
Tom Kyte

Asked: July 25, 2002 - 7:55 am UTC

Last updated: May 12, 2011 - 9:23 am UTC

Version: 8.1.7

You Asked

Hello,

I have a user client on Windows NT 4/2K and DB server Oracle 8.1.7 on VMS platform. Is there a possibility to use trusted connection (user identified externally) from Windows NT/2K workstation without setting remote_os_auth=true?

Thanks,

R. Kazimir

and Tom said...

that would open a security hole the size of Texas (that's big).

All I would have to do is drop a windows machine on your network, create a user "system" or "sys" and I'm in.

NEVER set remote_os_authent! Not unless you are in a 100% physically secured environment and can be sure no one will be attaching a machine to your network unless you want them to.

Comments

A reader, July 26, 2002 - 2:07 am UTC

I understood that setting remote_os_authent=true is security hole. But my question is other: if I have remote_os_authent=false, can I have users in DB identified externally and client on Windows NT/2K and DB server on other platform (VMS, AIX)?

Thanks,
R. Kazimir.

Tom Kyte
July 26, 2002 - 6:45 am UTC

No, you cannot, not as far as I know.

This applies in general?

anonymous, January 07, 2005 - 10:00 pm UTC

Tom.. does this apply if say I have a UNIX or LINUX box of any flavor on a network and have remote_os_auth=true, is there a risk of anyone plopping on a windows box and accomplishing the same thing? For some reason, our using this was suggested as a security SOLUTION, for allowing discover users to authenticate on a server or something.. not clear. I gave them your response.

Tom Kyte
January 08, 2005 - 4:42 pm UTC

yup. why not? my windows "box" runs linux just dandy (vmware) and my manager's macintosh would make this trivial too.

remote os authent is a totally risky situation

a question on this

Jeff, August 23, 2007 - 6:05 pm UTC

Tom,

You said:
<<that would open a security hole the size of Texas (thats big). All I would have to do is drop a windows machine on your network, create a user "system"
or "sys" and I'm in>>

Doesn't that presume that I've created an externally authenticated db account OPS$SYTEM or OPS$SYS? Just because this parameter is set doesn't mean anyone can get into a NON-externally authenticated account with the same name as an OS user, does it?

We are looking at setting up OPS$ accounts for users to be able to get in and do workbooks/ODBC type connections from their PCs to our unix rdbms. We have *no* externally authenticated admin-type accounts. Externally authenticated accounts would only have very limited privs ("Create session" and "select on specific objects)". Do we still have an exposure that I'm not seeing?

Tom Kyte
August 24, 2007 - 1:58 pm UTC

depends on what your remote OS AUTHENT PREFIX is set to.

and it would mean, that you could become any identified externally account, enter "texas" again.

you would still be exposed, you might just as well create accounts with a constant password.

Jeff, August 27, 2007 - 10:57 am UTC

<depends on what your remote OS AUTHENT PREFIX is set to.

Assuming it is not set to "", access to SYS and SYSTEM would not be available to any externally id'd user, correct?

I understand that there are other ramifications, but I want to be able to present this to management with the proper caveats.

Tom Kyte
September 04, 2007 - 11:55 am UTC

depends on what you have set up entirely.

the proper caveat should be "do not do this, it is a really bad idea"

there are external authentication methods available like kerberos and others - they are safe to use.
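A review script for the two settings and the account set this thread keeps returning to, added here as an example; it is not from the thread or from Oracle's documentation. It assumes an Oracle 11g data dictionary (DBA_USERS.AUTHENTICATION_TYPE exists from 11.1; on 8i through 10g use PASSWORD = 'EXTERNAL' instead) and a session that can read the DBA views.

```sql
-- Added review script (not from the thread). Assumes 11g dictionary
-- views and DBA access; constructed for illustration.

-- 1. The two parameters the thread turns on. remote_os_authent=TRUE
--    combined with a short or empty os_authent_prefix is the risky case.
select name, value
  from v$parameter
 where name in ('remote_os_authent', 'os_authent_prefix');

-- 2. Every account an OS user name could be mapped onto. With
--    os_authent_prefix = '' an OS user called SYSTEM would map to the
--    database account SYSTEM if that account were ever made EXTERNAL.
select username,
       account_status,
       (select value from v$parameter where name = 'os_authent_prefix') as prefix
  from dba_users
 where authentication_type = 'EXTERNAL'
 order by username;

-- 3. Externally identified accounts holding powerful roles or system
--    privileges. The "limited privs, CREATE SESSION only" policy
--    described above is only met if this returns no rows.
select u.username, 'ROLE ' || r.granted_role as grant_text
  from dba_users u
  join dba_role_privs r on r.grantee = u.username
 where u.authentication_type = 'EXTERNAL'
   and r.granted_role in ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
union all
select u.username, 'PRIV ' || s.privilege
  from dba_users u
  join dba_sys_privs s on s.grantee = u.username
 where u.authentication_type = 'EXTERNAL'
   and s.privilege <> 'CREATE SESSION'
 order by 1, 2;
```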

remote_os_auth

A reader, August 14, 2009 - 8:34 am UTC

Hi Tom,

Do you know of any Oracle utilities or applications (ie: OEM, sqldeveloper, apex, etc.) that require the setting of remote_os_auth=true?

Thanks,
Ben Alvey

Tom Kyte
August 24, 2009 - 7:46 am UTC

no, I do not

oracle 11

edgar, November 25, 2009 - 5:59 am UTC

I used the remote_os_auth parameter as a workaround for a legacy application. It gave me the possibility to move the application away from the database server machine (a great saving on Oracle licenses). To cover the security hole I created this on-logon trigger:

    -- Logon trigger as posted; typo in the log message fixed, comments added.
    create or replace trigger SYS.RESTRICT_IP_LOGON
    after logon on database
    declare
      v_ip      varchar2(15);
      v_dbuser  varchar2(30);
      v_os_auth boolean;
    begin
      v_ip     := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
      v_dbuser := SYS_CONTEXT('USERENV', 'SESSION_USER');

      -- was this session authenticated by the OS (connect /)?
      if SYS_CONTEXT('USERENV', 'AUTHENTICATION_TYPE') = 'OS' then
        v_os_auth := true;
      else
        v_os_auth := false;
      end if;

      -- OS authentication is limited to datacenter IPs only!
      -- (v_ip is null for local bequeath connections, which are left alone)
      if v_ip is not null and v_os_auth then
        if v_ip not like '192.168.1.%' then
          -- write to the alert log, then reject the login
          dbms_system.ksdwrt(2, 'SYS.RESTRICT_IP_LOGON: attempt to login as '
                                || v_dbuser || ' detected from address ' || v_ip || ' !');
          raise_application_error(-20001, 'Login as ' || v_dbuser
                                || ' prohibited from this IP! This incident will be reported!');
        end if;
      end if;
    end;
    /

And now I have to upgrade the database to 11g, but the remote_os_auth parameter is deprecated in 11. What should I do to keep the possibility to connect using slash from another machine? Does the Advanced Security Option provide that functionality?

Tom Kyte
November 25, 2009 - 3:21 pm UTC

what happens when someone drops their own laptop in here? that is all it would take. This is not secure.

anyway.

deprecated doesn't mean what you must think it does.

The REMOTE_OS_AUTHENT parameter is deprecated. It is retained for backward compatibility only.
If you have a legacy application - what is to say you can even use 11g? If you say "we'll fix things in the code if we need to for 11g", then you could point out that "you need to fix that so we can authenticate using something secure"
see
http://docs.oracle.com/docs/cd/E11882_01/server.112/e10595/create008.htm#ADMIN11133

that would be a way going forward.

Excellent

Ken, June 30, 2010 - 6:24 am UTC

Thank you for this thread. It just came in very handy.

Please update link

Ed, May 12, 2011 - 8:37 am UTC

The topic of this thread is exactly what I'm looking for, however the url points to a non-existing page. Would you please be able to provide a link to the appropriate 11g document.
Thanks in advance.