FCBVault provides two-factor authentication (2FA hereafter) for Oracle database: version 11g or higher; EE, SE or XE edition; on-premises or cloud based. Using 2FA via FCBVault adds one more protection level to your database. FCBVault is free software.
The Oracle 2FA solution market can be split into two parts:
- internet/cell phone dependent solutions like https://www.dbarj.com.br/en/oratotp-oracle-time-based-one-time-password/, Cisco Duo etc.
- enterprise solutions like the ones described in https://blog.pythian.com/oracle-database-and-two-factor-authentication-2fa/, i.e. a RADIUS server, Cisco Duo and so on
In both cases the cons are: either extra money plus over-engineering, or internet/cell phone dependence plus the same over-engineering.
Unlike the examples above, all you need to use FCBVault is GNU Privacy Guard (GnuPG hereafter), which is free software available for the major Linux/UNIX distributions, and of course an Oracle database. Generally you don’t need to modify existing applications to use FCBVault: think of FCBVault as a launcher for your existing software whose job is to pass database 2FA.
How FCBVault works
Main idea: whoever connects to the Oracle database with ordinary user account credentials alone is not trusted; trust is placed in the combination of the user account credentials and an authenticated piece of software used to connect. The standard Oracle SQL*Plus utility serves as the example. Via GnuPG, you create a pair of password-protected keys (secret and public) for the user/group that launches the software connecting to the database from the application host. You export those keys and import them into the GnuPG key storage on the database host, then remove the key password on the database host. Next, instead of running the SQL*Plus utility directly from the application host, you run a “shell” for it; let’s call that “shell” sqlplus.sh. sqlplus.sh’s job is to initiate 2FA and, if 2FA passes, to call the real SQL*Plus utility to connect to the database under the real user account. The main steps are:
- the database allows connections only for a proxy user (with the lowest level of privileges) and, until 2FA has been passed, rejects all other non-privileged user connections. This is implemented via an “after logon” trigger in the SYS schema.
- sqlplus.sh connects to the database from the application host via the proxy user and sends the real user’s connection credentials, the GnuPG user/group key identifier (an email address, for example) and a request to start 2FA.
- the database calls GnuPG to generate a one-time session passphrase for the received GnuPG user/group key identifier, encrypts the passphrase and sends it back to sqlplus.sh. If the keys for that key identifier on the database host are expired, locked or missing, 2FA cannot be passed.
- sqlplus.sh receives the encrypted one-time session passphrase, asks interactively for the password of the GnuPG user/group key (this is optional: the password can also be supplied in silent auto mode), decrypts the passphrase via GnuPG, doubles it, re-encrypts the doubled passphrase via GnuPG and starts the real SQL*Plus. SQL*Plus connects under the same proxy user credentials and sends the re-encrypted doubled one-time session passphrase, its process id and its parent process id to the database.
- the database part of FCBVault decrypts the re-encrypted doubled one-time session passphrase via GnuPG for the GnuPG user/group key identifier. If decryption succeeds, SQL*Plus is notified, reconnects to the database under the real user’s credentials and passes through the “after logon” SYS schema trigger.
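The five steps above, played out as a runnable model with both sides’ messages. This is an added example, not FCBVault’s own code: GnuPG is replaced by a textbook RSA stand-in (insecure, for illustration only) so the exchange runs offline, and the key identifier, key password, proxy user name and session ids are constructed for the example. It also shows the failure modes the text names: an expired or missing key makes 2FA impossible, a wrong key password stops the client, and each one-time passphrase is accepted exactly once.

```python
"""Model of the FCBVault-style 2FA exchange. Not FCBVault's code: GnuPG is
replaced by a textbook RSA stand-in (insecure, illustration only); key id,
password, proxy user and session ids are constructed for this example."""
import hashlib
import secrets

# --- toy asymmetric stand-in for GnuPG encrypt/decrypt (NOT secure) ---
_P, _Q = 2**61 - 1, 2**89 - 1          # Mersenne primes: modulus of ~150 bits


def toy_keypair(e=65537):
    """Return (public, secret) = ((e, n), (d, n)) for the fixed toy primes."""
    n = _P * _Q
    d = pow(e, -1, (_P - 1) * (_Q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def toy_encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)


def toy_decrypt(sec, c):
    d, n = sec
    return pow(c, d, n)


class DatabaseSide:
    """Database host: imported keys with the password removed, pending
    challenges, and the client sessions that have passed 2FA."""

    def __init__(self, keyring, proxy_user="FCB_PROXY"):   # proxy name is constructed
        self.keyring = keyring    # key_id -> {"pub", "sec", "expired", "locked"}
        self.proxy_user = proxy_user
        self.pending = {}         # session -> (key_id, expected doubled passphrase)
        self.passed = set()

    def start_2fa(self, session, key_id):
        """Step 3: generate a one-time passphrase and encrypt it to the user's key."""
        rec = self.keyring.get(key_id)
        if rec is None or rec["expired"] or rec["locked"]:
            return None           # missing, expired or locked key: 2FA impossible
        passphrase = secrets.token_hex(8)              # 16 hex chars, single use
        self.pending[session] = (key_id, passphrase + passphrase)
        return toy_encrypt(rec["pub"], int(passphrase, 16))

    def verify(self, session, response):
        """Step 5: decrypt the doubled passphrase and compare; a challenge is answered once."""
        entry = self.pending.pop(session, None)
        if entry is None:
            return False
        key_id, expected = entry
        got = format(toy_decrypt(self.keyring[key_id]["sec"], response), "032x")
        ok = secrets.compare_digest(got, expected)
        if ok:
            self.passed.add(session)
        return ok

    def after_logon(self, session, user):
        """Stand-in for the 'after logon' SYS trigger (step 1): proxy user always
        gets in, any other user only after its session passed 2FA."""
        return user == self.proxy_user or session in self.passed


class ClientSide:
    """Application host (the sqlplus.sh wrapper): the secret key keeps its password."""

    def __init__(self, key_id, pub, sec, password):
        self.key_id = key_id
        self._pub, self._sec = pub, sec
        self._pw_hash = hashlib.sha256(password.encode()).digest()

    def respond(self, challenge, password):
        """Step 4: unlock the key with its password, decrypt, double, re-encrypt."""
        given = hashlib.sha256(password.encode()).digest()
        if not secrets.compare_digest(given, self._pw_hash):
            raise PermissionError("wrong GnuPG key password")
        passphrase = format(toy_decrypt(self._sec, challenge), "016x")
        doubled = passphrase + passphrase
        return toy_encrypt(self._pub, int(doubled, 16))


def build_demo():
    """Constructed keyring: one key for a constructed user, imported on both hosts."""
    pub, sec = toy_keypair()
    key_id = "app-user@example.com"          # constructed GnuPG key identifier
    keyring = {key_id: {"pub": pub, "sec": sec, "expired": False, "locked": False}}
    return DatabaseSide(keyring), ClientSide(key_id, pub, sec, "correct-horse")


def run_exchange(db, client, password, session="pid-4242"):
    """Full flow: True only if the real-user logon would pass the trigger afterwards."""
    challenge = db.start_2fa(session, client.key_id)     # steps 2-3 (proxy session)
    if challenge is None:
        return False
    response = client.respond(challenge, password)       # step 4
    return db.verify(session, response) and db.after_logon(session, "APP_USER")


if __name__ == "__main__":
    db, client = build_demo()
    print("2FA passed:", run_exchange(db, client, "correct-horse"))
```

The point to notice is that the database host never learns the key password: it only needs the password-stripped secret key to check the doubled passphrase, while the application host must unlock the protected key to answer at all. That is the “authenticated software plus credentials” combination the main idea describes.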
Requirements
- UNIX-like operating system
- Oracle 11g or higher with the Java subsystem available
- GnuPG v.2.0.20 or higher
Platform notes
- The software wasn’t tested on the Windows platform
- The software should work on AIX and HP-UX
- The software was tested on Linux and Solaris
- The software was tested on Oracle 11g, 12c and 19c, EE and SE editions
Releases
- Dec 09, 2020: initial build 443 released.
- version: 2.24.443 size: 318 Kbytes md5: 8563d8097e28492290467f8415308cca
Questions? Suggestions? Comments? Let me know what you think via email.