16.10 - Using tdgssauth Syntax - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017

Run tdgssauth from the Teradata Database command prompt. Enter the tdgssauth options needed for your test. For example:

su - teradata
tdgssauth -u username -m mechanism -i IP_address

The following rules apply when using tdgssauth:

  • You can specify tdgssauth options in any order, but they must be separated by spaces.
  • The input is case sensitive.
  • Become the teradata user (su - teradata) if the system is configured for CA certificates as part of setting up SSL/TLS. This causes tdgssauth to run under the Linux user teradata instead of root, which accurately represents how the system processes authentication when CA certificates are present. Also see SSL/TLS Protection Options.

Using tdgssauth Options

Option Description
Options that control initialization (only one may be specified):
-s Perform a server-mode TDGSS initialization. The default on database nodes. Not available on Unity.

Mutually exclusive with -t.

-t dir Perform a test mode initialization.

Mutually exclusive with -s.

-v ver Specify the TDGSS version to test.

Valid only with a server-mode (-s) initialization; may not be used with -t.

Options that control the token exchange:
-m mechname Specify the mechanism to use. If a mechanism is not specified, the default mechanism is selected.
-n SPN Specify the target Service Principal Name (SPN).
-D Request delegation.
-M Request mutual authentication.
-R Request replay detection.
-S Request out of sequence detection.
-I Request integrity support.
-C Request confidentiality support.
-? Request that a usage message be displayed.
Options that control authentication (see Rules for tdgssauth Options That Control Authentication):
-u user Specify the user name to authenticate.
-w password Specify the user's password. If -w is omitted and the mechanism is an authenticating mechanism, the tool prompts for the password securely (without echoing).
-a additional-logdata Allows specification of additional authorization information other than authcid and password; for example, you can specify profile information: tdgssauth -u user -w password -a profile=myprofile -m ldap
Options that control security policy checks:
-i ipaddr The IPv4 or IPv6 address of the client to use in security policy tests. If this option is not included, security policy checks will not be performed.

If -i is included but -u has not been specified and the mechanism is non-authenticating (such as TD2), security policy checks will not be performed.

Options that control wrapping and unwrapping:
-T text string Specifies a text string to wrap and unwrap. This string will be wrapped on the client side, unwrapped on the server side, rewrapped on the server side and unwrapped again on the client side. As many -T options as desired may be specified. If none are specified, no wrapping and unwrapping will be performed.
-c Requests confidentiality on the initial wrap operation.
-e Requests encryption during wrapping. Without this option, the message text specified in -T options will only have a message integrity checksum (MIC) appended.
-q [low|medium|high|default|0|1|2|3] Specifies the quality of protection to use when generating MICs and encrypting.
Options that control the output:
-V num Request verbose output. In this mode, the tokens will be dumped and return codes from all TDGSS functions will be formatted and displayed.

If num is non-zero, LDAP logging is also enabled, with num used as OpenLDAP's trace flags.

The output includes the user's password and the database service password, in both the character interpretation and the dumped hex. Both forms must be redacted before this trace information is shared.
-l Dumps TDNEGO logs if TDNEGO is the chosen mechanism.
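The -V caveat above matters in practice: a trace has to be scrubbed in both forms before it leaves the system. The following Python script is an added example, not part of the Teradata documentation or of the tdgssauth tool; it assumes a dump layout of whitespace-separated two-digit hex bytes beside a printable character column (the sample trace is constructed), masks each secret in both forms, and reports any fragment that survives, such as a value split across two dump lines, so it can be fixed by hand.

```python
import re
from typing import Iterable

# Assumed dump layout: two-digit hex bytes separated by whitespace, plus a
# printable character column. The sample is constructed, not real tdgssauth output.
SAMPLE_TRACE = """\
tdgssauth: mechdata = "user1 Passw0rd!" profile=myprofile
token[0] 00000000  75 73 65 72 31 20 50 61 73 73 77 30 72 64 21 20  |user1 Passw0rd! |
token[0] 00000010  70 72 6f 66 69 6c 65 3d 6d 79 70 72 6f 66 69 6c  |profile=myprofil|
token[1] 00000000  73 76 63 3a 53 65 72 76 69 63 65 50 77 31 32 33  |svc:ServicePw123|
token[1] 00000010  34 35 0a                                         |45.|
"""
SECRETS = ["Passw0rd!", "ServicePw12345"]  # user password, service password (constructed)

def _hex_regex(data: bytes) -> re.Pattern:
    """Match `data` as whitespace-separated hex byte tokens, in either case."""
    body = r"\s+".join(f"{b:02x}" for b in data)
    return re.compile(rf"(?<![0-9a-f]){body}(?![0-9a-f])", re.IGNORECASE)

def redact_trace(trace: str, secrets: Iterable[str], mask: str = "<REDACTED>") -> tuple[str, int]:
    """Blank each secret in the character column and in the hex dump.
    Returns (redacted_trace, number_of_replacements)."""
    total = 0
    for secret in sorted(set(secrets), key=len, reverse=True):  # longest first
        if not secret:
            continue
        trace, n = re.subn(re.escape(secret), mask, trace)  # exact, case-sensitive
        total += n
        raw = secret.encode("utf-8")
        hex_mask = " ".join(["xx"] * len(raw))  # keeps the column width of the dump
        trace, n = _hex_regex(raw).subn(hex_mask, trace)
        total += n
    return trace, total

def residual_fragments(trace: str, secrets: Iterable[str], min_len: int = 4) -> list[str]:
    """Fragments of a secret that survive redaction, e.g. a value split across
    two dump lines, which redact_trace cannot match. Checks text and hex form."""
    found = set()
    for secret in set(secrets):
        raw = secret.encode("utf-8")
        for i in range(len(raw) - min_len + 1):
            chunk = raw[i:i + min_len]
            text = chunk.decode("utf-8", "ignore")
            if (text and text in trace) or _hex_regex(chunk).search(trace):
                found.add(text)
    return sorted(found)

if __name__ == "__main__":
    out, count = redact_trace(SAMPLE_TRACE, SECRETS)
    print(out)
    print(f"{count} replacements; leftovers to fix by hand: {residual_fragments(out, SECRETS)}")
```

In the sample the first password is removed from the mechdata line, the character column and the hex bytes, while the service password that wraps onto a second dump line is left for the operator and surfaced by the residual check.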

Rules for tdgssauth Options That Control Authentication

The tdgssauth options that control authentication are: -u, -w, and -a. The following rules apply for using these options:

  • If the mechanism supports authentication then at least one of -u or -a must be specified.
  • If the mechanism supports authentication and -u is specified, the user's name and password are placed into a properly escaped and quoted User Principal Name (UPN). If -a is also specified, a space character and the value of the -a option are appended to the UPN, and the resulting string is used as the mechdata (.logdata).
  • If the mechanism supports authentication and -u is not specified, -a must be specified and the value passed must be complete mechdata, which includes the user's name and password (legacy mode).
  • If the mechanism does not support authentication, then -u must be specified only if security policy checks are to be made.