Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: remote OS authentication?

From: Andy <andy.spaven_at_eps-hq.co.uk>
Date: Fri, 2 Aug 2002 09:53:32 +0100
Message-ID: <WHr29.277$9R.1397603@newsr2.u-net.net>


Ed

Sybrand's reply isn't quite the whole picture in cases where your connection is secure (TCP/IP isn't). Ignore Sybrand's last paragraph - he's missed the point as it's clear you don't want an unsecure database. The only partly valid point is that SYSDBA might be a little strong for remote work most of the time - SYSOPER role can do most/all of the things you'd typically need to do remotely such as startup/shutdown etc. This works just like SYSDBA for logon: "sqlplus user/password@node as sysoper".

"Ed Wong" <ewong_at_mail.com> wrote in message news:a5ae1554.0208011526.654a634a_at_posting.google.com...
> If I set REMOTE_LOGIN_PASSWORDFILE to NONE, I can get the OS
> Authentication and logon LOCALLY on server as "connect / as sysdba" as
> long as I am in oracle dba group. Can I do the same thing remotely
> from other server? For example, can I do "connect /@proddb as sysdba"
> from other server?
>

Yes, if you are using a secure connection, but the most popular network protocol (TCP/IP) isn't. Check in your OS specific documents relating to Net8.

> I know that if I set the password file with REMOTE_LOGIN_PASSWORDFILE
> = EXCLUSIVE, I can do "connect scott/tiger@prodb as sysdba". But I
> don't want to specify username/password as I am implementing some
> remote scripts and I don't want to put username/password in the
> script.
>
> I am using Oracle 8.1.7EE on Sun Solaris 2.7
>

Over unsecure connections you're going to need to use a password file and username / password qualified logons. Make sure the password is a strong password and not some simple text string.

I seem to think the following is one solution - someone correct me if I've goofed one of the steps or there is an easier way. Assuming you're using UNIX as the remote box (remote from another DB server) - If you want to avoid sqlplus appearing on a ps output with the username, don't supply it as a command line parameter. Either sqlplus /nolog and then execute a connection script or pipe the username & password into sqlplus using a wrapper script. Make sure the (either) script is not readable except by the DBA login. That way the password is never visible and the only time it travels the network is when sqlplus executes the login (using its own encryption).

> Thanks,
> ewong

Andy

Received on Fri Aug 02 2002 - 03:53:32 CDT
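The wrapper approach described in the message above, sketched as an added example that is not part of the original post: it refuses a credential file that anyone other than its owner can read, then feeds the connect line to `sqlplus /nolog` on stdin so the password never appears in `ps` output. The function names, the credential file path and its one-line `user/password@node` format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the credential file
# holds one line, "user/password@node", and is owned by the DBA login.

# Succeed only for a regular file owned by the caller with no group/other
# permission bits (for example mode 600).
cred_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    _mode=$(ls -ldn -- "$1" | awk '{print $1}')
    _uid=$(ls -ldn -- "$1" | awk '{print $3}')
    [ "$_uid" = "$(id -u)" ] || return 1
    case "$_mode" in
        -???------|-???------.) return 0 ;;
        *) return 1 ;;
    esac
}

# Write what sqlplus will read on stdin: the connect line, then the SQL file.
# $1 = credential file, $2 = role (sysoper or sysdba), $3 = SQL script.
# The here-document keeps the password out of every process's argument list.
sqlplus_stdin() {
    cred_file_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    IFS= read -r _cred < "$1" || [ -n "$_cred" ] || return 1
    cat <<EOF
connect $_cred as $2
whenever sqlerror exit failure
EOF
    cat -- "$3"
    echo exit
}

# Start sqlplus with /nolog so nothing secret appears in ps output, then feed
# it the connect line and script on stdin.
run_remote_sql() {
    _input=$(sqlplus_stdin "$@") || return 1
    sqlplus -S /nolog <<EOF
$_input
EOF
}

# Usage (hypothetical paths): run_remote_sql "$HOME/.ora_cred" sysoper stop_db.sql
```

The permission check rejects files carrying an ACL marker (`+`) in the `ls` mode string as well, since an ACL can grant read access that the mode bits do not show.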
