I think it is possible to use this mechanism only if Oracle is on a Windows platform. Am I right?
On Microsoft Windows, Kerberos is the authentication protocol generally leveraged to allow clients to connect to the Oracle database using OS credentials. To implement this, you need to add this line to your sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES=(NTS)
Once that is accomplished, you can authorize external roles through the 'OS_ROLES' switch, which can be very handy but requires close cooperation between your DBAs and System Administrators for effective user management.
In Linux, local OS authentication is enabled by default, and is widely used for administration purposes. Remote authentication, on the other hand, is rarely used as it opens up a considerable vulnerability, and is very risky.
To set up Oracle remote authentication on Linux, you would need to set the REMOTE_OS_AUTHENT parameter to true, identify the user externally, and prefix the username with the OS_AUTHENT_PREFIX (which I believe may be why you are seeing that error). While you can mitigate some of the risk of implementing this through solid listener configuration and IP filtering, this type of remote authentication is something I strongly suggest avoiding.
If you definitely need to utilize this type of authentication, it is EXTREMELY important to NOT use the default OS_AUTHENT_PREFIX of OPS$. In most configurations, allowing remote authentication will allow ANY client able to connect to the database server to login as any user so long as the OS username matches the Oracle username.
Obtaining the 'keys to the kingdom' can be as easy as putting a Linux image, containing a user named 'SYSTEM', on a USB stick. Changing the OS_AUTHENT_PREFIX does reduce risk, but it is security through obscurity, which rarely deters the motivated.
Have a question for Brian Fedorko? Send an e-mail to email@example.com
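The following is an added example, not part of the original answer: a small offline check that reads init.ora and sqlnet.ora text and reports the risky combination described above (REMOTE_OS_AUTHENT enabled, the default OPS$ prefix, no IP filtering). The sample files are constructed, and TCP.VALIDNODE_CHECKING is assumed here as the sqlnet.ora IP-filtering switch; the answer itself does not name it.

```python
"""Added example: audit init.ora / sqlnet.ora text for remote OS authentication."""

# Oracle defaults that apply when a parameter is absent from the pfile.
DEFAULTS = {"remote_os_authent": "FALSE", "os_authent_prefix": "OPS$"}

# Constructed sample files (not taken from the original page).
WEAK_INIT_ORA = """\
*.db_name='ORCL'
*.remote_os_authent=TRUE   # prefix not set, so the OPS$ default applies
"""
WEAK_SQLNET_ORA = "TCP.VALIDNODE_CHECKING = NO\n"

def parse_params(text):
    """Parse name=value lines into a dict keyed by lower-cased parameter name."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip().lower()
        if name.startswith("*."):              # pfiles created from an spfile use "*.name"
            name = name[2:]
        params[name] = value.strip().strip("'\"()").strip()
    return params

def audit(init_ora, sqlnet_ora=""):
    """Return a list of findings; empty when remote OS authentication is off."""
    db = {**DEFAULTS, **parse_params(init_ora)}
    net = parse_params(sqlnet_ora)
    if db["remote_os_authent"].upper() != "TRUE":
        return []
    findings = ["REMOTE_OS_AUTHENT=TRUE: the server trusts the OS username "
                "reported by any client that can reach the listener"]
    if db["os_authent_prefix"].upper() == "OPS$":
        findings.append("OS_AUTHENT_PREFIX is the default OPS$ (explicit or implied)")
    if net.get("tcp.validnode_checking", "NO").upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES: no IP filtering in sqlnet.ora")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_INIT_ORA, WEAK_SQLNET_ORA):
        print("FINDING:", finding)
```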