Re: Question about OPS$LOGIN and Oracle Passwords
Date: 16 Dec 92 22:37:46 GMT
Message-ID: <24727_at_suned1.Nswses.Navy.MIL>
In article <1992Dec14.200952.22697_at_netcom.com> sjs_at_netcom.com (Stephen Schow) writes:
>We routinely use the OPS$LOGIN feature of Oracle for all of our users. This
>way they don't have to worry about anything once they are logged onto the
>UNIX machine. They just type program / to run it with their UNIX login info.
>
>Question:
>
>When we create a new user as follows:
>
> grant connect to ops$user identified by bogus;
>
>and we actually use the word 'bogus' as the oracle password.
>
>Does this mean that user ops$user could login to Oracle with either
>the /, which would use his UNIX login info, or with 'bogus' as the
>password?

In UNIX (sunos4.12) the conventions

 sqlplus /
 sqlplus OPS$user/bogus

will both work.

>Could a user go into sql*plus with any convenient name and type
>
> connect ops$user/bogus
>
>to get into that user's oracle accoun

Emphatically YES

This is a known security hole in the OPS$ user under Oracle 6. I am not aware of the fix, if any, in Trusted Oracle or in Oracle7.

Not only is it a bad idea to use the OPS$user/bogus scheme, but it is also bad to use the OPS$user/(Unixpassword) scheme, as that will actually make a UNIX password violation more likely, as now the user and the DBA know the password of the OPS$ Oracle user.

I use the following method:

- locate Webster's latest.
- drop on desk to open book
- close eyes and point to page
- pick closest word
- break word somewhere with _DD_ where DD is number of day.
- issue grant command to create new user
- close Webster and forget word.

Funk and Wagnalls will work as well.

If I need access to a user's account as that user, I can always do another grant to change his pw or, since I have su status, become him long enough to do the job.

--
|suned1!lev_at_elroy.JPL.Nasa.Gov|lev_at_suned1.nswses.navy.mil|sun!suntzu!suned1!lev|
|S.T.A.R.S. The revolution has begun!| My Opinions are Mine mine mine hahahah!|
Received on Wed Dec 16 1992 - 23:37:46 CET
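
The routine described in the reply above (random word, broken with _DD_, used once in the grant and then forgotten), as an added example that is not part of the original post. The function names and the word list are hypothetical and constructed for illustration; the random pick replaces pointing at a page with eyes closed.

```python
import re
import secrets

# Constructed stand-in for the dictionary; any word list can be passed instead.
SAMPLE_WORDS = ["lantern", "quarry", "meadow", "trellis", "harbor", "saffron"]


def throwaway_password(words, day, rng=None):
    """Pick a random word and break it with _DD_, DD being the day of month."""
    if not 1 <= day <= 31:
        raise ValueError("day must be a day of the month (1-31)")
    if rng is None:
        rng = secrets.SystemRandom()  # OS randomness instead of a fingertip
    # Only plain words long enough to be split strictly inside the word.
    candidates = [w for w in words if w.isalpha() and len(w) >= 2]
    if not candidates:
        raise ValueError("no usable words in the list")
    word = rng.choice(candidates)
    cut = rng.randrange(1, len(word))
    return f"{word[:cut]}_{day:02d}_{word[cut:]}"


def grant_statement(unix_login, password):
    """Build the grant from the post for the OPS$ account of a UNIX login."""
    # Refuse anything that is not a plain identifier, so nothing else can be
    # spliced into the statement text.
    for value in (unix_login, password):
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", value):
            raise ValueError(f"not a plain identifier: {value!r}")
    return f"grant connect to ops${unix_login} identified by {password};"


if __name__ == "__main__":
    import datetime

    pw = throwaway_password(SAMPLE_WORDS, datetime.date.today().day)
    # Print only the statement to run; the password is not stored anywhere.
    print(grant_statement("user", pw))
```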