Re: how to disable abuse of OPS$-accounts

I'm not sure if this is an option for you, but Oracle on Netware solves this problem by using NDS authentication. You can authenticate users via the OS, but they must be logged in to NDS before they can access the database. They can't fake out Oracle by changing their id in the oracle.ini file (Windoze) or the registry (Windoze 95) because REMOTE_OS_AUTHENT is set to false. It's only a problem if one user steals a login/password from another user. It's a really nice feature, but does not do you much good if you are set on Unix/VMS.

Jim Anderson

Mr. Holland wrote:

> When using Oracle in server based applications on a OpenVMS or Unix
> server, one can use operating system identification by using
> OPS$-accounts.
>
> These accounts are recognized by Oracle as being OS-accounts so it skips
> futher authentication. This feature was very helpful when users were not
> used to eery things like logging in and had just one application anyway.
>
> But nowadays they use PC with windows and terminals mixed. The problem
> is that a user when using a sqlnet connection can login using
> OPS$-accounts that don't belong to them without further authentication.
>
> My question is: are there patches or work arounds to fix this or the
> catch sqlnet users to use OPS$-accounts.
>
> a partial block is to use the validnode parameter in the protocol.ora
> but this does only block the outside world, not the internal users.
>
> If you have any hints or even solution, please let me know.
>
> Roeland
Received on Wed Jan 14 1998 - 00:00:00 CST