I was asking myself the same question as I was reading through the Oracle9i
Security features on the Oracle web site, single-sign on is in there. They
also mention OS authentication as a great thing. That puzzled me for a bit.
I may have figured it out, though, let me know if this makes sense.
I guess they assume that if you are concerned about Oracle, you are going to
use encrypted networking and passwords. You know that without the Trusted
Oracle or Secure Networking options, or some other 3rd party network
security setup, Oracle passwords are transmitted in clear text over the
network... right?
So if you have Oracle logons, anyone with a packet can grab the Oracle
passwords. A packet monitor is one shipped for free with the NT distribution
disks although it only monitors the NT server's own NIC. But you can grab
some at hundreds of Web sites on the 'net, it would take just a few minutes
to find one, download it, and start using it.
i.e. all your networking techies know what the Oracle passwords, or they can
easily find out if they are so inclined.
i.e. your power users also are quite capable of finding out what the Oracle
passwords are.
HTH
Patrice Boivin
Systems Analyst (Oracle Certified DBA)
Systems Admin & Operations | Admin. et Exploit. des syst�mes
Technology Services | Services technologiques
Informatics Branch | Direction de l'informatique
Maritimes Region, DFO | R�gion des Maritimes, MPO
E-Mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
-----Original Message-----
From: Koivu, Lisa [SMTP:[EMAIL PROTECTED]]
Sent: Friday, August 17, 2001 4:38 PM
To: Multiple recipients of list ORACLE-L
Subject: ops$/w2k/"secure" connections question
After much fiddling, I got ops$ (os authenticated) logons to work in
my w2k db. However, I'm confused. I had to set REMOTE_OS_AUTHENT = TRUE in
order for this to work. See snippet from doco below.
I'm doing this all locally. When I set REMOTE_OS_AUTHENT=FALSE it
does not work. My question is, why is a local connection seen as
non-secure? I can connect via sqlplus with the listener down, so I'm not
running into the restriction with Net8.
Thanks in advance for any comments you may have.
<-- from doco
By default, Oracle only allows operating system authenticated logins
over secure connections. Therefore, if you want the operating system to
authenticate a user, by default that user cannot connect to the database
over Net8. This means the user cannot connect using a multi-threaded server,
since this connection uses Net8. This default restriction prevents a remote
user from impersonating another operating system user over a network
connection.
If you are not concerned about remote users impersonating another
operating system user over a network connection, and you want to use
operating system user authentication with network clients, set the parameter
REMOTE_OS_AUTHENT (default is FALSE) to TRUE in the database's
initialization parameter file. Setting the initialization parameter
REMOTE_OS_AUTHENT to TRUE allows the RDBMS to accept the client operating
system username received over a non-secure connection and use it for account
access.
-->
Lisa Koivu
Oracle Database Administrator
Fairfield Resorts, Inc.
954-935-4117
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Boivin, Patrice J
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
