
Re: OPS$

From: Jared Still <jkstill_at_cybcon.com>
Date: Wed, 30 Jan 2002 19:53:06 -0800
Message-ID: <F001.0040184D.20020130194529@fatcity.com>

Sounds about right to me.

The security part, that is. :)

Jared

On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote:
> I know I'm probably one of the few NT weenies on the list so I hope I don't
> get too much guff from the unix guys...
>
> Disabling remote_os_authent and using external authentication are not
> mutually exclusive, and it's not completely devoid of security in NT.
>
> Consider this configuration
>
> remote_os_authent=false
> osauth_prefix_domain=true
>
> sqlnet.authentication_services=(nts)
>
> Now I can create externally authenticated database accounts, prefixed with
> the domain name instead of OPS$. When they connect to the database Oracle
> will authenticate them via Kerberos or NTLM, so their password doesn't even
> have to be passed over the network. And they are authenticated by the
> domain, so creating a rogue server and creating a user account with the
> same name still isn't going to get you authenticated, unless you can set
> the password on the rogue machine to the same password as the domain
> account.
>
> Or am I living in a rose colored dream world?
>
> Beth
>
>
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 5:55 PM
> To: Multiple recipients of list ORACLE-L
>
>
> Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so
> long as your authentication demands an OPS$ or basically any other non null
> string of characters, who cares? OPS$SYSTEM is not going to wind up being
> a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL,
> then you've got a problem.
>
> The long and short of it is that the OPS security is only as good as the
> box it is serving. If you're on any computer with C level security or
> higher, there is nothing wrong with using OPS$ as you are using operating
> system level security. So, if, for example, you are using VMS, MVS, CDC,
> Cray, or anything us old folks might have used 10 years ago, OPS$ is
> terrific. If your operating system is making Bill Gates richer, you have
> no security to speak of.
>
> The question you want to ask yourself is how good is your front-end
> security?
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:26 PM
> To: Multiple recipients of list ORACLE-L
>
> Can you explain that? You have me scared now.
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:00 PM
> To: Multiple recipients of list ORACLE-L
>
>
> They can also set their username to 'SYSTEM'.
>
> Jared
>
>
>
>
>
> Rachel Carmichael <wisernet100_at_yahoo.com>
> Sent by: root_at_fatcity.com
> 01/30/02 11:25 AM
> Please respond to ORACLE-L
>
>
> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> cc:
> Subject: Re: OPS$
>
>
> anyone can name their pc "oracle" and then connect in if you set
> "remote_os_authent"
>
> --- "Smith, Ron L." <rlsmith_at_kmg.com> wrote:
> > Does anyone have any information on security problems using the OPS$
> > account?
> >
> > Ron
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Smith, Ron L.
> > INET: rlsmith_at_kmg.com
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing
> > Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Received on Wed Jan 30 2002 - 21:53:06 CST
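
Added example, not part of the original thread and not Oracle's code: a small audit that compares a set of name=value settings against the configuration described in the quoted message and flags the OPS$STILL case raised earlier in the thread. The sample settings, the account list, the severity labels and the rule that an absent setting counts as not enabled are all assumptions made for this example.

```python
import re

# Constructed sample settings: the "name=value" lines from the message, and a weak variant.
HARDENED = """remote_os_authent=false
osauth_prefix_domain=true
sqlnet.authentication_services=(nts)"""
WEAK = "remote_os_authent = true   # trusts what the client reports"
# Constructed account list: externally identified account -> granted roles.
ACCOUNTS = {"OPS$STILL": {"DBA"}, "OPS$SYSTEM": {"CONNECT"}}

def parse_params(text):
    """Parse 'name = value' lines into a dict; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip().strip("()").lower()
    return params

def audit(params, external_accounts):
    """Return (severity, message) findings; severities are this example's own labels.
    A setting that is absent is treated as not enabled (assumption)."""
    findings = []
    if params.get("remote_os_authent", "false") == "true":
        findings.append(("HIGH", "remote_os_authent=true: the OS user name a remote "
                         "client reports is accepted as proof of identity"))
        # The OPS$STILL case from the thread: a privileged account reachable by name alone.
        for name, roles in sorted(external_accounts.items()):
            if "DBA" in roles:
                findings.append(("HIGH", f"{name} is externally identified and holds DBA"))
    services = re.split(r"[,\s]+", params.get("sqlnet.authentication_services", ""))
    if "nts" not in services:
        findings.append(("MEDIUM", "sqlnet.authentication_services does not list nts"))
    if params.get("osauth_prefix_domain", "false") != "true":
        findings.append(("LOW", "osauth_prefix_domain is not true: external account "
                         "names are not prefixed with the domain name"))
    return findings

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label)
        for severity, message in audit(parse_params(text), ACCOUNTS):
            print(f"  [{severity}] {message}")
```

In practice the account list would come from the data dictionary rather than a literal.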
