
Re: Kerberos

 
Brian Gebhard
Occasional Advisor

Kerberos

I have Oracle 7.3.4.4.1 installed on HP-unix 10.20. I am looking to set up NT authentication. I have heard of Kerberos. Any opinions which is the best for. Where do I find Kerberos or whichever one you think is better? We do plan on upgrading but not for at least 4-6 months. So I will need something that will work on 7.3.4 Oracle and then on 8.1.6.
Alexander M. Ermes
Honored Contributor

Re: Kerberos

Hi there.
You can go for external authentication of users in the database. If you do a create user identified externally, your user will be able to connect directly to the database. Please check this possibility in the Oracle documentation. Then the user administration will be on the NT side. But you have to be sure that there are no violations like handing user IDs and passwords to other users.
Rgds
Alexander M. Ermes
.. and all these memories are going to vanish like tears in the rain! final words from Rutger Hauer in "Blade Runner"
Alex Glennie
Honored Contributor

Re: Kerberos

& useful general info: here

http://www.kashpureff.org/nic/krb/admin.htm

Kerberos Products on HP-UX

HP-UX supports Kerberos clients with a set of three software packages for HP-UX
11.0 and 11i. These products are: PAM Kerberos, KRB5 Client Software, and the
Generic Security Service Application Programming Interface (GSS-API).

All HP-UX Kerberos products conform to the IETF specification for Kerberos Version
5 and are compliant with IETF RFC 1510.

Application programmers can create "Kerberized" applications using either the
GSS-APIs or Kerberos APIs. However, HP recommends that GSS-APIs be used for
application development. HP provides the following Kerberized applications through
Secure Internet Services (SIS): ftp, rcp, remsh, rlogin, and telnet.




PAM Kerberos Product

| Product | Intro. Date | Description |
|---------|-------------|-------------|
| J5849AA | 12/06/00 | GSS-API, Kerberos Client are in 11i core. PAM Kerberos is at 11i Application CD |
| J5849AA | 12/01/00 | GSS-API, Kerberos Client and PAM Kerberos in AP1200 Dart CD for 11.0 |
| J5849AA | 03/01/00 | PAM Kerberos in AP0300 Dart CD for 11.0 |


Shannon Petry
Honored Contributor

Re: Kerberos

Kerberos is a very secure implementation of AUTH developed by Sun. The Microsoft implementation is very hacked, and is not as secure as they would like you to believe. If you have real concerns about running Kerberos for security reasons, buy a small Sun (Sun Blade 100 is less than $2,000.00).

Remember that this will affect Oracle performance greatly, and may not work at all.
Why will it affect performance? The Oracle server will have to move data from the local host to a remote host for AUTH. Kerberos is very secure, but not the fastest AUTH there is. Kerberos requires key exchange and token exchange prior to performing ANY task.
As it is set up now, Oracle AUTH happens locally, so there is absolutely no wait for AUTH (well, a couple of system calls wait as opposed to lots of network traffic and system calls).

The other logistics problem that I see is that Oracle will rely now on an external machine as opposed to being self sufficient. Pretty scary!

There are a few web server utilities that can authenticate clients off of NT, and using a bit of CGI this could get your users AUTH'ed before hitting your web front ends to Oracle.

NOTE: HP says it uses NT for its global auth, but they're the only one I have ever heard of. NT is pretty slow even for AUTH, and not very secure at all. Go to http://packetstorm.securify.com and look at all the nice publicly available security hacks for NT as opposed to HP and SunOS.

Look also at how MS implemented Sun's Kerberos. It is not very different from NT4's mechs...

Regards,
Shannon
Microsoft. When do you want a virus today?
Brian Gebhard
Occasional Advisor

Re: Kerberos

Sorry Alexander, I must not have made myself clear. When I said that I was looking to set up NT Authentication, I was already aware of setting up a user as identified externally. My problem comes when I look at the Oracle documentation: it mentions Oracle using Kerberos or other security services on the Unix side. But not much detail on what they are and how they need to be configured.

Thanks Alex, but I currently have HP 10.20. I must first set it up on that, then after we upgrade in a few months set it up on HP 11.0. I've heard Kerberos v5 is for HP 11.0, not for HP 10.20.

Shannon, thanks for your input on the Oracle side. I had not realized that external authentication would affect performance that much.

Let me try to add to what I need to know now. I am looking into setting up external authentication, using NT authentication. Oracle documentation is vague on what needs to be done on the Unix side. It mentions briefly Kerberos or other security services like it must be installed and configured. I have HP 10.20 at the moment. There is no Kerberos installed on our box. What security services would be installed that Oracle would use? Is PAM the same thing as Kerberos, just an earlier version? The reason why I was asking about Kerberos was because the document I downloaded from Oracle said to install Kerberos, but never said where to get it from or what it is. If there is something else that I could use instead that is already on the box, I would prefer to do that. So please help with the following questions:

1. What security services would be installed that Oracle would use other than Kerberos?
2. Is PAM the same thing as Kerberos, just an earlier version?
3. Has anyone else set up external authentication using NT Authentication on HP-Unix 10.20? If so, what all should I be concerned with and what documentation did you use?