Re: Question about OPS$LOGIN and Oracle Passwords

From: Lloyd E Vancil <lev_at_ipxed5.nswses.navy.mil>
Date: 16 Dec 92 22:37:46 GMT
Message-ID: <24727_at_suned1.Nswses.Navy.MIL>


In article <1992Dec14.200952.22697_at_netcom.com> sjs_at_netcom.com (Stephen Schow) writes:
>We routinely use the OPS$LOGIN feature of Oracle for all of our users. This
>way they don't have to worry about anything once they are logged onto the
>UNIX machine. They just type program / to run it with their UNIX login info.
>
>Question:
>
>When we create a new user as follows:
>
> grant connect to ops$user identified by bogus;
>
>and we actually use the word 'bogus' as the oracle password.
>
>Does this mean that user ops$user could login to Oracle with either
>the /, which would use his UNIX login info, or with 'bogus' as the
>password?

In UNIX (SunOS 4.1.2) the conventions
sqlplus /
sqlplus OPS$user/bogus

will both work.

>Could a user go into sql*plus with any convenient name and type
>
> connect ops$user/bogus
>
>to get into that user's oracle account?

Emphatically YES

This is a known security hole in the OPS$ user under Oracle 6. I am not aware of the fix, if any, in Trusted Oracle or in Oracle7.

Not only is it a bad idea to use the OPS$user/bogus scheme, but it is also bad to use the OPS$user/(Unix password) scheme, as that will actually make a Unix password violation more likely: now both the user and the DBA know the password of the OPS$ Oracle user.

Since the OPS$ password need only be used once, in the grant command, the DBA should be free to use any valid password, as long as it follows two conventions: 1. the DBA should be THE ONLY PERSON TO KNOW IT; 2. each one is unique (within reason here, folks).

I use the following method.

  1. Locate Webster's latest.
  2. Drop it on the desk to open the book.
  3. Close eyes and point to the page.
  4. Pick the closest word.
  5. Break the word somewhere with _DD_, where DD is the number of the day.
  6. Issue the grant command to create the new user.
  7. Close Webster's and forget the word.

Funk and Wagnalls will work as well.

If I need access to a user's account as that user, I can always do another grant to change his password, or, since I have su status, become him long enough to do the job.

--
|suned1!lev_at_elroy.JPL.Nasa.Gov|lev_at_suned1.nswses.navy.mil|sun!suntzu!suned1!lev|
|S.T.A.R.S. The revolution has begun!|  My Opinions are Mine mine mine hahahah!|
Received on Wed Dec 16 1992 - 23:37:46 CET
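The seven-step recipe in the post, written out as a script. This is an added example, not the author's own code (Python, since the recipe itself is language-neutral): the word list is a constructed stand-in for the dictionary, `secrets` does the eyes-closed pointing, and `grant_statement` emits the same Oracle 6 grant quoted at the top of the thread.

```python
import re
import secrets
from datetime import date

# Constructed stand-in for "Webster's latest": a short word list embedded so the
# script runs offline. A real run would read a system word list instead.
WORDS = ["lantern", "quarry", "saddle", "meridian",
         "compass", "harvest", "ledger", "thimble"]


def ops_password(words=WORDS, day=None, pick=secrets.randbelow):
    """Steps 1-5 of the recipe: pick a dictionary word at random and break it
    somewhere with _DD_, where DD is the day of the month (zero-padded).
    `pick(n)` returns an int in [0, n); the default is secrets.randbelow."""
    if day is None:
        day = date.today().day
    word = words[pick(len(words))]
    # Cut strictly inside the word so both fragments are non-empty.
    cut = 1 + pick(len(word) - 1)
    return f"{word[:cut]}_{day:02d}_{word[cut:]}"


def grant_statement(unix_user, password):
    """Step 6: the Oracle 6 grant from the original post, with the one-time
    password. Only the DBA sees this string; step 7 is to forget it."""
    return f"grant connect to ops${unix_user} identified by {password};"


# Shape check a DBA can apply to a candidate before issuing the grant:
# lowercase word fragment, _DD_, lowercase word fragment.
RECIPE_SHAPE = re.compile(r"^[a-z]+_\d{2}_[a-z]+$")


def follows_recipe(password):
    """True if the password has the word_DD_word shape the recipe produces."""
    return bool(RECIPE_SHAPE.match(password))


if __name__ == "__main__":
    # Generate one password for a hypothetical Unix user and show the grant.
    pw = ops_password()
    print(grant_statement("jdoe", pw))
```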
