Re: Question about OPS$LOGIN and Oracle Passwords

From: Dave Dargo <dave_at_us.oracle.com>
Date: 17 Dec 92 21:31:05 GMT
Message-ID: <dave.724627865_at_base>


lev_at_ipxed5.nswses.navy.mil (Lloyd E Vancil) writes:

>In article <1992Dec14.200952.22697_at_netcom.com> sjs_at_netcom.com (Stephen Schow) writes:
>>We routinely use the OPS$LOGIN feature of Oracle for all of our users. This
>>way they don't have to worry about anything once they are logged onto the
>>UNIX machine. They just type program / to run it with their UNIX login info.
>>
>>Question:
>>
>>Could a user go into sql*plus with any convenient name and type
>>
>> connect ops$user/bogus
>>
>>to get into that user's oracle account

>Emphatically YES

>This is a known security hole in the OPS$ user under oracle 6..
>I am not aware of the fix if any in trusted oracle or in
>oracle7.

The syntax in ORACLE7 would be:

        create user <user_name> identified externally;

The <user_name> would be something of the order OPS$DAVE, i.e.

        create user ops$dave identified externally;

This would create a database user called ops$dave identified by the operating system userid of dave.

However, you could specify

        os_authent_prefix=""

in the init.ora file so that OPS$ would not be necessary; the same definition would then be

        create user dave identified externally;

This would create a database user called dave identified by the operating system userid of dave.

To prevent these accounts from being used over a network, set the following init.ora parameter:

        remote_os_authent=false (I'm not sure that I remember the name exactly)

Hope this helps,
Dave Dargo (ddargo_at_oracle.com)

Received on Thu Dec 17 1992 - 22:31:05 CET

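Added example, not part of the original post and not Oracle code: a Python check that reads an init.ora file and reports the effective os_authent_prefix and remote_os_authent settings discussed above, along with the database user name each OS login maps to. The function names, the sample file, and the defaults applied when a parameter is absent (OPS$ and FALSE) are assumptions.

```python
import re

# Assumed defaults when a parameter is absent from the file.
DEFAULTS = {"os_authent_prefix": "OPS$", "remote_os_authent": "FALSE"}

_PARAM = re.compile(r"^\s*([A-Za-z_][\w$]*)\s*=\s*(.*?)\s*$")


def parse_init_ora(text):
    """Return {lowercased name: value} for simple name=value lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]      # drop comments (assumes no '#' in values)
        m = _PARAM.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]           # os_authent_prefix="" -> empty string
        params[name] = value
    return params


def audit(text, os_users=()):
    """Report effective OS-authentication settings for an init.ora file."""
    params = {**DEFAULTS, **parse_init_ora(text)}
    prefix = params["os_authent_prefix"].upper()
    remote = params["remote_os_authent"].upper() == "TRUE"
    return {
        "prefix": prefix,
        # True means externally identified accounts can be used over a network.
        "remote_os_authent": remote,
        # Database user that "identified externally" ties to each OS login.
        "db_users": {u: prefix + u.upper() for u in os_users},
    }


# Constructed sample parameter file, not taken from a real system.
SAMPLE = '''
db_name = demo            # constructed
os_authent_prefix = ""
REMOTE_OS_AUTHENT = true
'''

if __name__ == "__main__":
    print(audit(SAMPLE, ["dave"]))
```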