Re: Database Links and security
Date: 4 Aug 1993 06:55:35 GMT
Message-ID: <23nmh7INNjnq_at_gap.caltech.edu>
ttg242_at_newton.sps.mot.com (David Thornewill von Essen) writes:
>In article mla_at_132.203.6.11, mla_at_132.203.6.11 (Michel Lalonde) writes:
>>If we create the database link with the 'connect to' option,
>>password changing for those super-users can be managed by a dba
>>but then, anyone who can read the data dictionary ('select any
>>table' is so practical for developers), can read the password ...
>>Is there any known solution ...
>>
>How are they going to read the password??? Only the DBA has access
>to encrypted values of the password (not the password itself), and
>I wouldn't recommend placing production tables in a DBA account,
>or am I missing something??
>Regards,
>David TvE
David,
USERNAME                       PASSWORD
------------------------------ ------------------------------
HOST
CREATED
AVALINK2.WORLD
SCOTT                          TIGER
ava2_x7
03-AUG-92 23:34:59
avalon-v7sql>
SO FOLKS --
Here's my solution:
-Acquire a client/server network that manages userids via NIS (aka YellowPages).
-Set up all of your userids in NIS
-Create corresponding ops$accounts on all of the databases with randomly generated passwords; not even the dba knows what they are. In fact each database/user combo has a DIFFERENT password by design to enhance security.
-Create all of the needed db links (but not using CONNECT TO)
The beauty of this solution is each user needs to know only his/her network password. When he/she connects to Oracle he/she connects using / which hooks him/her up to the corresponding ops$account.
All user authentication is handled by NIS when the user logs in to his/her workstation or PC.
I think the biggest NIS vendor is Sun.
-Dan
Daniel B. Bikle
Independent Oracle Consultant
dbikle_at_alumni.caltech.edu
415/854-9542
Received on Wed Aug 04 1993 - 08:55:35 CEST
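
The two link forms discussed in this thread, with an audit query for links that still carry stored credentials. This is an added example, not part of the original post; the link names, the 'remote_alias' connect string, the ops$jsmith account and its password are constructed placeholders, and the query assumes DBA_DB_LINKS leaves USERNAME null for links created without CONNECT TO.

```sql
-- Added example: every name and the password below are constructed placeholders.

-- Form the thread warns about: CONNECT TO stores the remote username and
-- password with the link definition, so a reader of the data dictionary
-- sees them (as in the SCOTT / TIGER output quoted in the post).
CREATE DATABASE LINK sales_fixed.world
  CONNECT TO scott IDENTIFIED BY tiger
  USING 'remote_alias';

-- Form used in the posted solution: no CONNECT TO clause, so no
-- credentials are stored with the link.
CREATE DATABASE LINK sales.world
  USING 'remote_alias';

-- Matching ops$ account, created on each database with its own randomly
-- generated password (placeholder value shown). The user never learns it
-- and connects with "/" after logging in to the workstation.
CREATE USER ops$jsmith IDENTIFIED BY x9k2_constructed_pw;
GRANT CREATE SESSION TO ops$jsmith;

-- Audit, run as a DBA: list links that were created with CONNECT TO and
-- therefore still hold stored credentials. The password itself is not
-- selected; the owner and link name are enough to plan the cleanup.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE username IS NOT NULL
 ORDER BY owner, db_link;
```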