Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
I know I'm probably one of the few NT weenies on the list so I hope I don't get too much guff from the unix guys...
Disabling remote_os_authent and using external authentication are not mutually exclusive, and it's not completely devoid of security in NT.
Consider this configuration:
remote_os_authent=false
osauth_prefix_domain=true
sqlnet.authentication_services=(nts)
Now I can create externally authenticated database accounts, prefixed with the domain name instead of OPS$. When they connect to the database Oracle will authenticate them via Kerberos or NTLM, so their password doesn't even have to be passed over the network. And they are authenticated by the domain, so creating a rogue server and creating a user account with the same name still isn't going to get you authenticated, unless you can set the password on the rogue machine to the same password as the domain account.
Or am I living in a rose colored dream world?
Beth
-----Original Message-----
Sent: Wednesday, January 30, 2002 5:55 PM
To: Multiple recipients of list ORACLE-L
Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non-null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem.
The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of.
The question you want to ask yourself is how good is your front-end security?
-----Original Message-----
Sent: Wednesday, January 30, 2002 4:26 PM
To: Multiple recipients of list ORACLE-L
Can you explain that? You have me scared now.
-----Original Message-----
Sent: Wednesday, January 30, 2002 4:00 PM
To: Multiple recipients of list ORACLE-L
They can also set their username to 'SYSTEM'.
Jared
Rachel Carmichael <wisernet100_at_yahoo.com>
Sent by: root_at_fatcity.com
01/30/02 11:25 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: Re: OPS$
anyone can name their pc "oracle" and then connect in if you set "remote_os_authent"
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- Author: Rachel Carmichael INET: wisernet100_at_yahoo.com
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
-- Author: INET: Jared.Still_at_radisys.com
-- Author: Smith, Ron L. INET: rlsmith_at_kmg.com
-- Author: Bellows, Bambi INET: BBellows_at_usg.com
-- Author: Seefelt, Beth INET: Beth.Seefelt_at_TetleyUSA.com
Received on Wed Jan 30 2002 - 21:36:26 CST
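The following is an added example, not code from any poster in this thread: a small audit of the three settings in the configuration at the top of the thread, which also flags the case raised in the replies where an externally identified account such as OPS$STILL holds DBA while remote_os_authent is enabled. It assumes the settings have been collected into name=value text wherever they are actually stored, that a missing setting counts as not set, and the finding codes, sample settings and account list are constructed for illustration.

```python
# Added example, not from the thread. Settings and accounts are constructed samples.

def parse_settings(text):
    """Parse name=value lines, as written in the post, into a lowercase dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip().lower()] = value.strip().lower()
    return settings


def audit(settings, external_accounts):
    """Return finding codes; external_accounts maps account name -> set of roles."""
    findings = []
    if settings.get("remote_os_authent", "false") == "true":
        # The server accepts whatever OS user name the client machine reports.
        findings.append("REMOTE_OS_AUTHENT_ENABLED")
        for name in sorted(external_accounts):
            if "DBA" in external_accounts[name]:
                findings.append("EXPOSED_DBA:" + name)
    services = settings.get("sqlnet.authentication_services", "")
    services = [s.strip() for s in services.strip("()").split(",") if s.strip()]
    if "nts" not in services:
        # No Windows native (Kerberos/NTLM) authentication configured.
        findings.append("NTS_NOT_ENABLED")
    # Assumption: an absent osauth_prefix_domain is treated as not set.
    if settings.get("osauth_prefix_domain", "false") != "true":
        findings.append("DOMAIN_NOT_IN_ACCOUNT_NAME")
    return findings


WEAK = """
remote_os_authent=true
"""
HARDENED = """
remote_os_authent=false
osauth_prefix_domain=true
sqlnet.authentication_services=(nts)
"""
# Constructed account list: name -> granted roles.
ACCOUNTS = {"OPS$SYSTEM": set(), "OPS$STILL": {"DBA"}}

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_settings(text), ACCOUNTS))
```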