This example shows how to verify the security properties of a database user using the TD2 mechanism. Run:

```
tdgssauth -u userconfhigh -m td2 -i 198.51.100.20
```
The user name (-u) is the same one you would give in a BTEQ .logon command. The -m option specifies the logon mechanism to test (TD2 in this example). The -i option specifies the IP address from which the user will connect, so that any IP-based security policy is evaluated for that client address.
Result:

```
1>  Status: not authenticated, not authorized
2>  Actual mechanism employed: TD2 [OID 1.3.6.1.4.1.191.1.1012.1.1.9]
3>
4>  Security context capabilities: replay detection
5>                                 out of sequence detection
6>                                 confidentiality
7>                                 integrity
8>                                 protection ready
9>                                 exportable security context
10>
11> Minimum quality of protection: 3 (High) with confidentiality and integrity
12> Options: none
```
The following explains the output from the command:
| Line Number | Description |
|---|---|
| 1> Status: not authenticated, not authorized | The user has been neither authenticated nor authorized; only a security context exists, and TD2 was used to establish it. TD2 does not itself authenticate; it leaves verification of the user name and password to the database, which is why tdgssauth does not prompt for a password. |
| 2> Actual mechanism employed: TD2 [OID 1.3.6.1.4.1.191.1.1012.1.1.9] | TD2 is the security mechanism in use, identified by its OID. |
| 4> - 9> Security context capabilities: replay detection, out of sequence detection ... exportable security context | These lines list what this particular security context provides. The security context is the one established for the named user with the specified mechanism. |
| 11> Minimum quality of protection: 3 (High) with confidentiality and integrity | The minimum QoP the user is required to use for the duration of the session. In this example, the user must use high-strength confidentiality. |
| 12> Options: none | The connection options in effect for the user. The word none indicates a normal connection. This value may instead contain has-policy or no-direct-connect. has-policy means the user must use only a plaintext connection to the database and is used for very specialized purposes. no-direct-connect means the user is not permitted to connect directly to the database. |
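When tdgssauth is run for many users (for example in an audit script), the output above is easier to consume programmatically than by eye. The following POSIX shell script is an added example, not part of the Teradata documentation or the tdgssauth tool: it parses the documented output format and applies the checks a reviewer would make against it. The sample output is constructed from the format shown above; the function names, the policy thresholds (TD2 mechanism, minimum QoP of at least 3, confidentiality and integrity present, no no-direct-connect option) and the assumption that multiple options are separated by spaces are all this example's own choices.

```shell
#!/bin/sh
# Added example: parse tdgssauth output and check a user's security properties.
# Not Teradata code. Sample output is constructed from the documented format.

TDGSSAUTH_SAMPLE='Status: not authenticated, not authorized
Actual mechanism employed: TD2 [OID 1.3.6.1.4.1.191.1.1012.1.1.9]

Security context capabilities: replay detection
                               out of sequence detection
                               confidentiality
                               integrity
                               protection ready
                               exportable security context

Minimum quality of protection: 3 (High) with confidentiality and integrity
Options: none'

# Constructed variant of the same output for a user flagged no-direct-connect.
TDGSSAUTH_SAMPLE_NODIRECT=$(printf '%s\n' "$TDGSSAUTH_SAMPLE" | sed 's/^Options: none$/Options: no-direct-connect/')

# tdgss_field NAME: print the value following "NAME:" from tdgssauth output on stdin.
tdgss_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# tdgss_min_qop: print the numeric minimum QoP (e.g. 3) from output on stdin.
tdgss_min_qop() {
    tdgss_field "Minimum quality of protection" | sed -n 's/^\([0-9]*\).*/\1/p'
}

# tdgss_has_capability CAP: exit 0 if CAP appears in the indented capability
# block that starts at "Security context capabilities:" and ends at a blank line.
tdgss_has_capability() {
    awk -v cap="$1" '
        /^Security context capabilities:/ { inblock = 1; sub(/^Security context capabilities:[ \t]*/, "") }
        inblock && /^[ \t]*$/             { inblock = 0 }
        inblock                           { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == cap) found = 1 }
        END                               { exit found ? 0 : 1 }'
}

# tdgss_check: read tdgssauth output on stdin, print each policy violation,
# exit 0 only if the user meets the (assumed) policy. A "not authenticated"
# status is NOT a violation for TD2: the database performs the password check.
tdgss_check() {
    out=$(cat)
    rc=0
    status=$(printf '%s\n' "$out" | tdgss_field Status)
    mech=$(printf '%s\n' "$out" | tdgss_field "Actual mechanism employed" | awk '{print $1}')
    qop=$(printf '%s\n' "$out" | tdgss_min_qop)
    opts=$(printf '%s\n' "$out" | tdgss_field Options)

    echo "status: ${status:-unknown} (expected for TD2; authentication is deferred to the database)"
    [ "$mech" = "TD2" ] || { echo "unexpected mechanism: ${mech:-none}"; rc=1; }
    [ "${qop:-0}" -ge 3 ] || { echo "minimum QoP too low: ${qop:-unknown} (want >= 3)"; rc=1; }
    for cap in confidentiality integrity "replay detection"; do
        printf '%s\n' "$out" | tdgss_has_capability "$cap" || { echo "missing capability: $cap"; rc=1; }
    done
    # Assumption: multiple options are space-separated on the Options line.
    case " $opts " in
        *" no-direct-connect "*) echo "user is not permitted to connect directly"; rc=1 ;;
        *" has-policy "*)        echo "note: has-policy set (plaintext-only connection)" ;;
    esac
    return $rc
}

# Demonstration on the constructed sample. Against a live system, pipe the real
# tool in instead:  tdgssauth -u userconfhigh -m td2 -i 198.51.100.20 | tdgss_check
printf '%s\n' "$TDGSSAUTH_SAMPLE" | tdgss_check && echo "userconfhigh: OK"
```

The parser keys on the labels shown in the documented output rather than on the 1>..12> line numbers, since those are display numbering and not part of what the tool emits. Treat the status line as informational for TD2: a pass here only proves the security context, QoP and options are as expected, not that the password is valid.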