Re: Is OS authentication secure enough?

From: Barry Johnson <BJohnson_at_WorldBank.Org>
Date: 1996/12/17
Message-ID: <32B71871.751D@WorldBank.Org>#1/1

Chuck Hamilton <chuckh_at_dvol.com> wrote:
>Bob Yeh <ryeh_at_juno.com> wrote:
>>I am running server 7.2 on Sun Solaris 2.4(sql*net 2.2) with PC Window
>>and UNIX clients. Is using OS authentication secure enough?
>
>I think so. But it won't let you connect as an OPS$ (o/s
>authenticated) user from an unsecured o/s like Windows or DOS. If the
>client o/s doesn't require a user name and password to log in, the
>server won't let you connect to an OPS$ user. Unix to unix will work
>fine, but not DOS to unix.

...but it *will* let you connect as an OPS$ account from a not-really-secure O/S like Windows 95 if you have Remote_OS_Authent set appropriately in the server's Init.Ora.

Of course, if the connection is via TCP/IP can you *really* trust whatever the client claims to be telling you anyway...unless, perhaps, you are using Oracle's extra-cost Advanced Networking Option??  

The bottom line is: it's an all-or-nothing deal, and you are placing your trust on the authentication strength of your client workstations. If the weakest of those is not very good, then your overall level of trustworthiness is...not very good! (Do you *know* where all your workstations are??)

Of course the alternative - Oracle's own password-based authentication - is also virtually a no-op out-of-the-box since there is zero password administration...unless you buy into what ANO might offer or go for a 3rd party addon...or wait against the promise that Oracle V8 fixes that?

-- 
Barry Johnson  -  BJohnson_at_WorldBank.Org  -  ph. (202)458-0585
Received on Tue Dec 17 1996 - 00:00:00 CST
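
Added example, not part of the original post or of any Oracle tooling: a small audit of an Init.Ora for the Remote_OS_Authent setting discussed above, reporting whether the server will trust a client's claimed OS user for prefixed accounts. The sample file contents, the function names and the "later assignment replaces an earlier one" handling are assumptions.

```python
import re

# Constructed sample Init.Ora contents (not taken from the original post).
SAMPLE_INIT_ORA = """\
# constructed sample
db_name = PROD
REMOTE_OS_AUTHENT = true   # allow OPS$ logins over SQL*Net
os_authent_prefix = "OPS$"
"""

_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_$]*)\s*=\s*(.*?)\s*$")

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside quoted values."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def parse_init_ora(text):
    """Return {lowercased name: value}; a later assignment replaces an earlier one (assumption)."""
    params = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(strip_comment(raw))
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unquote "OPS$"
        params[name] = value
    return params

def audit_os_authent(text):
    """Flag a configuration where the server trusts the remote client's OS login."""
    p = parse_init_ora(text)
    # Documented defaults: remote_os_authent is FALSE, os_authent_prefix is OPS$.
    remote = p.get("remote_os_authent", "false").lower() == "true"
    prefix = p.get("os_authent_prefix", "OPS$")
    findings = []
    if remote:
        findings.append(f"remote_os_authent=TRUE: {prefix}* accounts are only as "
                        "strong as the weakest client workstation's login")
    return {"remote_os_authent": remote, "os_authent_prefix": prefix, "findings": findings}
```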
