Re: ops$ logins from both secure and nonsecure clients with same username
Date: 1996/08/05
Message-ID: <3206017C.6DD2_at_WorldBank.Org>#1/1
Wish I'd noticed this discussion earlier :-} We are struggling with something similar.
Until recently, we had used the Remote_OS_Authent to allow the remote connections...but then we only allowed such connections via DECNet with VMS Proxy mechanism giving us a higher degree of warm'n'fuzzies about the source than we get as we look at allowing TCP/IP connections...
What we would *like* is to enable Remote_OS_Authent for DECNet connections - and IPC connections for that matter - but *not* TCP/IP connections. Alas, that selectivity does not exist.
So we are left with two choices:
o use Remote_OS_Authent and work *really* hard to try to ensure a secure network...which is pretty much impossible when it comes to TCP/IP without add-ons such as encrypting network cards, Secure Network Services, or the like...
o turn off Remote_OS_Authent and start hardwiring passwords into those batch tasks that work across instances...which is hardly a good security move either.
Our current thinking is to at least start with two UserIds for each person: an Ops$... and a non-Ops$..., where the latter would be IDENTIFIED EXTERNALLY and, since its use would be protected by an OS logon that we've come to somewhat trust, the Ops$ accounts would tend to be allowed broader Oracle privileges.
-- Barry Johnson - BJohnson_at_WorldBank.Org - ph. (202)458-0585
Received on Mon Aug 05 1996 - 00:00:00 CEST