I think it is possible to use this mechanism only if Oracle is on a Windows platform. Am I right?
On Microsoft Windows, Kerberos is the authentication protocol generally leveraged to allow clients to connect to the Oracle database using OS credentials. To implement this, you need to add this line to your sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES=(NTS)

Once that is accomplished, you can authorize external roles through the 'OS_ROLES' switch, which can be very handy but requires close cooperation between your DBAs and System Administrators for effective user management.
In Linux, local OS authentication is enabled by default, and is widely used for administration purposes. Remote authentication, on the other hand, is rarely used as it opens up a considerable vulnerability, and is very risky.
To set up Oracle remote authentication on Linux, you would need to set the REMOTE_OS_AUTHENT parameter to true, identify the user externally, and prefix the username with the OS_AUTHENT_PREFIX (which I believe may be why you are seeing that error). While you can mitigate some of the risk of implementing this through solid listener configuration and IP filtering, this type of remote authentication is something I strongly suggest avoiding.
If you definitely need to utilize this type of authentication, it is EXTREMELY important to NOT use the default OS_AUTHENT_PREFIX of OPS$. In most configurations, allowing remote authentication will allow ANY client able to connect to the database server to login as any user so long as the OS username matches the Oracle username.
Obtaining the 'keys to the kingdom' can be as easy as putting a Linux image, containing a user named 'SYSTEM', on a USB stick. Changing the OS_AUTHENT_PREFIX does reduce risk, but it is security through obscurity, which rarely deters the motivated.

Have a question for Brian Fedorko? Send an e-mail to firstname.lastname@example.org
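The settings the answer discusses, as an added worked example that is not part of the original answer: first an audit query to see whether remote OS authentication is on and which accounts depend on it, then the risky combination (REMOTE_OS_AUTHENT=TRUE with the default OPS$ prefix) shown commented out next to the local-only configuration with a non-default prefix. The OS user name "appuser" and the prefix "x_" are assumptions for illustration.

```sql
-- Added example, not code from the original answer. Assumes an Oracle
-- instance on Linux and an OS account "appuser" on the database host
-- (placeholder names). Run as a DBA in SQL*Plus.

-- 1. Audit: is remote OS authentication enabled, what prefix is in use,
--    and which accounts are identified externally (i.e. trust the OS user)?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix', 'os_roles');

SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';

-- 2. The configuration the answer warns against, shown only so it can be
--    recognised. With remote_os_authent=TRUE and the default prefix, any
--    client that can reach the listener and whose OS user is named SYSTEM
--    can connect as OPS$SYSTEM without a password.
-- ALTER SYSTEM SET remote_os_authent = TRUE SCOPE=SPFILE;   -- do NOT do this
-- CREATE USER ops$appuser IDENTIFIED EXTERNALLY;             -- default OPS$ prefix

-- 3. Local-only OS authentication: leave remote_os_authent FALSE (the
--    default), use a non-default prefix, and identify the user externally.
--    Both parameters are static, so the instance must be restarted.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE=SPFILE;
ALTER SYSTEM SET os_authent_prefix = 'x_'  SCOPE=SPFILE;
-- (restart the instance here)

-- Oracle upper-cases the name; OS user "appuser" maps to X_APPUSER.
CREATE USER x_appuser IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO x_appuser;

-- From a shell on the database server, logged in as OS user appuser,
-- "sqlplus /" now connects as X_APPUSER with no password. The same
-- "sqlplus /@remote_service" from another host is refused because
-- remote_os_authent is FALSE, which is the behaviour you want.
```

Re-run the audit queries after the restart: REMOTE_OS_AUTHENT should read FALSE and the only EXTERNAL accounts listed should be the ones you deliberately created with the new prefix.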
This was first published in December 2009