A reader, July 26, 2002 - 2:07 am UTC
I understood that setting remote_os_authent=true is security hole. But my question is other: if I have remote_os_authent=false, can I have users in DB identified externally and client on Windows NT/2K and DB server on other platform (VMS, AIX)?
Thanks,
R. Kazimir.
July 26, 2002 - 6:45 am UTC
No, you cannot, not as far as I know.
This applies in general?
anonymous, January 07, 2005 - 10:00 pm UTC
Tom.. does this apply if say I have a UNIX or LINUX box of any flavor on a network and have remote_os_auth=true, is there a risk of anyone plopping on a windows box and accomplishing the same thing? For some reason, our using this was suggested as a security SOLUTION, for allowing discover users to authenticate on a server or something.. not clear. I gave them your response.
January 08, 2005 - 4:42 pm UTC
yup. why not? my windows "box" runs linux just dandy (vmware) and my manager's macintosh would make this trivial too.
remote os authent is a totally risky situation
a question on this
Jeff, August 23, 2007 - 6:05 pm UTC
Tom,
You said:
<<that would open a security hole the size of Texas (thats big). All I would have to do is drop a windows machine on your network, create a user "system"
or "sys" and I'm in>>
Doesn't that presume that I've created an externally authenticated db account OPS$SYTEM or OPS$SYS? Just because this parameter is set doesn't mean anyone can get into a NON-externally authenticated account with the same name as an OS user, does it?
We are looking at setting up OPS$ accounts for users to be able to get in and do workbooks/ODBC type connections from their PCs to our unix rdbms. We have *no* externally authenticated admin-type accounts. Externally authenticated accounts would only have very limited privs ("Create session" and "select on specific objects)". Do we still have an exposure that I'm not seeing?
August 24, 2007 - 1:58 pm UTC
depends on what your remote OS AUTHENT PREFIX is set to.
and it would mean, that you could become any identified externally account, enter "texas" again.
you would still be exposed, you might just as well create accounts with a constant password.
Jeff, August 27, 2007 - 10:57 am UTC
<depends on what your remote OS AUTHENT PREFIX is set to.
Assuming it is not set to "", access to SYS and SYSTEM would not be available to any externally id'd user, correct?
I understand that there are other ramifications, but I want to be able to present this to management with the proper caveats.
September 04, 2007 - 11:55 am UTC
depends on what you have set up entirely.
the proper caveat should be "do not do this, it is a really bad idea"
there are external authentication methods available like kerberos and others - they are safe to use.
remote_os_auth
A reader, August 14, 2009 - 8:34 am UTC
Hi Tom,
Do you know of any Oracle utilities or applications (ie: OEM, sqldeveloper, apex, etc.) that require the setting of remote_os_auth=true?
Thanks,
Ben Alvey
August 24, 2009 - 7:46 am UTC
no, I do not
oracle 11
edgar, November 25, 2009 - 5:59 am UTC
I used remote_os_auth parameter as a workaround for a legacy application.<br/> It give me possibility to move the application avay from the database server machine (great save on Oracle licenses). <br/> To cover the security hole i created the on-logon trigger: <br/> create or replace trigger SYS.RESTRICT_IP_LOGON<br/>
after logon on database<br/>
declare<br/>
v_ip varchar2(15);<br/>
v_dbuser varchar2(30);<br/>
v_os_auth boolean;<br/>
begin<br/>
V_ip := SYS_CONTEXT('USERENV','IP_ADDRESS');<br/>
v_dbuser := SYS_CONTEXT('USERENV','SESSION_USER');<br/>
if SYS_CONTEXT('USERENV','AUTHENTICATION_TYPE') = 'OS'<br/>
then<br/>
v_os_auth:= true;<br/>
else<br/>
v_os_auth:= false;<br/>
end if;<br/>
--<br/>
----------- OS authentication is limited to datacenter IPs only! --------------<br/>
--<br/>
if V_ip is not null and v_os_auth then<br/>
if<br/>
V_ip not like '192.168.1.%' --<br/>
then<br/>
dbms_system.ksdwrt(2,'SYS.RESTRICT_IP_LOGON: attemp to login as '||v_dbuser||' detected from address'||V_ip||' !');<br/>
raise_application_error(-20001, 'Login as '||v_dbuser||' prohibited from this IP! This incident will be reported!');<br/>
end if;<br/>
end if;<br/>
end;<br/>
/<br/> <br/> And now i have to ugrade the database to the 11g ... <br/> But the remote_os_auth parameter is deprecated in 11. <br/>What should i do to keep the possibility to connect using slash from another machine?<br/>Does the Advanced Security Option provide that functionality?
November 25, 2009 - 3:21 pm UTC
what happens when someone drops their own laptop in here? that is all it would take. This is not secure.
anyway.
deprecated doesn't mean what you must think it does.
The REMOTE_OS_AUTHENT parameter is deprecated. It is retained for backward compatibility only.If you have a legacy application - what is to say you can even use 11g? If you say "we'll fix things in the code if we need to for 11g", then you could point out that "you need to fix that so we can authenticate using something secure"
see
http://docs.oracle.com/docs/cd/E11882_01/server.112/e10595/create008.htm#ADMIN11133 that would be a way going forward.
Excellent
Ken, June 30, 2010 - 6:24 am UTC
Thank you for this thread. It just came in very handy.
Please update link
Ed, May 12, 2011 - 8:37 am UTC
The topic of this thread is exactly what I'm looking for, however the url points to a non-existing page. Would you please be able to provide a link to the appropriate 11g document.
Thanks in advance.
May 12, 2011 - 9:23 am UTC