
Re: Rumor Breaking

From: Rick Wessman <Rick.WessmanNO_SPAM_at_oracle.com>
Date: 8 May 2002 14:24:55 -0700
Message-ID: <abc537021jc@drn.newsguy.com>


In article <3CD94356.3FBF6FFE_at_exesolutions.com>, Daniel says...
>
>Thomas Gaines wrote:
>
>> Daniel -
>>
>> I'm pretty familiar with this gaping hole, but I don't believe for
>> a second that there's anything that anyone can do to the listener.ora
>> file to block access. Instead, a DBA should set REMOTE_OS_AUTHENT
>> to FALSE in the init.ora file to turn off remote operating system
>> authentication.
>>
>> While I don't have any experience connecting to an Oracle database
>> via the Mac or OS/2, I've demonstrated the lack of security when
>> connecting from a Win95 or Win98 box. It's painfully easy to simply
>> masquerade as another user and cause all sorts of havoc to someone
>> else's Oracle account.
>>
>> Connections from a WinNT or Win2000 box are just fine due to the
>> logins that those operating systems require.
>>
>> Is this what you had in mind?
>>
>> Bye,
>> TG
>>
>> Daniel Morgan wrote:
>>
>> > I found the following text somewhere and saved it in the hope of
>> > figuring out something I didn't know.
>> >
>> > "Automatic logins by PC, Apple MacIntosh, and OS/2 users are not secure.
>> > Anyone can edit the Oracle configuration file and change their user ID.
>> > For security reasons, if users of these systems are logging in over the
>> > network, Oracle Corporation strongly recommends you disable the ops$
>> > logins in the listener.ora."
>> >
>> > Unfortunately, after diligent research, I cannot find any reference to
>> > disabling externally authenticated accounts in listener.ora.
>> >
>> > Can someone please point me to a source document that explains the
>> > connection?
>> >
>> > Thanks.
>> >
>> > Daniel Morgan
>>
>> --
>> =====================================================
>> Thomas Gaines
>> Professional Research Assistant / Senior DBA
>> CIRES, NGDC/NOAA
>> 303.497.3798 (office)
>> 303.912.1241 (cell)
>> thomas.gaines_at_noaa.gov
>> =====================================================
>
>I am aware of the init.ora solution but I got that text snippet from one of my
>students, I think, and was trying to track it down as I had never heard of
>such a thing being possible. When research failed I thought I'd ask a wider
>audience.
>
>My only interest is in presenting accurate information when I teach.
>
>The only thing I like OPS$ accounts for, myself, is running jobs on the server
>and avoiding the security issues related to putting user-id and password into
>a Korn Shell or Perl script.
>
>Daniel Morgan
>

This is definitely a typo. There is no way to prevent ops$ logins in listener.ora. Init.ora has always been the place to do it.

                                          Rick

                                Rick Wessman
                                Oracle Corporation

     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.
Received on Wed May 08 2002 - 16:24:55 CDT
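
Added example (not part of the original thread, and not Oracle's code): a small audit of init.ora text for the REMOTE_OS_AUTHENT setting discussed above. The sample files are constructed, the function names are hypothetical, and the parser assumes `#` comments and that the last assignment of a parameter wins.

```python
import re

# Constructed sample init.ora contents (not taken from the thread).
WEAK_INIT_ORA = """\
# constructed sample
db_name = ORCL
remote_os_authent = TRUE   # trusts the client's claimed OS user
os_authent_prefix = "OPS$"
"""
HARDENED_INIT_ORA = """\
db_name = ORCL
REMOTE_OS_AUTHENT = FALSE
os_authent_prefix = "OPS$"
"""

# Values Oracle uses when the parameter is absent from the file.
DEFAULTS = {"remote_os_authent": "FALSE", "os_authent_prefix": "OPS$"}

def parse_init_ora(text):
    """Return {lowercased name: value}. Assumes the last assignment wins."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (simplified)
        m = re.match(r"([A-Za-z_][\w$]*)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return params

def audit_os_authent(text):
    """List findings about remote OS authentication in an init.ora."""
    params = {**DEFAULTS, **parse_init_ora(text)}
    findings = []
    if params["remote_os_authent"].upper() == "TRUE":
        findings.append(
            "REMOTE_OS_AUTHENT=TRUE: accounts named %s<os_user> accept the "
            "OS user name asserted by a remote client; set it to FALSE"
            % params["os_authent_prefix"])
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INIT_ORA), ("hardened", HARDENED_INIT_ORA)):
        print(name, audit_os_authent(text) or "no findings")
```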
