
Chapter 16: External Authentication

Using unified login

Configuration parameters are available to:

All the parameters for unified login take effect immediately. You must be a System Security Officer to set the parameters.


Requiring unified login

To require all users, other than the user with System Security Officer (sso) role, to be authenticated by a security mechanism, set the unified login required configuration parameter to 1. Only the user with the sso_role can log in to the server with a user name and password when this configuration parameter is set:

sp_configure "unified login required", [0|1]

For example, to require all logins to be authenticated by a security mechanism, execute:

sp_configure "unified login required", 1

Establishing a secure default login

When a user with a valid credential from a security mechanism logs in to Adaptive Server, the server checks whether the user name exists in master..syslogins. If it does, that user name is used by Adaptive Server. For example, if a user logs in to the DCE security mechanism as “ralph,” and “ralph” is a name in master..syslogins, Adaptive Server uses all roles and authorizations defined for “ralph” in the server.

However, if a user with a valid credential logs in to Adaptive Server, but is unknown to the server, the login is accepted only if a secure default login is defined with sp_configure. Adaptive Server uses the default login for any user who is not defined in master..syslogins, but who is preauthenticated by a security mechanism. The syntax is:

sp_configure "secure default login", 0, login_name

The default value for secure default login is “guest.”

This login must be a valid login in master..syslogins. For example, to set the login “gen_auth” to be the default login:

  1. Use sp_addlogin to add the login as a valid user in Adaptive Server:

    sp_addlogin gen_auth, pwgenau

    This procedure sets the initial password to “pwgenau”.

  2. Use sp_configure to designate the login as the security default.

    sp_configure "secure default login", 0, gen_auth

    Adaptive Server uses this login for a user who is preauthenticated by a security mechanism but is unknown to Adaptive Server.

    Note: More than one user can assume the suid associated with the secure default login. Therefore, you might want to activate auditing for all activities of the default login. You may also want to consider using sp_addlogin to add all users to the server.

For more information about adding logins, see “Adding logins to support unified login” and “Adding logins to Adaptive Server”.


Mapping security mechanism login names to server names

Some security mechanisms may allow login names that are not valid in Adaptive Server. For example, login names that are longer than 30 characters, or login names containing special characters such as !, %, *, and & are invalid names in Adaptive Server. All login names in Adaptive Server must be valid identifiers. For information about what identifiers are valid, see Chapter 3, “Expressions, Identifiers, and Wildcard Characters,” in the Reference Manual.

Table 16-4 shows how Adaptive Server converts invalid characters in login names:

Table 16-4: Conversion of invalid characters in login names

Invalid characters that convert to Underscore _:

  • Ampersand &
  • Apostrophe '
  • Backslash \
  • Colon :
  • Comma ,
  • Equals sign =
  • Left quote `
  • Percent %
  • Right angle bracket >
  • Right quote '
  • Tilde ~

Invalid characters that convert to Dollar sign $:

  • Caret ^
  • Curly braces { }
  • Exclamation point !
  • Left angle bracket <
  • Parenthesis ( )
  • Period .
  • Question mark ?

Invalid characters that convert to Pound sign #:

  • Asterisk *
  • Minus sign -
  • Pipe |
  • Plus sign +
  • Quotation marks "
  • Semicolon ;
  • Slash /
  • Square brackets [ ]
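The following is an added example, not code from the Sybase manual: it applies the Table 16-4 character conversion to a security-mechanism login name and then resolves the result the way the "secure default login" section above describes (known name in master..syslogins is used as-is; unknown name is accepted only if a secure default login is configured). The sample syslogins set and external names are constructed; the table says nothing about how names longer than 30 characters are handled, so the example rejects them, which is an assumption.

```python
from typing import Optional, Set, Tuple

MAX_LOGIN_LEN = 30  # the text says longer names are invalid identifiers

# Table 16-4: each invalid character and the valid character it converts to.
_TO_UNDERSCORE = "&'\\:,=`%>~"
_TO_DOLLAR = "^{}!<().?"
_TO_POUND = '*-|+";/[]'

CHAR_MAP = {c: "_" for c in _TO_UNDERSCORE}
CHAR_MAP.update({c: "$" for c in _TO_DOLLAR})
CHAR_MAP.update({c: "#" for c in _TO_POUND})


def convert_login_name(name: str) -> str:
    """Apply the Table 16-4 conversion to every character of a login name."""
    return "".join(CHAR_MAP.get(c, c) for c in name)


def resolve_login(external_name: str, syslogins: Set[str],
                  secure_default: Optional[str]) -> Tuple[Optional[str], str]:
    """Return (server login or None, reason) for a preauthenticated user.

    Assumption (not covered by the table): a converted name longer than
    30 characters is rejected rather than truncated.
    """
    login = convert_login_name(external_name)
    if len(login) > MAX_LOGIN_LEN:
        return None, "rejected: converted name exceeds 30 characters"
    if login in syslogins:
        return login, "known login in master..syslogins"
    # The secure default login itself must be a valid login in master..syslogins.
    if secure_default is not None and secure_default in syslogins:
        return secure_default, f"unknown login {login!r}: using secure default login"
    return None, f"rejected: {login!r} unknown and no secure default login configured"


# Constructed sample data, not taken from a real server.
SAMPLE_SYSLOGINS = {"sa", "ralph", "gen_auth", "ops_admin"}

if __name__ == "__main__":
    # "ops&admin" and "ops=admin" both convert to "ops_admin": the many-to-one
    # mapping means distinct external names can land on the same server login.
    for ext in ("ralph", "ops&admin", "ops=admin", "svc/backup", "a" * 40):
        print(f"{ext!r} -> {resolve_login(ext, SAMPLE_SYSLOGINS, 'gen_auth')}")
```

Because several invalid characters convert to the same valid one, two different external names can map to one suid; together with the shared secure default login, that is the case the note above suggests auditing.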





Copyright © 2005. Sybase Inc. All rights reserved.
