Re: DB appl. login security questions

From: Dave Mausner <dmausner_at_interaccess.com>
Date: 5 Apr 1994 13:36:36 -0500
Message-ID: <2nsb3k$7mg_at_home.interaccess.com>


In article <Cnsspr.HBu_at_fc.hp.com>, Brian Atkins <atkins_at_fc.hp.com> wrote:
>I am developing (actually, porting from Ingres) an application on Oracle.
>In my prototype, I use environment variables to configure the SID, user and
>password the application should use. This isn't very secure, however, and
>I need to come up with a better strategy.

If the client machine uses its own user validation (e.g., Unix, VMS, NT) then you can employ Oracle remote authentication. This says that if the user is validated by the client, then Oracle accepts the user on the server side without a further userid/password interchange. You do this by enabling proxy logins on the server, then the client connects via SQL*Net with userid "/", that is, null userid/null password. The internal Oracle userid is built up from the client's validated userid, usually ops$x when the client userid is x.

If the client runs DOS or Windows, then there is of course no actual validation, only the environment variables, which can be changed to become any userid. This still works, but in this case the security is crummy. There is no solution other than to demand a userid/password in a dialog box in the application itself, which must then be transmitted via SQL*Net. Obviously, if I have a line monitor I can observe your password flying by.

Since client security depends either on the client O/S or on transmission of security keys over an open network, you have to balance convenience with paranoia.

-- 
Dave Mausner / Sr Consultant / Braun Technology Group / Chicago, IL USA
No opinions have been expressed.              Motto: "Show me the code"
Received on Tue Apr 05 1994 - 20:36:36 CEST
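The server-side setup the reply describes, written out as an added example (not part of the original post or of Oracle's documentation). It assumes an Oracle release with an spfile and the DBA_USERS.AUTHENTICATION_TYPE column (11g or later), a Unix client login named "alice", and the default OPS$ prefix; the weak and hardened values of REMOTE_OS_AUTHENT are shown side by side so the risk Dave points out for DOS/Windows clients is visible in the configuration itself.

```sql
-- Added example, not from the original post. Assumes Oracle 11g or later,
-- a Unix client account named "alice", and the default OPS$ prefix.

-- Prefix used to derive the Oracle username from the OS-validated login.
-- 'OPS$' is the default and matches the ops$x naming in the post.
ALTER SYSTEM SET os_authent_prefix = 'OPS$' SCOPE = SPFILE;

-- Weak setting (shown commented out): trust whatever OS username a network
-- client claims over SQL*Net. A DOS/Windows client, or anyone who can set an
-- environment variable, can then log in as any OPS$ account with no password.
-- ALTER SYSTEM SET remote_os_authent = TRUE SCOPE = SPFILE;

-- Hardened setting: "/" logins are accepted only when validated by the
-- database host's own operating system (e.g. a local "sqlplus /");
-- remote clients must present a password or other real credentials.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- The externally authenticated account; no password is stored in Oracle.
-- The name must be the prefix plus the client login, in upper case.
CREATE USER "OPS$ALICE" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "OPS$ALICE";

-- Periodic audit: every account that relies on OS authentication should
-- correspond to a controlled OS login; anything unexpected here is a finding.
SELECT username, account_status, created
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;
```

Both parameters are static, so the SCOPE = SPFILE changes take effect at the next instance restart. After that, "alice" on the database host connects with "sqlplus /" and is mapped to OPS$ALICE; with remote_os_authent left at FALSE the same "/" login over SQL*Net from another machine is refused, which is the trade-off between convenience and paranoia the post ends on. REMOTE_OS_AUTHENT was deprecated in later Oracle releases for exactly the reason given above.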
