Sent by: [EMAIL PROTECTED]
06/27/2003 12:44 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:
Subject:Re: oracle authentication from windows
Thanks reginald, Jared , Mladen,..
I set
To:
[EMAIL PROTECTED]
: Sent by: cc:
: [EMAIL PROTECTED] Subject: Re: oracle
authentication from windows
: com
:
:
: 06/21/2003 08:49
: PM
Arup,
thanks for your detailed feedback
Comments inline
(1) The use of remote_os_authent is false, then it simply means that users
from another machine can't log in using OPS$ accounts. Needless to say, this
reduces the security and must be weighed a bit more carefully than usual.
Here I
Hi Arup,
At 21:59 21/06/2003 -0800, you wrote:
Snip...
An OS user called scott will be able to connect as the database user
OPS$SCOTT, not SCOTT - a big difference. This is why the os_authent_prefix
parameter is so important to set; don't leave it as null. If it is null,
then the OS user scott
Gilles,
Here is a lowdown on the security aspects related to the OS authentication.
(1) The use of remote_os_authent is false, then it simply means that users
from another machine can't log in using OPS$ accounts. Needless to say, this
reduces the security and must be weighed a bit more
Hi Beth,
See in Aaron's book page 196, second paragraph for changing domain names
on win 95,98 untrusted clients. Perhaps I wasn't clear; what I was saying
is that it is possible to connect to the database from a PC that is not
authenticated on the domain using an untrusted client.
Have a look at
] Subject: Re: oracle authentication
from windows
com
: Gogala, Mladen
To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 4:19 PM
Subject: RE: oracle authentication from windows
That, of course, will render your database totally insecure and open to
anybody who can bring in a WinXP laptop, change the windoze username
Hi Arup,
Thanks for the reply, I agree with you that ops$ accounts are definitely
weaker than database authenticated accounts. I would always advocate
trying to find another way to allow access if possible, I understand
that in some cases remote authentication is what an organisation chooses
to
No, that's not true. It actually uses your NT security token to
validate that you are authenticated in the domain. You can't just give
a rogue PC the same domain name, boot it up, and log into the database
with external authentication. The PC would have to be a domain member,
which means you
Because external authentication checks the domain name you are logged
into. You can't log into a local user JKILCHOE and connect to the
externally authenticated database user MYDOMAIN\JKILCHOE.
Beth
-Original Message-
Sent: Friday, June 20, 2003 4:05 PM
To: Multiple recipients of list
Hi Pete,
I don't think that's true about booting a PC with the same domain name
that's not really part of the domain. Have you ever tried it? I'd be
really interested if it works.
I don't understand the part about booting into Linux and changing the
username as it's sent. Isn't the only
Hello arup , I am using oracle 9.2.0.1.0 enterprise edition on windows
xp
my os_authent_prefix='' (I know, after reading your post, that it's a
security flaw ,but since this is just a test database on a single
computer not on the network, let it be )
: Are you logging in the server through
Beth when the whole setup uses a workgroup and people log into their
local machines rather than being authenticated by a domain server ?
- Original Message -
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Monday, June 23, 2003 03:34
:
: No, that's not true. It
Hi Arup,
The example was an application I saw recently, the administration was
application administration via a form that included adding and
maintaining Oracle users. The people who used it were not DBA's but
their users had been granted the DBA role.
I think we will have to agree to disagree
: oracle authentication from windows
We want our client users ( forms user ) to just enter windows
password and then automatically able to get in to oracle. Is there a
way oracle can authenticate from windows ( or active directory )?
embedding password in runform.exe not an option.
thanks
Hi Pete,
I think you misunderstood. OPS$ accounts are weaker than the regular
accounts; but I maintain that they are not so insecure that they should be
outright banned. My position is they can be created if needed, but the
privileges should be granted judiciously, something that has to be done
OPS$ accounts are, basically, Oracle's attempt to implement single sign-on.
