
Re: Rumor Breaking

From: Daniel Morgan <dmorgan_at_exesolutions.com>
Date: Wed, 08 May 2002 15:25:19 GMT
Message-ID: <3CD94356.3FBF6FFE@exesolutions.com>


Thomas Gaines wrote:

> Daniel -
>
> I'm pretty familiar with this gaping hole, but I don't believe for
> a second that there's anything that anyone can do to the listener.ora
> file to block access. Instead, a DBA should set REMOTE_OS_AUTHENT
> to FALSE in the init.ora file to turn off remote operating system
> authentication.
>
> While I don't have any experience connecting to an Oracle database
> via the Mac or OS/2, I've demonstrated the lack of security when
> connecting from a Win95 or Win98 box. It's painfully easy to simply
> masquerade as another user and cause all sorts of havoc to someone
> else's Oracle account.
>
> Connections from a WinNT or Win2000 box are just fine due to the
> logins that those operating systems require.
>
> Is this what you had in mind?
>
> Bye,
> TG
>
> Daniel Morgan wrote:
>
> > I found the following text somewhere and saved it in the hope of
> > figuring out something I didn't know.
> >
> > "Automatic logins by PC, Apple MacIntosh, and OS/2 users are not secure.
> > Anyone can edit the Oracle configuration file and change their user ID.
> > For security reasons, if users of these systems are logging in over the
> > network, Oracle Corporation strongly recommends you disable the ops$
> > logins in the listener.ora."
> >
> > Unfortunately, after diligent research, I cannot find any reference to
> > disabling externally authenticated accounts in listener.ora.
> >
> > Can someone please point me to a source document that explains the
> > connection?
> >
> > Thanks.
> >
> > Daniel Morgan
>
> --
> =====================================================
> Thomas Gaines
> Professional Research Assistant / Senior DBA
> CIRES, NGDC/NOAA
> 303.497.3798 (office)
> 303.912.1241 (cell)
> thomas.gaines_at_noaa.gov
> =====================================================

I am aware of the init.ora solution but I got that text snippet from one of my students, I think, and was trying to track it down as I had never heard of such a thing being possible. When research failed I thought I'd ask a wider audience.

My only interest is in presenting accurate information when I teach.

The only thing I like OPS$ accounts for, myself, is running jobs on the server and avoiding the security issues related to putting user-id and password into a Korn Shell or Perl script.

Daniel Morgan

Received on Wed May 08 2002 - 10:25:19 CDT
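
A check for the init.ora setting discussed in the thread above, as an added example that is not part of the original posts: it parses a parameter file and reports the effective REMOTE_OS_AUTHENT and OS_AUTHENT_PREFIX values, applying Oracle's defaults (FALSE and OPS$) when a parameter is absent. The sample file, the function names, and the rule that a later assignment overrides an earlier one are assumptions; IFILE includes are not followed.

```python
import re

# Oracle defaults that apply when the parameter is absent from the file.
DEFAULTS = {"remote_os_authent": "FALSE", "os_authent_prefix": "OPS$"}

SAMPLE_INIT_ORA = '''\
# constructed sample, not taken from a real system
db_name = TEACH
REMOTE_OS_AUTHENT = true     # legacy setting
os_authent_prefix = "OPS$"
#remote_os_authent = false
'''

_ASSIGN = re.compile(r"^\s*([A-Za-z_][\w$]*)\s*=\s*(.*?)\s*$")

def strip_comment(line):
    """Drop a trailing # comment, but keep a # that sits inside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def parse_init_ora(text):
    """Return {lowercased name: value}. Assumption: a later assignment wins."""
    params = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(strip_comment(raw))
        if m:
            params[m.group(1).lower()] = m.group(2).strip("\"'")
    return params

def audit_os_auth(text):
    """Report effective OS-authentication settings; finding=True means remote OS auth is on."""
    params = parse_init_ora(text)
    remote = params.get("remote_os_authent", DEFAULTS["remote_os_authent"]).upper()
    prefix = params.get("os_authent_prefix", DEFAULTS["os_authent_prefix"])
    return {
        "remote_os_authent": remote,
        "os_authent_prefix": prefix,
        "explicit": "remote_os_authent" in params,
        "finding": remote == "TRUE",
    }
```

A file that sets the parameter more than once is worth a manual look even when the effective value is FALSE, since the running instance may have been started from a different copy.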
