Oracle Advanced Security Option and Kerberos
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Feb 28 18:00:39 EST 2006
On Friday, February 24, 2006 10:15:32 AM -0600 "Douglas E. Engert"
<deengert at anl.gov> wrote:
> I am looking for other Kerberos sites that use Oracle with or without the
> ASO who would like to see the ASO improved. I would also be interested to
> know if you have approached Oracle on improvements, and what was their
> response.
We've been using Oracle with ANO and Kerberos for some years now.
Like you, we'd like to see support for new enctypes, the version 4 fcache
format, and a fix to the KRB5CCNAME parsing bug.
While we don't currently have any situations where we need non-identity
principal->username mappings, as a security protocol designer I think this
abstraction is an important one, and it is clearly missing from Oracle. A
principal name length limit of 30 characters is clearly too short; we have
plenty of principal names over that limit. Fortunately, most of them
belong not to users but to services which will never talk to Oracle.
More generally, the failure of Oracle to keep portions of their Kerberos
code even remotely up to date makes me wonder how well-maintained the rest
of it is, and how committed Oracle is to maintaining this
security-sensitive code. I'm always a little nervous about "closed"
security protocols and code which haven't been subject to outside review,
particularly given the amount of snake oil out there. But the lack of
attention paid to this particular code really is worrisome.
I'll have to check with our DBAs to see if there are any open tickets on
these items, or on other Kerberos-related issues.
-- Jeff
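The principal-to-username mapping abstraction and the length limit discussed above, as an added worked example that is not part of the original message and not Oracle's code. It parses a Kerberos principal (honoring backslash escapes), applies an explicit mapping table before falling back to identity mapping within the local realm, refuses service principals, and enforces a 30-character limit on the resulting username. The realm name EXAMPLE.ORG, the mapping table, the username character set, and the sample principals are all assumptions constructed for the example; the 30-character limit mirrors the one the message criticizes.

```python
"""Map a Kerberos principal to a local (database) username explicitly.

Added example, not code from the original post or from Oracle. Assumed:
the local realm name, the explicit mapping table, the username charset
rule, and the 30-character limit (which mirrors the limit the message
criticizes, here applied to the mapped username, not the principal).
"""
import re
from typing import List, Optional, Tuple

MAX_USERNAME_LEN = 30                            # assumed: mirrors the 30-char limit discussed
LOCAL_REALM = "EXAMPLE.ORG"                      # assumed local realm
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]*")     # assumed local username charset

# Constructed non-identity mappings: (user component, realm) -> local username.
EXPLICIT_MAP = {
    ("admin", "EXAMPLE.ORG"): "dba_admin",
    ("carol", "PARTNER.EXAMPLE"): "carol_partner",
    ("another.very.long.user.principal.name", "EXAMPLE.ORG"): "longuser",
}


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'c1/c2/...@REALM' into (components, realm).

    Honors the Kerberos quoting rule that a backslash escapes the next
    character, so '/', '@' and '\\' can appear inside a component.
    """
    components: List[str] = []
    buf: List[str] = []
    realm: Optional[str] = None       # becomes "" once the '@' has been seen
    i = 0
    while i < len(principal):
        c = principal[i]
        if c == "\\":
            if i + 1 >= len(principal):
                raise ValueError("dangling backslash in principal")
            buf.append(principal[i + 1])
            i += 2
            continue
        if realm is not None:
            if c in "/@":
                raise ValueError("unescaped separator inside realm")
            buf.append(c)
        elif c == "/":
            components.append("".join(buf))
            buf = []
        elif c == "@":
            components.append("".join(buf))
            buf = []
            realm = ""
        else:
            buf.append(c)
        i += 1
    if realm is None:
        raise ValueError("principal has no realm")
    realm = "".join(buf)
    if not realm or not all(components):
        raise ValueError("empty component or realm in principal")
    return components, realm


def map_principal(principal: str) -> str:
    """Return the local username for a user principal, or raise.

    Rules (all assumed for the example):
      * only single-component (user) principals may become DB users;
      * an explicit table entry wins, which is how a long or foreign
        principal can still land on a short local name;
      * otherwise identity mapping applies, but only within LOCAL_REALM;
      * the result must match USERNAME_RE and fit in MAX_USERNAME_LEN.
    """
    components, realm = parse_principal(principal)
    if len(components) != 1:
        raise PermissionError(f"service principal not allowed as DB user: {principal}")
    user = components[0]
    local = EXPLICIT_MAP.get((user, realm))
    if local is None:
        if realm != LOCAL_REALM:
            raise PermissionError(f"no mapping for foreign principal: {principal}")
        local = user                   # identity mapping within the local realm
    if not USERNAME_RE.fullmatch(local):
        raise ValueError(f"mapped username has invalid characters: {local!r}")
    if len(local) > MAX_USERNAME_LEN:
        raise ValueError(f"mapped username exceeds {MAX_USERNAME_LEN} chars: {local!r}")
    return local


def try_map(principal: str) -> Tuple[Optional[str], Optional[str]]:
    """(username, None) on success, (None, exception class name) on failure."""
    try:
        return map_principal(principal), None
    except (ValueError, PermissionError) as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    # Constructed sample principals exercising each rule.
    for p in ["alice@EXAMPLE.ORG", "admin@EXAMPLE.ORG", "carol@PARTNER.EXAMPLE",
              "host/db1.example.org@EXAMPLE.ORG",
              "averylongprincipalnameexceedingthirtychars@EXAMPLE.ORG",
              "another.very.long.user.principal.name@EXAMPLE.ORG"]:
        print(f"{p:58} -> {try_map(p)}")
```

The point of the explicit table is the one the message makes: with only identity mapping, a principal over the limit simply cannot be a database user, whereas a mapping layer lets the site decide which local name it becomes and keeps service principals out of the user namespace entirely.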