
Re: As oracle/dba still need internal passwd.. why?

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Mon, 12 Feb 2001 16:17:24 -0000
Message-ID: <9692al$9v8$1@soap.pipex.net>

A much fuller summary than mine, which omitted SHARED (to avoid confusion, since it is my understanding that Oracle will also check the OS when this is set, as well as the password file - I am more than willing to be corrected). My understanding of Oracle's 'position' came from this bit of the docs:

Suggestion:
To achieve the greatest level of security, you should set the REMOTE_LOGIN_PASSWORDFILE file initialization parameter to EXCLUSIVE immediately after creating the password file.

Obviously this is a 'suggestion', not a firm recommendation. Incidentally, the 8.1.6 docs state that the default for this parameter is none.

--
Niall Litchfield
Oracle DBA
Audit Commission UK



"Howard J. Rogers" <howardjr_at_www.com> wrote in message
news:3a87d5ad_at_news.iprimus.com.au...

> remote_login_passwordfile can be set to SHARED, EXCLUSIVE or NONE.
>
> NONE means all DBA work is done by walking into a secured server room to
> perform DBA actions.... it's a secure environment, no-one is likely to be
> able to walk up to the computer I am using and assume my identity, no-one is
> likely to be able to watch over my shoulder as I log on. All verification
> is handled by the O/S, and since no-one else can access the O/S via my
> terminal, it's entirely secure. Given that I've had to provide a keypad
> password to the server room itself, plus log on to the Unix box with the
> requisite username and password, I don't see why Oracle should itself
> require further proof of identity!
>
> EXCLUSIVE means I log on as a DBA in the outside world (a terminal in an
> open plan office, which I leave from time to time, so anyone could walk up
> to it and assume my identity). Even if I leave my terminal logged on to the
> domain, connections to Oracle will require the supply of an additional
> password, so as long as I don't leave myself logged in to Server Manager,
> things are pretty safe. What's more, we have three databases to manage, and
> I only look after one of them.... the other two don't want me on their
> database, and I don't want them on mine.
>
> SHARED means all of the above, except that the three of us work as one team,
> and I can look after their databases as much as they can look after mine.
> So who needs private, database-specific passwords? We just want one set of
> passwords which will give all of us privileges on each of the databases.
>
> There's no preferred setting on Oracle's part (though EXCLUSIVE is the
> default). It all depends entirely on where you are, what you are doing, and
> what your DBA'ing environment is.
>
> Regards
> HJR
>
>
> "Niall Litchfield" <n-litchfield_at_audit-commission.gov.uk> wrote in message
> news:968ji4$116$1_at_soap.pipex.net...
> > I see no-one else has responded yet. In order to connect with sysdba
> > privileges you are authenticated to oracle in one of two ways. Your system
> > looks to be set up for password file authentication, e.g. in your init.ora you
> > have the line
> >
> > remote_login_passwordfile=exclusive.
> >
> > The alternative is to allow operating system authentication of sysdba users.
> > This is done by setting
> >
> > remote_login_passwordfile=none
> >
> > My reading of the documentation suggests that the exclusive setting is
> > preferred by oracle since you would then need to know two passwords (an os
> > one and an oracle one) in order to perform sysdba type actions. This seems
> > pretty reasonable to me.
> >
> >
> > --
> > Niall Litchfield
> > Oracle DBA
> > Audit Commission UK
> > "Tony Adolph" <tony.adolph_at_viaginterkom.de> wrote in message
> > news:95ugre$tbk$1_at_nnrp1.deja.com...
> > > Hello All,
> > >
> > > I am building a new database (Ora 8i) on Solaris 2.6. I have used the
> > > db assistant to create the create scripts and I have set ORACLE_HOME
> > > and ORACLE_SID to the new values. But I have a problem: from the
> > > oracle account (with dba group) I cannot connect internal using SVRMGRL
> > > without a password. I used orapwd to create a password and it works.
> > > But why do I need the password when I'm logged in as oracle and am a
> > > member of the dba group?
> > >
> > > Any clues folks?
> > >
> > > Cheers
> > > Tony.
> > >
> > >
> > > Sent via Deja.com
> > > http://www.deja.com/
> >
> >
>
>
Received on Mon Feb 12 2001 - 10:17:24 CST
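
An added example, not part of the thread and not Oracle tooling: a small Python check that reads init.ora text, reports which of the three remote_login_passwordfile settings discussed above is in effect, and lists files that do not carry the EXCLUSIVE value the quoted documentation suggests. The sample files and function names are constructed for illustration, and treating the last occurrence of a repeated parameter as the effective one is an assumption.

```python
import re

PARAM = "remote_login_passwordfile"
KNOWN_VALUES = {"NONE", "EXCLUSIVE", "SHARED"}  # the three values named in the thread

def effective_setting(init_ora_text):
    """Return the upper-cased value set in the file, or None if it is never set."""
    value = None
    for raw in init_ora_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        m = re.match(r"^([a-z0-9_]+)\s*=\s*(.*)$", line, re.IGNORECASE)
        if m and m.group(1).lower() == PARAM:
            # Assumption: when a parameter is repeated, the last line wins.
            value = m.group(2).strip().strip("'\"").upper()
    return value

def classify(init_ora_text):
    """Map a file to EXCLUSIVE / SHARED / NONE / UNSET / INVALID."""
    value = effective_setting(init_ora_text)
    if value is None:
        return "UNSET"        # release default applies; the thread disagrees on what it is
    return value if value in KNOWN_VALUES else "INVALID"

def needs_review(files):
    """Names of files whose setting is not the EXCLUSIVE value the docs suggest."""
    return sorted(n for n, text in files.items() if classify(text) != "EXCLUSIVE")

# Constructed sample files, not taken from the thread.
SAMPLES = {
    "initPROD1.ora": "db_name = PROD1\n# remote_login_passwordfile = none\n"
                     "REMOTE_LOGIN_PASSWORDFILE = exclusive   # set after orapwd\n",
    "initPROD2.ora": "remote_login_passwordfile=exclusive\n"
                     "remote_login_passwordfile = 'none'\n",
    "initTEST.ora":  "db_name = TEST\nprocesses = 50\n",
    "initDEV.ora":   "remote_login_passwordfile = shared\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
    print("review:", needs_review(SAMPLES))
```

An UNSET result means the release default decides the behaviour, so confirm it against the documentation for the version in use.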
