Newsgroups: c.d.o.misc

Re: OS Password authentication

From: Ruben Safir <ruben_at_llinderman.dental.nyu.edu>
Date: Mon, 08 Nov 1999 16:53:47 GMT
Message-ID: <veDV3.12$nO.4489@typhoon.nyu.edu>


[Posted and mailed]

>
>>When we are refering to A password file, are we talking about THE /etc/passwd
>>file in Unix or something created by Oracle?

OK, that's cleared up. Oracle cannot use the /etc/passwd file for authorization.

>
> No. This is strictly Oracle. The password file I am referring is one the DBA
> creates to provide selected users with the privileges of a SYS user, the most
> powerful.
>
> This password file is created with the orapwd utility from Oracle, from the o/s
> command line (and with the database shutdown).

Can this be done with an SQL command in SVRMGRL?

I try to understand how things are done before leaning on automated tools. It helps me understand things.

> Once this password file is created, the SYS user (and let's assume you can
> connect as SYS) can give this privilege to other people by granting SYSDBA
> and/or SYSOPER to another database user.

Through /etc/group authorization into the DBA group?

> Let's say that user "Jean" works with you as assistant DBA and you want to give
> her SYS privileges (startup, shutdown etc.). You can do two things. Just give
> her the SYS password. The second, you create the password file we are talking
> about.
>

I can't just include her in group DBA? Or is this in addition to putting her in group DBA, and then creating the password file for accountability? Of course this accountability is needed, as you outline ---

>
> Following with the second option,

OK - The first option was to create the Password file. Now the second option is to use the SQL command GRANT

Am I understanding this correctly?

> then connected as SYS ( or internal, which is
> the same) you grant Jean SYSDBA (and/or SYSOPER) privileges. However, Jean is
> not part of the dba group yet. For her to connect with SYS privileges, the
> parameter REMOTE_LOGIN_PASSWORDFILE needs to be set to EXCLUSIVE, as long as
> Jean knows the password from the password file. If it is set to NONE, then only
> you (SYS) can connect. Jean will have insufficient privileges.
>

Unless she is added to the correct group - if I'm following correctly.

> Another option is to make Jean part of the dba group. This way she can log in
> as SYS without the need of any password. This is what I think your
> documentation calls to be o/s authenticated. In this case, you can set
> REMOTE_LOGIN_PASSWORDFILE to NONE and Jean can still connect.
>

I think I understand.

So without her being a member of the group, she can get the SYS role if the password file is created. The REMOTE_LOGIN_PASSWORDFILE parameter can bypass the /etc/group settings if it is set to EXCLUSIVE. Otherwise, she needs to be part of the group dba on the OS level.

Ruben: <<The internal password holder should have granted you the SYSOPER and/or SYSDBA privileges.>> This is done through the /etc/groups permissions I assume, as described in the installation documents?
 

DR: <<<No. Again, this is strictly Oracle. This is done from server manager, connected as sys with the command: "Grant sysdba (and/or sysoper) to jean".>>>

OK, I'm granting permissions through Oracle and an external Password File.



$ops Prefix:

Ruben: >>I'm also still confused about why we want to use a prefix. I'm not understanding exactly the advantage it creates for me and the reason it gives me this advantage.>>

>This is a separate issue altogether. As a DBA, you create scripts for a lot of
> things. One of them is to backup your database every night, using a hot
> backup. For this, you have to log in into an account with DBA privileges. So,
> your script has to be able to log into that account. Since your script can be
> read by other people (specially if you keep paper records) you do not want to
> have the DBA account password displayed. So, what you do is to have the account
> authenticated by the o/s and use "sqlplus /" and you are logged in. As a
> matter of fact, that is what your script will display.
>
> Let me correct myself from my previous post, you do not need to belong to the
> dba group to be authenticated this way.
>

OK

So this is where we can do authentication using the user name from the OS. It prefixes the $OPS to give SYS authorization within Oracle?

> I think the best way to learn all this is by setting your own system and make
> some experiments. Get Linux and set it up in your PC as a 2nd o/s. Linux and
> Unix are very much alike. Get Oracle for Linux and once you have it ready,
> you can be DBA and sysadmin. You can make all kinds of experiments and learn
> that way, knowing that you won't mess up anything. Linux is quite inexpensive,
> and Oracle is about $5.00, if you get the trial version (which works as well as
> the full blown).
>
> DR
>

:)

You are talking to the choir. I'm running a Linux Network at NYU. The prefix still has me confused though. It's creating within me what we used to call in the army - a brain cramp

Also known as paralysis of analysis.


--
Ruben I Safir
ruben_at_wynn.noSppam.com

http://www.brooklynonline.com
Manager of Intranet Development, NYU College of Dentistry
Resume: http://www.wynn.com/jewish/resume.html

Perl Notes:
http://www.wynn.com/jewish/perl_course

Received on Mon Nov 08 1999 - 10:53:47 CST
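The three mechanisms the thread keeps tangling together (password file, OSDBA group, OPS$ prefix), laid out as one SQL*Plus script. This is an added example, not code from either poster; the SID "orcl", the user "jean", the OS account "backup" and all passwords are assumed placeholders.

```sql
-- Option 1: the password file. orapwd runs at the OS level with the
-- database shut down; SQL*Plus HOST hands the line to the OS shell.
-- (ORACLE_SID "orcl" and the password are placeholders.)
HOST orapwd file=$ORACLE_HOME/dbs/orapworcl password=CHANGE_ME entries=5

-- init.ora must then say:
--   REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE
-- With NONE the file is ignored and only OS-authenticated SYS can connect.

-- Connected as SYS (INTERNAL in svrmgrl is the same thing), grant the
-- privilege. The GRANT itself records Jean in the password file;
-- /etc/group is not touched.
CONNECT sys/CHANGE_ME AS SYSDBA
GRANT SYSDBA, SYSOPER TO jean;

-- Verify who the password file now recognises.
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- Jean now connects with her own password, so each SYSDBA session is
-- tied to a named user (the accountability the post asks about).
CONNECT jean/CHANGE_ME_TOO AS SYSDBA

-- Option 2: OS authentication through the OSDBA group ("dba" in
-- /etc/group). No password file entry is needed and
-- REMOTE_LOGIN_PASSWORDFILE = NONE is enough, because group membership
-- is checked by the OS before the database is ever asked. From an OS
-- login in that group:
--   $ sqlplus /nolog
--   SQL> CONNECT / AS SYSDBA

-- The OPS$ prefix is a separate thing: an ordinary database user whose
-- identity comes from the OS login, so a script needs no password.
-- init.ora:  OS_AUTHENT_PREFIX = OPS$   (this is the default)
CREATE USER ops$backup IDENTIFIED EXTERNALLY;
GRANT CONNECT, DBA TO ops$backup;   -- the DBA role, not SYSDBA/SYSOPER

-- OS user "backup" runs "sqlplus /" and lands in OPS$BACKUP with no
-- password on disk; that account can run a hot backup but still cannot
-- start up or shut down the instance, which only SYSDBA/SYSOPER can do.
```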
