Re: oracle authentication from windows
Hi Arup,
At 21:59 21/06/2003 -0800, you wrote:
<Snip>...
>An OS user called scott will be able to connect as the database user
>OPS$SCOTT, not SCOTT - a big difference. This is why the os_authent_prefix
>parameter is so important to set; don't leave it as null. If it is null,
>then the OS user scott can connect to database user scott.
>
Maybe I am missing the obvious...
Considering remote_os_authent=false, why is os_authent_prefix=''
inherently less secure for LOCAL connections than os_authent_prefix=OPS$
or whatever string you choose?
In each case, the prerequisite is to create the user "identified externally"
(that's where you MUST be cautious).
But if scott is created with a password (i.e. create user scott identified
by tiger),
then no OS user scott can log on, whatever the os_authent_prefix is.
At least that's how I understand the feature.
Can you please elaborate on the security issue?
>> Any ideas how to restrict the externally identified users so that they
>> have to log in to the database server to access their oracle schemas?
>
>Well, they are mutually exclusive. A user is authenticated by either the
>database or externally, not both. So if you create user scott identified
>externally, you are allowing him to bypass database authentication. If you
>don't want that, then you would create user SCOTT identified by a password.
>
In fact, if os_authent_prefix=OPS$ and ONLY in this case,
you can still do this (it's inherited from V6 days but still working
with Oracle 9i R2):
create user ops$arup identified by nanda;
grant create session to ops$arup;
And now you can either connect with
sqlplus /
or
sqlplus /nolog
connect ops$arup/nanda
or
sqlplus /nolog
connect ops$arup
password : nanda
Although it doesn't work directly from the command line
like sqlplus ops$arup/nanda
or sqlplus ops$arup
password : nanda
(But works again after you get
Enter username for a 2nd try)
Regards
Gilles Parc
carpe diem !!
Author: Gilles PARC
Received on Tue Jun 24 2003 - 15:41:43 CDT
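
An audit query for the settings discussed in this message, added here as an example and not part of the original post. It assumes the Oracle 9i/10g data dictionary, where DBA_USERS.PASSWORD shows EXTERNAL for accounts created "identified externally", and it counts password-protected OPS$ accounts as reachable by OS login on the strength of the behaviour described in the message.

```sql
-- Added example: run as a user with access to V$PARAMETER and DBA_USERS.

-- 1. The two parameters the thread turns on.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Accounts that an OS login ("sqlplus /") can map to under the
--    current prefix, with the OS user name each one corresponds to.
SELECT u.username,
       u.account_status,
       -- strip the prefix to get the matching OS account name
       SUBSTR(u.username, NVL(LENGTH(p.prefix), 0) + 1) AS os_user,
       CASE
         WHEN u.password = 'EXTERNAL' THEN 'identified externally'
         ELSE 'OPS$ account with a password (per the message, / also works)'
       END AS reason
FROM   dba_users u,
       (SELECT UPPER(value) AS prefix
        FROM   v$parameter
        WHERE  name = 'os_authent_prefix') p
WHERE  u.username LIKE p.prefix || '%'   -- NULL prefix matches every name
AND    (u.password = 'EXTERNAL'          -- OS-authenticated accounts
        OR p.prefix = 'OPS$')            -- dual-mode case from the message
ORDER  BY u.username;
```

With an empty prefix the second query returns only the externally identified accounts, which is the set to review when remote_os_authent is changed.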