Re: SQL*NET/orasrv security problem

From: Karel Sprenger <ks_at_ic.uva.nl>
Date: Wed, 6 Apr 1994 15:00:23
Message-ID: <ks.45.000F01C3_at_ic.uva.nl>


In article <2nu6lp$ng7_at_hafro.is> gunnaro_at_hafro.is (Gunnar Orvarsson) writes:

>Hi.
 

>We are running Oracle/7 and SQL*NET's orasrv on a Unix server. We would
>like to be able to connect to our database as ops$<user> from other machines
>on our network without having to specify a password, that is we would like
>to be able to use connection commands like 'sqlplus /', given the correct
>value of the TWO_TASK environment variable. Setting REMOTE_OS_AUTHENT =
>true in the init<sid>.ora file seems to make this possible.
 

>This would be great, if we could allow connections from CERTAIN MACHINES
>ONLY, i.e. those that are on our network or in our administrative
>domain. But unfortunately, this doesn't seem to be the way orasrv works.
>Allowing this kind of access to workstations on our network seems to enable
>users with the same login name on ANY machine on the Internet to connect to
>our database.
 

>So my question is:
 

>Does anyone know a way to make orasrv allow connections from certain machines
>only? Are there any ways at all to prevent logins from machines from the
>outside (and staying on the Internet)? Might there exist some public domain
>security packages to take care of this?

Maybe tcp wrapper can be used to restrict incoming tcp calls on port 1525 to certain IP addresses only? I'll ask Wietse Venema, the author.

Regards,
Karel

| Karel Sprenger                              | Email: ks_at_ic.uva.nl    |
| Informatiseringscentrum                     | phone: +31-20-525 2302 |
| Universiteit van Amsterdam                  |        +31-20-525 2741 |
| Turfdraagsterpad 9, NL-1012 XT AMSTERDAM    | fax  : +31-20-525 2084 |
| *** PGP Public Key available on request *** | home : +31-20-675 0989 |

Received on Wed Apr 06 1994 - 15:00:23 CEST
