Home » SQL & PL/SQL » Client Tools » externaly identified
externaly identified [message #303697] Sun, 02 March 2008 02:08 Go to next message
Bobby_007
Messages: 4
Registered: March 2008
Junior Member
Hello all,

I have a user created with dba privilege which is identified externally on the oracle server on Unix.

I would like to connect to the same user using toad/ sqlplus from clinet machine? How do I do that?

It always asks for the password.

Please reply ASAP...

Many thanks in advance.
Re: externaly identified [message #303699 is a reply to message #303697] Sun, 02 March 2008 02:16 Go to previous messageGo to next message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
I hope you can't otherwise your DBA made a poor work and let a big security hole.

Regards
Michel
Re: externaly identified [message #303733 is a reply to message #303697] Sun, 02 March 2008 08:38 Go to previous messageGo to next message
Bobby_007
Messages: 4
Registered: March 2008
Junior Member
Hi Michel,

I did not get you at all?
I am sure that should be a way to work using toad / and using SQL window on client machine using the login which is identified externally?

Just think about it, I do not have access to unix machine where database resides, I have been given a login which is identified externally and have been asked to run queries using either toad / SQL*Plus. How would I login to Toad/SQL*Plus?

Regards,
Bobby
Re: externaly identified [message #303735 is a reply to message #303733] Sun, 02 March 2008 08:46 Go to previous messageGo to next message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Ask your DBA to give you an account with password.
Allowing "/" connection from a remote machine is one of the greatest security holes.
Think about it. Anyone knowing your account name can connect from any machine without giving a password. What can be worst? Giving you DBA privileges.

If any DBA allows this in my place I immediatly ask for him to be fired.

Regards
Michel

[Updated on: Sun, 02 March 2008 08:48]

Report message to a moderator

Re: externaly identified [message #303739 is a reply to message #303697] Sun, 02 March 2008 09:58 Go to previous messageGo to next message
Bobby_007
Messages: 4
Registered: March 2008
Junior Member
Hi Michel,

Thanks a log for your reply and I understand the security concern you poiting out here and that is very much appreciated.

But is it really possbile to use any account which identified externally (may be not with DBA privileges) to use in Toad / SQL*Plus ?

Thanks a lot for your interest in the post.

Regards,
Bobby
Re: externaly identified [message #303741 is a reply to message #303739] Sun, 02 March 2008 10:41 Go to previous messageGo to next message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Yes, it is possible, in the same way that locally.

Regards
Michel
Re: externaly identified [message #303749 is a reply to message #303697] Sun, 02 March 2008 11:53 Go to previous messageGo to next message
Bobby_007
Messages: 4
Registered: March 2008
Junior Member
Hi Michel,

That was too brief answer for me to understand.
Can you please explain in detail or may be with an example which will allow me to connec to toad.

Many thanks in advance.

Bobby
Re: externaly identified [message #303754 is a reply to message #303749] Sun, 02 March 2008 12:14 Go to previous messageGo to next message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
I don't know TOAD, I answer for SQL*Plus: connect /@mydb

Regards
Michel

[Updated on: Sun, 02 March 2008 12:17]

Report message to a moderator

Re: externaly identified [message #303788 is a reply to message #303754] Sun, 02 March 2008 20:04 Go to previous messageGo to next message
rleishman
Messages: 3724
Registered: October 2005
Location: Melbourne, Australia
Senior Member
I for one would be very interested in how to do this.

It is my understanding that you can ONLY connect to externally authenticated accounts FROM THE SERVER. If you are running Oracle on Windows and using TOAD (locally) on the same machine, it may be possible, but that's not what you are talking about.

I read something a while ago about proxy authentication, but I got confused and stopped reading. It may be relevant, maybe not.

Until Michel posts a nice counter-example, I'm going to stick with my current understanding that you cannot connect remotely to an externally authenticated account.

Ross Leishman
Re: externaly identified [message #303837 is a reply to message #303788] Mon, 03 March 2008 00:26 Go to previous messageGo to next message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Reference, REMOTE_OS_AUTHENT

Database Advanced Security Administrator's Guide
Chapter 10 Database Advanced Security Administrator's Guide
Section 10.4 Configuring Oracle Database for External Authentication
Subsection 10.4.2 Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE

Database Security Guide
Chapter 7 Security Policies
Section 7.6 A Security Checklist
Point 6 Enforce access controls effectively and authenticate clients stringently.

Regards
Michel


Re: externaly identified [message #304042 is a reply to message #303837] Mon, 03 March 2008 19:36 Go to previous messageGo to next message
rleishman
Messages: 3724
Registered: October 2005
Location: Melbourne, Australia
Senior Member
Well there you go. Still not sure I understand it, so I think I'll steer clear.
Re: externaly identified [message #304099 is a reply to message #304042] Tue, 04 March 2008 01:00 Go to previous messageGo to next message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
If REMOTE_OS_AUTHENT is set to TRUE and you have a user identified externally then Oracle trust the remote OS and allow you to connect without a password if your OS user match the Oracle one (more or less os_authent_prefix).

Regards
Michel
Re: externaly identified [message #304321 is a reply to message #304099] Tue, 04 March 2008 20:16 Go to previous messageGo to next message
rleishman
Messages: 3724
Registered: October 2005
Location: Melbourne, Australia
Senior Member
So, pretty much anyone inside your company firewall with Admin rights on their PC can install the Oracle Net client, create a local Windows user, and access an externally authenticated account.

Nice.
Re: externaly identified [message #304359 is a reply to message #304321] Wed, 05 March 2008 00:18 Go to previous message
Michel Cadot
Messages: 64131
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Exactly! So my remarks on security and what I will do to a DBA that let this in one of his databases.

Regards
Michel
Previous Topic: HTML Report
Next Topic: Can't run SQL Plus from non administrator windows user
Goto Forum:
  


Current Time: Wed Dec 07 12:59:12 CST 2016

Total time taken to generate the page: 0.12684 seconds