrase, re-encodes the doubled passphrase via GnuPG and starts the real SQL*Plus. SQL*Plus connects under the same proxy user credentials and sends the doubled, re-encoded one-time session passphrase, its process id and its parent process id to the database.
- The database part of FCBVault decodes the doubled, re-encoded one-time session passphrase via GnuPG for the GnuPG user/group key identifier. If decoding is successful, SQL*Plus gets a notification, reconnects to the database under the real user’s credentials and passes successfully through the “after logon” SYS schema trigger.
It is free software.
The download package contains examples of how to create GnuPG keys and how to run the sqlplus.sh shell utility.
Your questions and feedback are welcome.