Exploring Oracle November 2004 and REMOTE_OS_AUTHENT

  • From: Jared Still <jkstill@xxxxxxxxx>
  • To: Oracle-L Freelists <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 5 Nov 2004 16:56:41 +0000

Dear List,

If you have received the latest issue of Exploring Oracle, you may have 
seen the 'tip' in the 'Tip Corner' on page 5.  

This 'tip' explains how you can avoid hardcoding passwords in scripts
by setting REMOTE_OS_AUTHENT = TRUE, and creating an externally
identified account.

This allows the account to login without a password from a machine
other than the database server.

If you are not using some form of  strong network authentication
( think Kerboros ) this is probably not a good idea.   Any user on
the network with administrative access to a PC could compromise
this database without too much effort.

See www.cybcon.com/~jkstill/remote_os_authent_exploit.doc
for an example.

If the server is a Windows machine, setting the parameter 
OSAUTH_PREFIX_DOMAIN=TRUE may make it somewhat more
secure, but I haven't tried it.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

Other related posts:

  • » Exploring Oracle November 2004 and REMOTE_OS_AUTHENT