Re: Users identified by passwd may also be identified externally

From: L. Carl Pedersen <l.carl.pedersen_at_dartmouth.edu>
Date: Thu, 06 Oct 1994 13:17:53 -0500
Message-ID: <l.carl.pedersen-0610941317530001_at_kip-2-sn-98.dartmouth.edu>


In article <cj10.28.000A5827_at_ucs.cam.ac.uk>, cj10_at_ucs.cam.ac.uk (C.J.Jardine) wrote:
>
> This is a change between 7.0.15 and 7.0.16.
>
> Under 7.0.15, if OS_AUTHENT_PREFIX was set to "", it behaved as Alain
> described. Under 7.0.16, toto can only log on without a password if
> the oracle account is IDENTIFIED EXTERNALLY. One can never log on
> without a password to an IDENTIFIED BY <password> account.
>
> (As a compatibility hack, you still get the 7.0.15 behaviour if the
> OS_AUTHENT_PREFIX still has its default value of OPS$).
>
> This change has caused me considerable grief, and forced me to make my
> server less secure by storing passwords in files. Oracle have said that
> they are closing a security loophole, and will not change it back.
> I would be interested to hear from anyone else who regrets the change.
> If there were enough of us, we might be able to persuade Oracle to
> install an option to restore the previous behaviour.
>
> Charles Jardine. University of Cambridge.

they implied they *might* fix it at one of the IOUW "Ask Oracle" sessions.

i agree with you. the way it works now is a big pain for us. we're going to be in transition mode between host-based and client/server for years. we don't really need proxies in our environment so there is no security risk.

what can we do to persuade them to fix this *soon*?!

Received on Thu Oct 06 1994 - 19:17:53 CET
