Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: ops$/w2k/"secure" connections question

RE: ops$/w2k/"secure" connections question

From: Boivin, Patrice J <>
Date: Fri, 17 Aug 2001 12:15:45 -0700
Message-ID: <>

I was asking myself the same question as I was reading through the Oracle9i Security features on the Oracle web site, single-sign on is in there. They also mention OS authentication as a great thing. That puzzled me for a bit.

I may have figured it out, though, let me know if this makes sense.

I guess they assume that if you are concerned about Oracle, you are going to use encrypted networking and passwords. You know that without the Trusted Oracle or Secure Networking options, or some other 3rd party network security setup, Oracle passwords are transmitted in clear text over the network... right?

So if you have Oracle logons, anyone with a packet can grab the Oracle passwords. A packet monitor is one shipped for free with the NT distribution disks although it only monitors the NT server's own NIC. But you can grab some at hundreds of Web sites on the 'net, it would take just a few minutes to find one, download it, and start using it.

i.e. all your networking techies know what the Oracle passwords, or they can easily find out if they are so inclined. i.e. your power users also are quite capable of finding out what the Oracle passwords are.

Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique 
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: <>

        -----Original Message-----
        From:   Koivu, Lisa []
        Sent:   Friday, August 17, 2001 4:38 PM
        To:     Multiple recipients of list ORACLE-L
        Subject:        ops$/w2k/"secure" connections question

        After much fiddling, I got ops$ (os authenticated) logons to work in
my w2k db. However, I'm confused. I had to set REMOTE_OS_AUTHENT = TRUE in order for this to work. See snippet from doco below.

        I'm doing this all locally. When I set REMOTE_OS_AUTHENT=FALSE it does not work. My question is, why is a local connection seen as non-secure? I can connect via sqlplus with the listener down, so I'm not running into the restriction with Net8.

        Thanks in advance for any comments you may have.

        <-- from doco 
        By default, Oracle only allows operating system authenticated logins
over secure connections. Therefore, if you want the operating system to authenticate a user, by default that user cannot connect to the database over Net8. This means the user cannot connect using a multi-threaded server, since this connection uses Net8. This default restriction prevents a remote user from impersonating another operating system user over a network connection.

        If you are not concerned about remote users impersonating another operating system user over a network connection, and you want to use operating system user authentication with network clients, set the parameter REMOTE_OS_AUTHENT (default is FALSE) to TRUE in the database's initialization parameter file. Setting the initialization parameter REMOTE_OS_AUTHENT to TRUE allows the RDBMS to accept the client operating system username received over a non-secure connection and use it for account access.


        Lisa Koivu 
        Oracle Database Administrator 
        Fairfield Resorts, Inc. 
Please see the official ORACLE-L FAQ:
Author: Boivin, Patrice J

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Fri Aug 17 2001 - 14:15:45 CDT

Original text of this message