Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: OS Authentication with winXP client Linux Server

Re: OS Authentication with winXP client Linux Server

From: hpuxrac <johnbhurley_at_sbcglobal.net>
Date: Wed, 01 Aug 2007 18:10:59 -0700
Message-ID: <1186017059.401767.299510@e16g2000pri.googlegroups.com>


On Jul 29, 11:05 pm, hjr.pyth..._at_gmail.com wrote:
> On Jul 28, 12:14 am, "fitzjarr..._at_cox.net" <fitzjarr..._at_cox.net>
> wrote:
>
>
>
>
>
> > On Jul 27, 8:38 am, "Matthias Hoys" <a..._at_spam.com> wrote:
>
> > > <fitzjarr..._at_cox.net> wrote in message
>
> > >news:1185540761.531273.313830_at_d30g2000prg.googlegroups.com...
>
> > > > On Jul 27, 1:00 am, Dazza <DarylFer..._at_gmail.com> wrote:
> > > >> Thanks for taking the time to reply.
> > > >> However, OS Authentication does actually work on clients aswell.
>
> > > >> The doco suggests throughout that the setting in sqlnet.ora be set to
> > > >> SQLNET.AUTHENTICATION_SERVICES= (NTS) on both the server and the
> > > >> client...suggesting that it does work on both.
>
> > > >> >From my personal experience, my previous company did indeed have it
>
> > > >> working on the clients - the difference being they had windows servers
> > > >> aswell as windows clients, whereas here I have a linux server and a
> > > >> windows client.
>
> > > > My guess is you do not have the remote_os_authent parameter set to
> > > > TRUE on the server. I have several databases using external
> > > > authentication from Windows clients and it works quite well.
>
> > > Are those databases on UNIX or Linux ? And you don't have Oracle Internet
> > > Directory installed on the database server ? I wonder if this works then ?- Hide quoted text -
>
> > > - Show quoted text -
>
> > The databases are on UNIX and the Windows clients authenticate without
> > issue.
>
> > David Fitzjarrell
>
> I preface everything I'm about to say with the words, 'This is
> addressed to the world in general and not David in particular'.
>
> But anyone that runs REMOTE_OS_AUTHENT=TRUE on a production server is
> asking for really, really bad trouble and needs to examine their head
> very closely,,, and then stop using it immediately.
>
> It means that if I were your cleaner, janitor or nightime security
> guard I would simply need to bring in my teenage son's laptop one
> night, plug it into your network, and I then have access to your
> database. My laptop, after all, will happily authenticate me as a
> valid user of that laptop. REMOTE_OS_AUTHENT=TRUE then states that
> such validation is sufficient to get me access to your database. It
> doesn't bear thinking about.
>
> So, it's no wonder "Windows clients authenticate without issue":
> practically the entire WORLD could authenticate without issue! That's
> really not something you would want for a database whose data you
> cared about.
>
> It's discussed here:http://www.dizwell.com/prod/node/210
> (where David Aldridge uses the 'you want your head tested' line I was
> tempted to use here!)
>
> It's also discussed here:http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1...
> (where Tom is moved to say, "remote_os_authent is not a very secure
> setting" and "they have remote_os_authent set -- meaning they have the
> least secure system on the planet. you must set that false")
>
> In answer to the specific question asked by the original poster, no
> amount of fiddling is going to get a Windows user's OS account
> authenticated on a Linux server, unless remote_os_authentication is
> set to the suicidal value of TRUE. As the OP initimated, messing
> around with sqlnet.ora values is only going to be helpful in an all-
> Windows environment.
>
> Regards
> HJR
Thanks Howard for your helpful reply in this thread.

Some of the postings that followed this one in the thread make me somewhat nervous. Obviously it was dangerous for one of the people responding to point out this parameter setting without all the caveats expressed above.

Then the discussion got somewhat heated with questions about who authorized this setting, was management are of the implications etc. One of the people volleying back responded that all of the warnings had been made but ignored etc.

I think it's pretty dangerous putting out in a public place like cdos this explicit of a discussion. It's not hard to try and figure out where people are working etc. If some kind of exploit or tampering of data was done based on the setting discussed, then watch out for the lawyers and the suits.

Taking discussions like this offline might be a good choice IMHO. Received on Wed Aug 01 2007 - 20:10:59 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US