Hi Arup,

At 21:59 21/06/2003 -0800, you wrote:
<Snip>...
>An OS user called scott will be able to connect as the database user
>OPS$SCOTT, not SCOTT - a big difference. This is why the os_authent_prefix
>parameter is so important to set; don't leave it as null. If it is null,
>then the OS user scott can connect to database user scott.
>

Maybe I miss the obvious..
Considering remote_os_authent=false, why for LOCAL connections is
os_authent_prefix='' inherently less secure than os_authent_prefix=OPS$
or whatever string you choose?
In each case, the prerequisite is to create the user "identified externally"
(that's where you MUST be cautious).
But if scott is created with a password (i.e. create user scott identified by tiger)
then no OS user scott can log on, whatever the os_authent_prefix is.
At least that's how I understand the feature.
Can you please elaborate on the security issue?

>> Any ideas how to restrict the externally identified users so that they
>> have to log in to the database server to access their oracle schemas?
>
>Well, they are mutually exclusive. A user is authenticated by either the
>database or externally, not both. So if you create user scott identified
>externally, you are allowing him to bypass database authentication. If you
>don't want that, then you would create user SCOTT identified by a password.
>

In fact if os_authent_prefix=OPS$ and ONLY in this case, you can still do this
(it's inherited from V6 days but still working with Oracle 9i R2):

    create user ops$arup identified by nanda;
    grant create session to ops$arup;

And now you can either connect with

    sqlplus /

or

    sqlplus /nolog
    connect ops$arup/nanda

or

    sqlplus /nolog
    connect ops$arup
    password : nanda

Although it doesn't work directly from the command line like

    sqlplus ops$arup/nanda

or

    sqlplus ops$arup
    password : nanda

(But works again after you get Enter username for a 2nd try)

Regards

Gilles Parc

carpe diem !!
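An audit query for the settings discussed in this message, added here as an example and not part of the original post. It assumes Oracle 9i/10g, where DBA_USERS.PASSWORD holds the literal EXTERNAL for accounts created "identified externally", and a session with SELECT on DBA_USERS and V$PARAMETER.

```sql
-- Added example, not from the original post.
-- Assumption: DBA_USERS.PASSWORD = 'EXTERNAL' marks externally identified
-- accounts (Oracle 9i/10g data dictionary).

-- 1. The two parameters the thread turns on.
--    remote_os_authent should read FALSE; os_authent_prefix shows the
--    string prepended to the OS user name (NULL when set to '').
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Every account that can be reached with "sqlplus /".
--    a) accounts identified externally (OS logon only), and
--    b) accounts that carry the prefix AND a password, which accept
--       both the OS logon and the password logon. This dual mode only
--       exists when the prefix is non-empty, so a NULL prefix matches
--       nothing in branch b).
SELECT u.username,
       CASE
         WHEN u.password = 'EXTERNAL'
           THEN 'OS only (identified externally)'
         ELSE 'OS or password (prefixed account with a password)'
       END AS logon_paths,
       u.account_status
  FROM dba_users u,
       (SELECT UPPER(value) AS prefix
          FROM v$parameter
         WHERE name = 'os_authent_prefix') p
 WHERE u.password = 'EXTERNAL'
    OR SUBSTR(u.username, 1, LENGTH(p.prefix)) = p.prefix
 ORDER BY u.username;
```

Any row that is not expected to allow a password-less local logon is a candidate for review: either recreate it with a password under a name that does not carry the prefix, or revoke its privileges.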
