Re: Users identified by passwd may also be identified externally

From: C.J.Jardine <cj10_at_ucs.cam.ac.uk>
Date: Thu, 6 Oct 1994 10:20:35
Message-ID: <cj10.28.000A5827_at_ucs.cam.ac.uk>


In article <Cx6zKB.DGt_at_nl.oracle.com> cgohring_at_lucifer (Carl Gohringer) writes:

>Alain.Viret_at_ls.ubs.ubs.ch (Alain VIRET) writes:
>:
>: With Oracle 7.0.15.4 (Solaris 2.3), when we define a user with the command:
>: create user toto identified by titi
>: if a Unix user toto exists, it may execute sqlplus / and enter the
>: database.
>:
>: With another instance and version (7.0.16.x), using the same
>: user-creation command, the Unix user toto may not enter the
>: database without giving its password (titi in the example).
>:
>:
>: Is it a bug, a known feature, or a different parameter?

>Most likely NOT a bug. Sounds like an OS-authenticated account.
>This is the same as OPS$ accounts in v6; however, in Oracle7 you are allowed
>to change the OPS$ to any string you like.
>This is done via OS_AUTHENT_PREFIX in the INIT.ORA (the default value
>for this is still OPS$).

>If, for example, you have an OS account X, an Oracle account ZZZX, and
>OS_AUTHENT_PREFIX=ZZZ, then user X would connect to Oracle account ZZZX by
>typing sqlplus /

No.

This is a change between 7.0.15 and 7.0.16.

Under 7.0.15, if OS_AUTHENT_PREFIX was set to "", it behaved as Alain described. Under 7.0.16, toto can only log on without a password if the oracle account is IDENTIFIED EXTERNALLY. One can never log on without a password to an IDENTIFIED BY <password> account.

(As a compatibility hack, you still get the 7.0.15 behaviour if OS_AUTHENT_PREFIX still has its default value of OPS$.)

This change has caused me considerable grief, and forced me to make my server less secure by storing passwords in files. Oracle have said that they are closing a security loophole, and will not change it back. I would be interested to hear from anyone else who regrets the change. If there were enough of us, we might be able to persuade Oracle to install an option to restore the previous behaviour.

Charles Jardine. University of Cambridge.

Received on Thu Oct 06 1994 - 10:20:35 CET
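The two account types the thread is arguing about, as an added example; this is not code from Charles Jardine's post or from the quoted messages. It assumes an Oracle7 (7.0.16 or later) instance whose INIT.ORA has been changed from the default OPS$ prefix to the empty string, a Unix login named toto on the server host, and the Oracle7 convention that DBA_USERS.PASSWORD reads EXTERNAL for an externally identified account. The statements are meant to be run by a DBA from SQL*Plus.

```sql
-- Added example, not from the original thread.
-- Assumed INIT.ORA setting (non-default; the default is OPS$):
--     OS_AUTHENT_PREFIX = ""
-- With an empty prefix, Unix user "toto" maps to Oracle user TOTO.
-- With the default prefix it would map to OPS$TOTO instead (Oracle
-- upper-cases the unquoted name; assumption, check on your release).

-- 1. Password-authenticated account, exactly as in Alain's original
--    command. Under 7.0.16+ with a non-default prefix, "sqlplus /"
--    as Unix user toto is refused: the password titi is always needed.
CREATE USER toto IDENTIFIED BY titi;
GRANT CONNECT TO toto;

-- 2. Convert it to an OS-authenticated account. Only an account that
--    is IDENTIFIED EXTERNALLY can be entered with "sqlplus /", and
--    only by the OS login whose name, with the prefix prepended,
--    equals the Oracle username. (Equivalently, create it that way
--    from the start: CREATE USER toto IDENTIFIED EXTERNALLY;)
ALTER USER toto IDENTIFIED EXTERNALLY;

-- 3. Audit: list every account that can be entered without a password.
--    In Oracle7, DBA_USERS.PASSWORD shows the literal EXTERNAL for
--    externally identified users, so this is the list of accounts whose
--    security now rests entirely on the OS login of the same name.
SELECT username
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;
```

The audit query is the practical check behind the post: after the 7.0.16 change, an account shows up there only if someone explicitly made it IDENTIFIED EXTERNALLY, whereas under 7.0.15 with an empty prefix (or on any release with the default OPS$ prefix, per the compatibility behaviour described above) a plain IDENTIFIED BY account could also be entered by the matching OS user and would not appear in this list.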
