Re: remote_os_authen and security (Usenet, c.d.o.server)
A copy of this was sent to Ton Raaijmakers <torgan_at_worldonline.nl>
(if that email address didn't require changing)
On Tue, 23 Feb 1999 08:52:12 +0100, you wrote:
>Our application builders use the / to let users log in to
>the database.
>For example: runform50 / <form>
>
>They also set the parameter TWO_TASK. In order to use TWO_TASK you
>have to set remote_os_authen in the init.ora to yes.
>
>The result is, from any other host a user can log in without a password.
>On a Windows 95 PC you can set in your registry a username which is known
>to Oracle, and you don't have to use a password.
>
>When the users are working from the Unix platform I don't have a problem with
>it, because they HAVE to log in to Unix.
>
>If I set remote_os_authen to no then the TWO_TASK is not accepted.
>
>How can I solve this security issue?
>
>Thanks,
>
>Ton Raaijmakers
>Gemeente Dordrecht
Don't use remote_os_authent then... As you have noted, 'secure' little operating systems like win95 let you become whomever you want (don't even need the registry thing, just make up a new login name).
In a network environment where you do not have total control over the machines that can log into the server, don't use remote_os_authent.
The only time it is marginally secure is when
in that way, a small set of trusted machines can use the / login over the network with remote_os_authent = true. Any machine not in the protocol.ora list of allowed machines won't be able to sqlnet in even with a username and password.
Thomas Kyte
tkyte_at_us.oracle.com
Oracle Service Industries
Reston, VA USA
--
http://govt.us.oracle.com/ -- downloadable utilities
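
An added example (not part of the original post, and not Oracle's code): a small Python audit of the two settings the reply relates, `remote_os_authent` in init.ora and the list of allowed machines in protocol.ora. The names `tcp.validnode_checking` and `tcp.invited_nodes` are assumed to be the protocol.ora list the reply refers to, and the file contents are constructed samples.

```python
import re

# Constructed sample files (not from the original post).
INIT_ORA = """\
# init.ora (constructed sample)
db_name = PROD
remote_os_authent = TRUE
"""
PROTOCOL_ORA = """\
# protocol.ora (constructed sample); parameter names are an assumption
tcp.validnode_checking = yes
tcp.invited_nodes = (apphost1, apphost2)
"""

def parse_params(text):
    """Parse 'name = value' lines, ignoring # comments; names lower-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip()
    return params

def is_true(value):
    """Accept the spellings seen in parameter files (TRUE, yes, on)."""
    return value.strip().strip("'\"").lower() in ("true", "yes", "on")

def invited_nodes(value):
    """Split '(host1, host2)' into a list of host names."""
    return [h for h in re.split(r"[\s,()]+", value) if h]

def audit(init_text, protocol_text):
    """Return (level, message) for the network '/' login exposure."""
    init = parse_params(init_text)
    proto = parse_params(protocol_text)
    # Treat a missing parameter as off.
    if not is_true(init.get("remote_os_authent", "false")):
        return ("ok", "remote_os_authent is off; remote / logins are refused")
    nodes = invited_nodes(proto.get("tcp.invited_nodes", ""))
    if is_true(proto.get("tcp.validnode_checking", "no")) and nodes:
        return ("warn", "client OS user names are trusted, but only from: "
                        + ", ".join(nodes))
    return ("fail", "remote_os_authent is on and any host may connect; a "
                    "client-chosen OS user name is accepted without a password")

if __name__ == "__main__":
    print(audit(INIT_ORA, PROTOCOL_ORA))
    print(audit(INIT_ORA, ""))
```

The `warn` level reflects the reply's "marginally secure" wording: the listed hosts are still trusted to report OS user names honestly.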