Authentication client security exposure?

Hi All;
On a DB2 v9.1 (DPF) - RH Linux server, we have a local userid EXECMSTR
that has dbadm privileges and executes all batch processing to load
and maintain a large data warehouse application. The database server
allows authentication client for some applications. It appears that
this configuration would allow a local (client) user to be defined as
EXECMSTR and come into the database server with dbadm privileges!
Obviously, this fits into the category of "a bad thing"...

What am I missing? There must be some way to support authentication
client for certain users and not for others. Can someone point me to
what I need to look at? I have spent a lot of time with several
different security-related config parms and can't get a good handle on
the solution to this. Thanks very much!

Pete H
Nov 21 '07 #1
4 1783
> On Nov 21, 8:10 pm, peteh <phazz...@intellicare.com> wrote:
> [...]
> What am I missing? There must be some way to support authentication
> client for certain users and not for others.

I'm not sure I follow what you are saying. Would it be enough to know
the name of such a user to get access to the database?

> Can someone point me to
> what I need to look at? I have spent a lot of time with several
> different security-related config parms and can't get a good handle on
> the solution to this. Thanks very much!

Would it be possible to solve at the OS level instead of at the DBMS
level? You could for example set up ssh-keys for the client on the
server, and then log in via ssh and do your stuff at the server. Such a
solution would only allow access from certain machines, certain users.

/Lennart
Nov 22 '07 #2
Lennart wrote:
> On Nov 21, 8:10 pm, peteh <phazz...@intellicare.com> wrote:
> [...]
> > What am I missing? There must be some way to support authentication
> > client for certain users and not for others.
>
> I'm not sure I follow what you are saying. Would it be enough to know
> the name of such a user to get access to the database?
>
> > Can someone point me to
> > what I need to look at? I have spent a lot of time with several
> > different security-related config parms and can't get a good handle on
> > the solution to this. Thanks very much!
>
> Would it be possible to solve at the OS level instead of at the DBMS
> level? You could for example set up ssh-keys for the client on the
> server, and then log in via ssh and do your stuff at the server. Such a
> solution would only allow access from certain machines, certain users.
>
> /Lennart
Thanks for your reply Lennart. The issue is that the userid has been
established on the server for production work (with dbadm auths) and
it appears that any old workstation client could set up a local user
with the same name. Once that user is authenticated on the client, it
can connect to the database (via database connect, not direct login/
ssh) and have VERY powerful privileges.

Do you see the exposure here? It appears that once we allow
AUTHENTICATION CLIENT (which we have to do for some applications), we
cannot control access for client users who share id names with users
defined on the server. This is why I know I must be missing
something... Thanks again.

Pete H
Nov 23 '07 #3
> On Nov 23, 3:31 pm, peteh <phazz...@intellicare.com> wrote:
> [...]
> Do you see the exposure here? It appears that once we allow
> AUTHENTICATION CLIENT (which we have to do for some applications), we
> cannot control access for client users who share id names with users
> defined on the server. This is why I know I must be missing
> something... Thanks again.

I'm well aware of the security issues with AUTHENTICATION CLIENT. If I
understood you correctly, you would like to use AUTHENTICATION CLIENT
from some machines/some users, and AUTHENTICATION SERVER for the
rest. AFAIK that is not supported at the DBMS level. Would the
following be an option?

Use AUTHENTICATION CLIENT on your existing server, and restrict access
via firewall to your trusted clients. Add another server with
AUTHENTICATION SERVER and catalog all the databases from your current
server there. Just a thought; I haven't tried it myself.

/Lennart
Nov 23 '07 #4
Lennart wrote:
> On Nov 23, 3:31 pm, peteh <phazz...@intellicare.com> wrote:
> [...]
> > Do you see the exposure here? It appears that once we allow
> > AUTHENTICATION CLIENT (which we have to do for some applications), we
> > cannot control access for client users who share id names with users
> > defined on the server. This is why I know I must be missing
> > something... Thanks again.
>
> I'm well aware of the security issues with AUTHENTICATION CLIENT. If I
> understood you correctly, you would like to use AUTHENTICATION CLIENT
> from some machines/some users, and AUTHENTICATION SERVER for the
> rest. AFAIK that is not supported at the DBMS level. Would the
> following be an option?
>
> Use AUTHENTICATION CLIENT on your existing server, and restrict access
> via firewall to your trusted clients. Add another server with
> AUTHENTICATION SERVER and catalog all the databases from your current
> server there. Just a thought; I haven't tried it myself.
>
> /Lennart
Authentication client requires that you can trust your clients. This means
that all clients must be locked down so that local security can't be
changed and no foreign machines are permitted to access the network. If you
can't secure the attached workstations and servers to this level then do
not use client authentication for any database that requires even a minimal
amount of security.

Colin
Dec 5 '07 #5
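A defender-side check for the exposure Pete and Colin describe, added here as an example and not anything posted in the thread: it parses the text that `db2 get dbm cfg` prints and flags AUTHENTICATION = CLIENT, reporting the related TRUST_ALLCLNTS and TRUST_CLNTAUTH values for context. The parameter names are DB2's own; the sample configuration text is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a DB2 LUW instance's database
# manager configuration for the exposure Pete describes. It reads the text
# that "db2 get dbm cfg" prints and flags AUTHENTICATION = CLIENT, the
# setting under which the server accepts the user name the client OS has
# already authenticated. The parameter names are real dbm cfg parameters;
# the sample text below is constructed, not captured from a live server.

# Print the value of one dbm cfg parameter, given its keyword and the cfg text.
# Lines look like: "  Database manager authentication   (AUTHENTICATION) = CLIENT"
cfg_value() {
  printf '%s\n' "$2" | sed -n "s/.*($1) *= *//p" | head -n 1 | tr -d ' \r'
}

# Exit status: 0 = the user is authenticated at the server side,
# 1 = AUTHENTICATION is CLIENT and the exposure applies, 2 = could not tell.
audit_auth() {
  cfg=$1
  auth=$(cfg_value AUTHENTICATION "$cfg")
  trust_all=$(cfg_value TRUST_ALLCLNTS "$cfg")
  trust_clntauth=$(cfg_value TRUST_CLNTAUTH "$cfg")
  case "$auth" in
    CLIENT)
      echo "RISK: AUTHENTICATION=$auth (TRUST_ALLCLNTS=$trust_all, TRUST_CLNTAUTH=$trust_clntauth)"
      echo "  Any client host that can reach the instance can present a local account"
      echo "  named like a server user (such as one holding DBADM) and connect as it."
      echo "  TRUST_* only govern clients without reliable OS security and connects that"
      echo "  supply a password, so they do not close this gap. Mitigation: set"
      echo "  AUTHENTICATION to SERVER or SERVER_ENCRYPT, or, if CLIENT is unavoidable,"
      echo "  limit network reachability to locked-down clients."
      return 1 ;;
    "")
      echo "UNKNOWN: no AUTHENTICATION line found in the supplied configuration"
      return 2 ;;
    *)
      echo "OK: AUTHENTICATION=$auth; the server (or its security plug-in) verifies users"
      return 0 ;;
  esac
}

# Constructed sample in the layout "db2 get dbm cfg" uses (not real output).
DBM_CFG_SAMPLE='
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
'
# On the server itself, run against the live output: audit_auth "$(db2 get dbm cfg)"
audit_auth "$DBM_CFG_SAMPLE" || echo "audit exit status $?"
```

The exit status makes the check usable from a cron job or a configuration-compliance script, so a drift back to AUTHENTICATION = CLIENT on a server that should not allow it gets noticed.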