Proxy accounts and SQL*Net
Date: 5 Apr 94 14:08:36 EST
Message-ID: <1994Apr5.140836.1_at_corp02.d51.lilly.com>
We are beginning to move to having ORACLE-only database servers. Tools such as SQL*Plus, SQL*Forms, etc., will be run from an application server and use SQL*Net to access the oracle data.
I am attempting to find out if there is a way to offer ops$ login to the server in a secure environment. My initial conclusion is that it can't be done, but I wanted to see if anyone out on the net had any suggestions.
In our current environment (oracle and the tools on the same machine), we use the ops$ login accounts to allow applications to submit batch jobs that log into ORACLE using just a /. They do not hard-code passwords into their DCL (VMS) or shell scripts (UNIX).
I don't see how I can duplicate that when the database is remote. SQL*Net allows proxy logins, but if I turn it on, mac, pc, and some unix users can change their local id and proxy in as whoever they want. If I use the VALIDNODES option to specify only those nodes where I feel comfortable with their security, I prevent macs and pcs from connecting with a legitimate oracle username/password.
What I want is to be able to specify a list of nodes from which I will accept proxy logins. I would still accept connections from other nodes, but they would have to specify a userid/password.
I think that my only option is to prevent proxy logins, and require the batch jobs to hard-code their passwords. I don't like the idea of hard-coding passwords, but it is better than giving people the ability to proxy in as whoever they want.
Does anyone else have any other suggestions?
-- Bob Swisshelm | swisshelm_at_Lilly.com | 317 276 5472
Eli Lilly and Company | Lilly Corporate Center | Indianapolis, IN 46285
Received on Tue Apr 05 1994 - 21:08:36 CEST