Re: os authenticated accounts

From: Mark Brinsmead <pythianbrinsmead_at_gmail.com>
Date: Tue, 4 Mar 2008 22:18:10 -0700
Message-ID: <cf3341710803042118h1f443a94w6c75df160ac56145@mail.gmail.com>

Is checking the source IP in a trigger reliable?

I do not recall the source, but I had the impression that that information is provided (directly) by the client, not by the TNS listener, and can (relatively) easily be spoofed. Also, the method would break down -- or be tricked -- when using "proxied" connections, e.g., port-forwarding through SSH, or possibly Oracle Connection Manager. (Never used the latter myself.) It would also be problematic if there are NAT-enabled firewalls anywhere along your network route.

Every case needs to be judged on its own merits, but basically it is my practice to award REMOTE_OS_AUTHENTICATION=TRUE an *automatic* "Fail" on any security review, even (or especially) where there are no EXTERNALLY IDENTIFIED accounts present in the database. While I have never actually attempted to "hack" or "spoof" it, my understanding is that it is all too easy.

For those who can afford it, though, the Advanced Security Option and/or Database Vault offer secure alternatives, I believe. I have stumbled across these options myself while answering similar questions, but it has been so many years since I've been at a site with pockets deep enough (or business needs serious enough) to actually consider these expensive options, I have never really investigated them in any real depth.

*sigh* Working for regulated utilities *did* have its advantages... :-)

Of course, the O.P. only asked "is this possible?", and the answer is "yes, it certainly is". What a shame he did not ask instead "is this wise?".

:-)

On Tue, Mar 4, 2008 at 12:02 PM, Powell, Mark D <mark.powell_at_eds.com> wrote:

>
> I have always preferred to set the os_authent_prefix='' rather than
> OPS$.
>
> I am not sure if trying to limit the node access is practical since I do
> not think the node checking can be associated to usernames in the sqlnet
> layer. You might need to resort to checking the IP for any OS
> authenticated accounts in an after logon database event trigger.
>
>
> -- Mark D Powell --
> Phone (313) 592-5148
>
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of QuijadaReina, Julio
> C
> Sent: Tuesday, March 04, 2008 9:52 AM
> To: 'mdemenko_at_gmail.com'; joe_dba_at_hotmail.com
> Cc: oracle-l_at_freelists.org
> Subject: RE: os authenticated accounts
>
> Yes, it is possible.
> The following parameters on your database init.ora relating to this are
> (if my memory serves me correctly):
> remote_os_authent=true
> os_authent_prefix=ops$
>
> Create the account you will use on your Linux box. Then create the
> externally identified account on your database. From your Linux client
> you should be able to connect by issuing 'sqlplus /' after setting the
> client environment.
>
> A word of caution: anyone knowing your database tnsnames and the name of
> the account could potentially connect to your database. That sounds
> pretty bad! You might want to look into tcp.validnode_checking and
> tcp.invited_nodes pars on your server's sqlnet.ora and/or have the OS
> firewall setting that opens the listener port only to your linux client.
>
> Julio
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Maxim Demenko
> Sent: Tuesday, March 04, 2008 1:05 AM
> To: joe_dba_at_hotmail.com
> Cc: oracle-l_at_freelists.org
> Subject: Re: os authenticated accounts
>
> Joe Smith schrieb:
> > Is it possible to use OS authenticated accounts ( i.e. identified
> > externally ) between two servers?
> >
> > I have a linux box with with an oracle client install and an aix
> > server with EE installed.
> >
> > The external account was originally on the aix server. We want to
> > move the 3rd party app and the account to a linux box.
> >
> > thanks.
> >
> >
> > ----------------------------------------------------------------------
> > -- Shed those extra pounds with MSN and The Biggest Loser! Learn more.
> > <http://biggestloser.msn.com/>
> You may look on the external users identified by ssl certificates (if
> you are on 10g onwards).
> Not sure about additional licensing costs (i.e. whether it is part of
> ASO or not).
>
> Best regards
>
> Maxim
> --
> http://www.freelists.org/webpage/oracle-l
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
Cheers,
-- Mark Brinsmead
  Senior DBA,
  The Pythian Group
  http://www.pythian.com/blogs

--
http://www.freelists.org/webpage/oracle-l

Received on Tue Mar 04 2008 - 23:18:10 CST

This message: [ Message body ]
Next message: Nuno Souto: "Re: Oracle DBA future"
Previous message: Dan Norris: "Re: RAC changing network interface configuration"
In reply to: Powell, Mark D: "RE: os authenticated accounts"
Next in thread: QuijadaReina, Julio C: "RE: os authenticated accounts"
Reply: QuijadaReina, Julio C: "RE: os authenticated accounts"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message