
Re: As oracle/dba still need internal passwd.. why?

From: Howard J. Rogers <howardjr_at_www.com>
Date: Tue, 13 Feb 2001 10:10:03 +1100
Message-ID: <G9_h6.169$305.62009@inet16.us.oracle.com>

"Niall Litchfield" <n-litchfield_at_audit-commission.gov.uk> wrote in message news:9692al$9v8$1_at_soap.pipex.net...
> a much fuller summary than mine, which omitted SHARED (to avoid confusion
> since it is my understanding that oracle will also check the os when this is
> set, as well as the password file - I am more than willing to be
> corrected). My understanding of Oracle's 'position' came from this bit of
> the docs
>
> Suggestion:
> To achieve the greatest level of security, you should set the
> REMOTE_LOGIN_PASSWORDFILE file initialization parameter to EXCLUSIVE
> immediately after creating the password file.
>
>
>
> obviously this is a 'suggestion' not a firm recommendation. Incidentally the
> 8.1.6 docs state that the default for this parameter is none.
>

Interesting. I've just installed 8.1.7, and got the default ORCL database created. The init.ora it generated for me has remote_login_passwordfile set to "exclusive". When I rem that out, and restart the database, I do indeed get NONE as the setting.

So - my apologies. I've mistaken the starter database defaults for the actual Oracle defaults.

Regards
HJR
>
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
>
>
>
> "Howard J. Rogers" <howardjr_at_www.com> wrote in message
> news:3a87d5ad_at_news.iprimus.com.au...
> > remote_login_passwordfile can be set to SHARED, EXCLUSIVE or NONE.
> >
> > NONE means all DBA work is done by walking into a secured server room to
> > perform DBA actions.... it's a secure environment, no-one is likely to be
> > able to walk up to the computer I am using and assume my identity, no-one is
> > likely to be able to watch over my shoulder as I log on. All verification
> > is handled by the O/S, and since no-one else can access the O/S via my
> > terminal, it's entirely secure. Given that I've had to provide a keypad
> > password to the server room itself, plus log on to the Unix box with the
> > requisite username and password, I don't see why Oracle should itself
> > require further proof of identity!
> >
> > EXCLUSIVE means I log on as a DBA in the outside world (a terminal in an
> > open plan office, which I leave from time to time, so anyone could walk up
> > to it and assume my identity). Even if I leave my terminal logged on to the
> > domain, connections to Oracle will require the supply of an additional
> > password, so as long as I don't leave myself logged in to Server Manager,
> > things are pretty safe. What's more, we have three databases to manage, and
> > I only look after one of them.... the other two don't want me on their
> > database, and I don't want them on mine.
> >
> > SHARED means all of the above, except that the three of us work as one team,
> > and I can look after their databases as much as they can look after mine.
> > So who needs private, database-specific passwords? We just want one set of
> > passwords which will give all of us privileges on each of the databases.
> >
> > There's no preferred setting on Oracle's part (though EXCLUSIVE is the
> > default). It all depends entirely on where you are, what you are doing, and
> > what your DBA'ing environment is.
> >
> > Regards
> > HJR
> >
> >
> > "Niall Litchfield" <n-litchfield_at_audit-commission.gov.uk> wrote in message
> > news:968ji4$116$1_at_soap.pipex.net...
> > > I see no-one else has responded yet. in order to connect with sysdba
> > > privileges you are authenticated to oracle in one of two ways. Your system
> > > looks to be set up for password file authentication eg in your init.ora you
> > > have the line
> > >
> > > remote_login_passwordfile=exclusive.
> > >
> > > the alternative is to allow operating system authentication of sysdba users.
> > > this is done by setting
> > >
> > > remote_login_passwordfile=none
> > >
> > > My reading of the documentation suggests that the exclusive setting is
> > > preferred by oracle since you would then need to know two passwords (an os
> > > one and an oracle one) in order to perform sysdba type actions. This seems
> > > pretty reasonable to me.
> > >
> > >
> > > --
> > > Niall Litchfield
> > > Oracle DBA
> > > Audit Commission UK
> > > "Tony Adolph" <tony.adolph_at_viaginterkom.de> wrote in message
> > > news:95ugre$tbk$1_at_nnrp1.deja.com...
> > > > Hello All,
> > > >
> > > > I am building a new database (Ora 8i) on Solaris 2.6. I have used the
> > > > db assistant to create the create scripts and I have set ORACLE_HOME
> > > > and ORACLE_SID to the new values. But I have a problem: from the
> > > > oracle account (with dba group) I cannot connect internal using SVRMGRL
> > > > without a password. I used orapwd to create a password and it works.
> > > > But why do I need the password when I'm logged in as oracle and am a
> > > > member of the dba group?
> > > >
> > > > Any clues folks?
> > > >
> > > > Cheers
> > > > Tony.
> > > >
> > > >
> > > > Sent via Deja.com
> > > > http://www.deja.com/
> > >
> > >
> >
> >
>
>
Received on Mon Feb 12 2001 - 17:10:03 CST
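
An added example, not part of the thread and not Oracle's code: a small audit helper that reads the text of an init.ora and reports the effective remote_login_passwordfile mode, distinguishing a value the file sets from the default that applies when the line is absent or commented out (the starter-database mix-up described above). The function names, the sample file contents, the '#' comment handling and the "later assignment wins" rule are assumptions of this example; the NONE default is the one the thread reports for 8.1.6/8.1.7.

```python
import re

# Default reported in the thread for 8.1.6/8.1.7 when the parameter is unset.
THREAD_DEFAULT = "NONE"

# One-line summaries paraphrasing the thread, not Oracle documentation.
MODES = {
    "NONE": "no password file; SYSDBA verification is left to the O/S",
    "EXCLUSIVE": "password file used, private to this one database",
    "SHARED": "password file used, one set of passwords across several databases",
}

ASSIGN = re.compile(r"^\s*remote_login_passwordfile\s*=\s*(.*?)\s*$", re.IGNORECASE)


def effective_mode(init_ora_text):
    """Return (mode, explicit) for the text of an init.ora file."""
    mode, explicit = THREAD_DEFAULT, False
    for line in init_ora_text.splitlines():
        line = line.split("#", 1)[0]  # drop whole-line and trailing '#' comments
        match = ASSIGN.match(line)
        if not match:
            continue
        value = match.group(1).strip("\"'").upper()
        if value not in MODES:
            raise ValueError(f"unrecognised remote_login_passwordfile value: {value!r}")
        # Assumption of this example: a later assignment overrides an earlier one.
        mode, explicit = value, True
    return mode, explicit


def report(init_ora_text):
    """Return a one-line audit finding for the given init.ora text."""
    mode, explicit = effective_mode(init_ora_text)
    origin = "set explicitly" if explicit else "not set, default applies"
    return f"remote_login_passwordfile={mode} ({origin}): {MODES[mode]}"


# Constructed samples: a starter-database style file, and the same file
# with the parameter commented out.
STARTER = 'db_name = ORCL\nremote_login_passwordfile = "exclusive"  # starter db\n'
COMMENTED = "db_name = ORCL\n# remote_login_passwordfile = exclusive\n"

if __name__ == "__main__":
    for sample in (STARTER, COMMENTED):
        print(report(sample))
```
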
