I don't think you are living in a dream world... the key parameter you
set (that ensures the security) is

remote_os_authent=false

If you set that false in Unix, you can do basically the same thing you
are doing in NT, and you can only log in using external authentication
if you are actually logged onto the machine that the database is on.


--- "Seefelt, Beth" <[EMAIL PROTECTED]> wrote:
> 
> I know I'm probably one of the few NT weenies on the list so I hope I
> don't get too much guff from the unix guys...
> 
> Disabling remote_os_authent and using external authentication are not
> mutually exclusive, and it's not completely devoid of security in NT.
> 
> Consider this configuration
> 
> remote_os_authent=false
> osauth_prefix_domain=true
> 
> sqlnet.authentication_services=(nts)
> 
> Now I can create externally authenticated database accounts, prefixed
> with the domain name instead of OPS$.  When they connect to the
> database Oracle will authenticate them via Kerberos or NTLM, so their
> password doesn't even have to be passed over the network.  And they
> are authenticated by the domain, so creating a rogue server and
> creating a user account with the same name still isn't going to get
> you authenticated, unless you can set the password on the rogue
> machine to the same password as the domain account.
> 
> Or am I living in a rose colored dream world?
> 
> Beth
> 
> 
> 
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 5:55 PM
> To: Multiple recipients of list ORACLE-L
> 
> 
> Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so
> long as your authentication demands an OPS$ or basically any other non null
> string of characters, who cares?  OPS$SYSTEM is not going to wind up being a
> DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then
> you've got a problem.
> 
> The long and short of it is that the OPS security is only as good as the box
> it is serving.  If you're on any computer with C level security or higher,
> there is nothing wrong with using OPS$ as you are using operating system
> level security.  So, if, for example, you are using VMS, MVS, CDC, Cray, or
> anything us old folks might have used 10 years ago, OPS$ is terrific.  If
> your operating system is making Bill Gates richer, you have no security to
> speak of.
> 
> The question you want to ask yourself is how good is your front-end
> security?
> 
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:26 PM
> To: Multiple recipients of list ORACLE-L
> 
> Can you explain that?  You have me scared now.
> 
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:00 PM
> To: Multiple recipients of list ORACLE-L
> 
> 
> They can also set their username to 'SYSTEM'.
> 
> Jared
> 
> 
> 
> 
> 
> Rachel Carmichael <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 01/30/02 11:25 AM
> Please respond to ORACLE-L
> 
>  
>         To:     Multiple recipients of list ORACLE-L
> <[EMAIL PROTECTED]>
>         cc: 
>         Subject:        Re: OPS$
> 
> 
> anyone can name their pc "oracle" and then connect in if you set
> "remote_os_authent"
> 
> 
> --- "Smith, Ron L." <[EMAIL PROTECTED]> wrote:
> > Does anyone have any information on security problems using the OPS$
> > account?
> > 
> > Ron
> > -- 
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > -- 
> > Author: Smith, Ron L.
> >   INET: [EMAIL PROTECTED]
> > 
> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> > San Diego, California        -- Public Internet access / Mailing
> > Lists
> >
> --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from).  You may
> > also send the HELP command for other information (like
> subscribing).
> 
> 
> Author: Bellows, Bambi
=== message truncated ===


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Rachel Carmichael
  INET: [EMAIL PROTECTED]
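
An added example, not part of the original thread: a small audit of the settings discussed above, run over parameter-file text. The sample files are constructed, the defaults used for absent parameters (remote_os_authent=false, os_authent_prefix=OPS$) are an assumption, and osauth_prefix_domain is read from the parameter text only because the thread lists it there.

```python
import re

# Assumed defaults when a parameter is absent from the file.
DEFAULTS = {"remote_os_authent": "false", "os_authent_prefix": "ops$"}

def parse_params(text):
    """Parse name=value lines; names are case-insensitive, '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(?:\*\.)?([\w.]+)\s*=\s*(.+)$", line)
        if m:
            value = m.group(2).strip().strip("'\"")
            params[m.group(1).lower()] = value.lower()
    return params

def audit(init_ora, sqlnet_ora=""):
    """Return findings for the external-authentication risks raised in the thread."""
    p = {**DEFAULTS, **parse_params(init_ora)}
    s = parse_params(sqlnet_ora)
    findings = []
    if p["remote_os_authent"] == "true":
        findings.append("remote_os_authent=true: the OS user name reported "
                        "by a remote client is trusted")
    if p["os_authent_prefix"] == "":
        findings.append("empty os_authent_prefix: an external account name "
                        "can equal a regular account name such as SYSTEM")
    services = re.findall(r"\w+", s.get("sqlnet.authentication_services", ""))
    if p.get("osauth_prefix_domain") == "true" and "nts" not in services:
        findings.append("osauth_prefix_domain=true without nts in "
                        "sqlnet.authentication_services")
    return findings

# Constructed sample input: a weak file, then the configuration from the thread.
WEAK_INIT = "REMOTE_OS_AUTHENT = TRUE   # legacy setting\nos_authent_prefix = ''\n"
THREAD_INIT = "remote_os_authent=false\nosauth_prefix_domain=true\n"
THREAD_SQLNET = "sqlnet.authentication_services=(nts)\n"

if __name__ == "__main__":
    for name, args in (("weak", (WEAK_INIT,)),
                       ("thread", (THREAD_INIT, THREAD_SQLNET))):
        print(name, audit(*args) or "no findings")
```
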
