OPS$LOGIN: security hole?

From: Lewis W Kellum <lwk_at_engin.umich.edu>
Date: Wed, 16 Dec 92 12:45:15 EST
Message-ID: <8aT=R#A_at_engin.umich.edu>


In article <1992Dec15.144220.25349_at_relay.nswc.navy.mil> rlarson_at_nswc-wo.nswc.navy.mil (Ruth Larson) writes:
>
>Steve Schow writes:
>>We routinely use the OPS$LOGIN feature of Oracle for all of our users. This
>>way they don't have to worry about anything once they are logged onto the
>>UNIX machine. They just type program / to run it with their UNIX login info.
>>Question:
>>When we create a new user as follows:
>> grant connect to ops$user identified by bogus;
>>and we actually use the word 'bogus' as the oracle password.
>>Does this mean that user ops$user could login to Oracle with either
>>the /, which would use his UNIX login info, or with 'bogus' as the
>>password?
>
>Yes, this is EXACTLY the case.
>
>>Could a user go into sql*plus with any convenient name and type
>> connect ops$user/bogus
>>to get into that user's oracle account
>
>Again, Yes.
>
>>We routinely use bogus to define new oracle users, but I am concerned about
>>security loop holes. We also use a number of macintosh client products that
>>use the ops$user with the UNIX password to login. I am beginning to think
>>that we should make sure that the Oracle password is the same as the UNIX
>>password and NOT use bogus for everyone?!_at_#%
>
>I would NOT suggest making the Oracle password the same as the system password.
>In many systems the logon password should only be known by the individual
>user. However, there's no need for *anyone* to have to know the ops$ password
>for an individual user - he/she doesn't need to know it, and the DBA can
>always reset it without the user even being aware that it has been reset.
>So use something random, and different for each ops$ account. I like to pick
>a 3 or 4 digit (or larger) number and then spell it out in words. Example:
>two_thousand_three_hundred_eleven. *Nobody* including you will remember
>*that*, and it's pretty hard to guess!

Here's another question: If I know Mr. Schow's unix login id, and the internet hostname of his Oracle server, what keeps me from creating his login id on my host and connecting to his ops$ oracle account?

- Woody Kellum

Received on Wed Dec 16 1992 - 18:45:15 CET
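The weak and hardened OPS$ account definitions the thread discusses, plus a dictionary check for the situation Steve describes, as an added example in Oracle SQL that is not part of any poster's message. It assumes a later Oracle release than the 1992 one in the thread: the CREATE USER ... IDENTIFIED EXTERNALLY syntax, the AUTHENTICATION_TYPE column of DBA_USERS (Oracle 11g onward) and the REMOTE_OS_AUTHENT instance parameter; the GRANT CONNECT ... IDENTIFIED BY form is the one quoted above.

```sql
-- Added example, not from the original post. Assumes Oracle 11g or later for
-- DBA_USERS.AUTHENTICATION_TYPE; older releases show 'EXTERNAL' in the
-- PASSWORD column of DBA_USERS instead.

-- Weak (the form quoted in the thread): the OPS$ account carries a real,
-- guessable database password, so it accepts BOTH "connect /" (OS
-- authentication) and "connect ops$user/bogus" from any SQL*Plus session.
GRANT CONNECT TO ops$user IDENTIFIED BY bogus;

-- Hardened: no database password exists at all, so the only way into the
-- account is OS authentication. No DBA or user ever has to know or reset
-- a password for it.
CREATE USER ops$user IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$user;

-- Detection: list OS-prefixed accounts that still have a database password,
-- i.e. exactly the "bogus for everyone" situation Steve is worried about.
-- (OS_AUTHENT_PREFIX defaults to OPS$; adjust the LIKE pattern if changed.)
SELECT username, authentication_type
  FROM dba_users
 WHERE username LIKE 'OPS$%'
   AND authentication_type <> 'EXTERNAL';

-- Woody's follow-up (a remote host presenting the same OS username) is
-- governed by REMOTE_OS_AUTHENT. It should be FALSE (the default) so that the
-- OS username is trusted only for logins on the database server itself.
SHOW PARAMETER remote_os_authent;
SHOW PARAMETER os_authent_prefix;
```

With REMOTE_OS_AUTHENT left at FALSE, the server does not trust the username a client machine claims over the network, so creating a matching login id on another host gains nothing; the OS check applies only to sessions started on the database server. Setting it to TRUE is what would make Woody's scenario work, which is why the detection query and the parameter check belong together.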