OPS$ accounts are not a problem, as long as there is no network involved
because your oracle database is as secure as the underlying OS. You can not
have more security. When there is a network involved, everything is OK as
:
:
:- Original Message -
:From: AK
:To: Multiple recipients of list ORACLE-L
:Sent: Thursday, June 19, 2003 1:10 PM
:Subject: oracle authentication from windows
:
:
:We want our client users ( forms user ) to just enter windows
: password and then automatically
recipients of list ORACLE-L
:Sent: Thursday, June 19, 2003 1:10 PM
:Subject: oracle authentication from windows
:
:
:We want our client users ( forms user ) to just enter windows
: password and then automatically able to get in to oracle .Is there
a
: way oracle can authenticate
Hi Arup,
Remote OS authentication whether with OPS$ or not is still a risk. You
are intimating that SYSTEM is the only risky account involved here. What
if any of the newly created OPS$ accounts have useful privileges. I have
seen a similar application to the one described recently. There were
PROTECTED]
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Subject: RE: oracle authentication from windows
Date: Thu, 19 Jun 2003 12:19:59 -0800
That, of course, will render your database totally insecure and open to
anybody
who can bring in a WinXP laptop, change the windoze username
I disagree. Remote OS authentication is not inherently insecure in
Windows like it is in Unix. If you prefix the account names with the
domain name, a user would not only have to spoof the username, he would
have to spoof the domain name too. At that point, you probably have
bigger problems
2003 10:46
AM
Subject: Re: oracle authentication from
windows
Arup,
why someone can't create account like ops$system
on xp and get in . If they can create system then y not ops$system . Secondly
OS authentication means operating system is going to take care of auth. rite ?
. It'
Got it . Thanks Arup .
-ak
- Original Message -
From:
Arup Nanda
To: Multiple recipients of list ORACLE-L
Sent: Friday, June 20, 2003 8:54 AM
Subject: Re: oracle authentication from
windows
AK,
The issue is not creating an id called OPS$
SYSTEM
are running Oracle on Unix so our batch jobs
use
O/S authenticated ids.
From: Gogala, Mladen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Subject: RE: oracle authentication from windows
Date: Thu, 19 Jun 2003 12:19:59 -0800
Pete,
Appreciate your comments. You are right in stating that if the OPS$ accounts
have special privs they might be abused. But how it is any different than
any other user id with special privileges whose password is not guarded
well? The security hole does not come from the fact that
]
Subject: RE: oracle authentication from windows
Date: Thu, 19 Jun 2003 12:19:59 -0800
That, of course, will render your database totally insecure and open to
anybody
who can bring in a WinXP laptop, change the windoze username and log in
as
he pleases.
DBA that sets his production parameters
(my question follows)
-Original Message-
From: Seefelt, Beth [mailto:[EMAIL PROTECTED]
I disagree. Remote OS authentication is not inherently insecure in
Windows like it is in Unix. If you prefix the account names with the
domain name, a user would not only have to spoof the
Beth,
You are right in stating that OPS$ accounts are not inherently insecure.
How is the inclusion of domain name any more secure than using OPS$?
Granted, the hacker has to guess the domain name in addition to user name,
but so is using any other prefix other than OPS$.
Besides if the users
: Friday, June 20, 2003 12:16 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: oracle authentication from windows
Pete,
Appreciate your comments. You are right in stating that if the
OPS$ accounts
have special privs they might be abused. But how it is any
different than
any
Hi Beth
OK, I get your point but Arup was talking about automatic connections by
setting remote_os_authent to true where you can either set the prefix to
OPS$ or use identified externally. For these connections the user should
not be prefixed by the domain name in the database. On the other hand
comes up; use that instead.
HTH.
Arup Nanda
www.proligence.com
- Original Message -
From: AK
To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 1:10 PM
Subject: oracle authentication from windows
We want our client users ( forms user ) to just enter
We want our client users ( forms user ) to
just enter windows password and then automatically able to get in to oracle .Is
there a way oracle can authenticate from windows ( or active directory ) .
embedding password in runform.exe not an option .
thanks,
-ak
Hm
I haven't tried on Windows, but...
have you tried: IDENTIFIED EXTERNALLY???
using remote authentication I guess...
HTH
JL
--- AK [EMAIL PROTECTED] wrote:
We want our client users ( forms user ) to just
enter windows password and then automatically able
to get in to oracle .Is
in the "no spin
zone".
Mladen Gogala Oracle DBA Phone:(203) 459-6855
Email:[EMAIL PROTECTED]
-Original Message-
From: Arup Nanda [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 3:46 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: oracle authentication fr
Got it . Thanks Arup .
- Original Message -
From:
Arup Nanda
To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 12:45
PM
Subject: Re: oracle authentication from
windows
Sure.
Just declare these in your init.ora
essage -
From:
Gogala, Mladen
To: Multiple recipients of list ORACLE-L
Sent: Thursday, June 19, 2003 4:19
PM
Subject: RE: oracle authentication from
windows
That, of course, will render your database totally
insecure and open to anybody
who
can bring in a