Re: Connecting as internal across SQL*Net v1.

From: jwheat <jwheat_at_bftzha8>
Date: 12 Dec 1994 21:44:50 GMT
Message-ID: <jwheat-1212941647340001_at_47.22.160.113>


In article <RWESSMAN.94Dec12075941_at_rwessman.us.oracle.com>, rwessman_at_rwessman.us.oracle.com (Rick Wessman) wrote:

> In article <3c63fj$l96_at_fang.dsto.gov.au> dip_at_mod.dsto.gov.au (David) writes:
>
> >
> >Oracle v7.1.3
> >SQL*Net v1
> >SunOS 4.1.3
> >
> >Hi All,
> >
> >I'm having a few problems connecting as internal over SQL*Net 1
> >and since Oracle support don't seem to have a solution I'm just
> >wondering if anyone of you out there may have had the same
> >problem and knows how to solve it.
> >
> >The problem is when trying to connect as internal over the
> >network (SQL*Net 1) I get the error:
> >
> > SQLDBA> connect internal
> > Password:
> > ORA-01031: insufficient privileges
> >
> >If though I'm on the server running Oracle and the environment
> >variable TWO_TASK is unset I am able to connect as internal
> >(and no password is prompted for).
>
> If you are using a SQL*Net protocol which is determined to be
> non-secure, then Oracle will prompt you for a password because it cannot
> determine securely that you can become the DBA. If the TWO_TASK variable
> is not set, the default is to use the pipe driver. Since the Oracle
> server is the child of the client, it is possible for the server to
> determine the user ID of the client securely. It can then consult the
> operating system to see if you can become the DBA.
>
> >
> >I have set the remote_os_authent and remote_os_roles oracle
> >variables to be true in the init.ora file for the db and
> >shutdown and restarted the db but still no luck.
> For "normal" (non-DBA) users, this will work. But, because the
> "internal" user is so powerful, it won't.

We're experiencing a challenge of a slightly different nature. We wish to connect Macs and PCs to an HP server using SQL*NET V1 (1.1 on the server and 1.5 on the clients).

We currently use Security Dynamics/ACE SecurID cards to authenticate telnet sessions.

The question is: Is it possible/practical to intercept SQL*NET (ORASRV) at or prior to connect time and issue a system call? We need to make an API call to the Security Dynamics software to validate the card number and PIN. If the user fails the authentication, we need to be able to stop the database connection. ORASRV seems to bypass the INETD daemon - can anyone confirm or deny this?

We have implemented a similar solution for DAL/INFORMIX by intercepting the INETD and passing the information to REXEC and then making the API call to the Security Dynamics software.

Oracle marketing has indicated that they are prepared to implement such a feature in a future version of SQL*NET, but we have an immediate need.

Please post your replies to this group.

Thanks, in advance

Jon Wheat

Received on Mon Dec 12 1994 - 22:44:50 CET
