Re: Rumor Breaking

Daniel -

I'm pretty familiar with this gaping hole, but I don't believe for a second that there's anything that anyone can do to the listener.ora file to block access. Instead, a DBA should set REMOTE_OS_AUTHENT to FALSE in the init.ora file to turn off remote operating system authentication.

While I don't have any experience connecting to an Oracle database via the Mac or OS/2, I've demonstrated the lack of security when connecting from a Win95 or Win98 box. It's painfully easy to simply masquerade as another user and cause all sorts of havoc to someone else's Oracle account.

Connections from a WinNT or Win2000 box are just fine due to the logins that those operating systems require.

Is this what you had in mind?

Bye,
TG

Daniel Morgan wrote:

> I found the following text somewhere and saved it in the hope of
> figuring out something I didn't know.
>
> "Automatic logins by PC, Apple MacIntosh, and OS/2 users are not secure.
> Anyone can edit the Oracle configuration file and change their user ID.
> For security reasons, if users of these systems are logging in over the
> network, Oracle Corporation strongly recommends you disable the ops$
> logins in the listener.ora."
>
> Unfortunately, after diligent research, I can not find any referene to
> disabling externally authenticated accounts in listener.ora.
>
> Can someone please point me to a source document that explains the
> connection?
>
> Thanks.
>
> Daniel Morgan

--
=====================================================
Thomas Gaines
Professional Research Assistant / Senior DBA
CIRES, NGDC/NOAA
303.497.3798  (office)
303.912.1241  (cell)
thomas.gaines_at_noaa.gov
=====================================================