Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: oracle authentication from windows

Re: oracle authentication from windows

From: Gilles PARC <>
Date: Tue, 24 Jun 2003 13:41:43 -0700
Message-ID: <>

Hi Arup,

At 21:59 21/06/2003 -0800, you wrote:

>An OS user called scott will be able to connect as the database user
>OPS$SCOTT, not SCOTT - a big difference. This is why the os_authent_prefix
>parameter is so important to set; don't leave it as null. If it is null,
>then the OS user scott can connect to database user scott.

Maybe I miss the obvious..
Considering remote_os_authent=false, why for LOCAL connections os_authent_prefix='' is inherently less secure than os_authent_prefix=OPS$ or whatever string you choose.
In each case, the prerequisite is to create the user "identified externally" (that's where you MUST be cautious)
But if scott is created with a password (i.e create user scott identified by tiger)
then no OS user scott can log on whatever the os_authent_prefix is. At least that's how I understand the feature. Can you please elaborate on the security issue ?

>> Any ideas how to restrict the externally identified users so that they
>> have to log in to the database server to access their oracle schemas.?
>Well, they are mutually exclusive. A user is authenticated by either the
>database or externally, not both. So if you create user scott identified
>externally, you are allowing him to bypass database authentication. If you
>don't want that, then you would create user SCOTT identified by a password.

In fact if os_authent_prefix=OPS$ and ONLY in this case, you can still do this (it's inherited from V6 days but still working with Oracle 9i R2) :

create user ops$arup identified by nanda; grant create session to ops$arup;
And know you can either connect with
sqlplus /
sqlplus /nolog
connect ops$arup/nanda
sqlplus /nolog
connect ops$arup
password : nanda

Although it doesn't work directly from the command line like sqlplus ops$arup/nanda
or sqlplus ops$arup
password : nanda
(But works again after you get
 Enter username for a 2nd try)


Gilles Parc

carpe diem !!

Please see the official ORACLE-L FAQ:
Author: Gilles PARC

Fat City Network Services    -- 858-538-5051
San Diego, California        -- Mailing list and web hosting services
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Tue Jun 24 2003 - 15:41:43 CDT

Original text of this message