Oracle Advanced Security Option and Kerberos

Theodore Ts'o tytso at MIT.EDU
Fri Feb 24 12:31:10 EST 2006


On Fri, Feb 24, 2006 at 10:15:32AM -0600, Douglas E. Engert wrote:
> 
> Oracle has had Kerberos support for about 10 years via the Oracle Advanced
> Security Option (ASO), formerly known as the Oracle Advanced Networking Option.
> There are a lot of articles from 1998-2003 on using the ASO but very
> little after.
> 
> A few simple changes could vastly improve the usability of the ASO.
> 
> The code appears to not have been kept up to date, as it only does
> single DES, and uses a type 2 ticket cache. But some selective
> features have been made, including TCP support for the KDC, and on a
> Windows box, the client can use the Microsoft ticket cache (and
> maybe SSPI) to the server on Unix using GSSAPI.  It can delegate
> credentials to the server so one database server can authenticate to
> another as the user. Yet it has a simple bug with parsing of the
> KRB5CCNAME variable.
> 
> It is not clear what Kerberos code base is used, as the libs don't
> match the MIT or Heimdal.  Articles refer to CyberSafe Trust Broker
> interoperability so it may be CyberSafe.

I went and talked to Oracle over 10 years ago, and at the time what
they told me they were planning on doing was to take the MIT Kerberos
library at the time and suck it into their code tree, making a huge
number of changes to make the code comply with their OS portability
coding style.  The exact contents of their portability rules was at
that point an Oracle company secret, and was described to me as one of
their "crown jewels" (no kidding).  This was back in the day when
Oracle was running on some gargantuan number of platforms, including
some (was it VMS?) that had linker limitations that meant that symbols
had to be no more than six characters, or the first six characters had
to be unique --- I don't remember all of the details.

In any case, it meant renaming all of the function names to be less
than six characters, and other things that effectively guaranteed that
it would be impossible for them to upgrade to newer versions without
discarding nearly all of the work to integrate Kerberos into their
product and starting nearly from scratch.  At the time, I didn't think
it was that hot of an idea, but Oracle at that time in the mid-90s
considered this a non-negotiable requirement if Kerberos was going to
be integrated into SQL*Net as part of the Advanced Networking Option,
and at the time we were glad they were doing it all, even if it was in
a rather harebrained fashion.

So unless Oracle changed their plans or what they did, it's likely
that what Oracle used as their libraries is a derivative of very
ancient MIT code, but it's been "Oraclized" so thoroughly that it is
probably a very, very, very distant cousin.

> The ASO uses the full principal name with realm as the Oracle
> username without any mapping from principal to Oracle username. The
> name is also limited to 30 characters. The lack of a mapping makes
> it very difficult to add Kerberos support to an existing database.

I thought there was a way you could override the principal name, but
it's been a very long time, and the memory grows dim...

							- Ted