I have an Oracle Database 10.2.0.4 on Linux RH5.3. I am trying to have an Oracle user identified externally and os_roles=true working. I always receive the following error:

ORA-01045: user  lacks CREATE SESSION privilege; logon denied

I think it is possible to use this mechanism only if Oracle is on a Windows platform. Am I right?


With Oracle, you can enable authentication through operating system credentials in both Windows and Linux. When using OS authentication, keep in mind that your database can only be as secure as the underlying OS.

On Microsoft Windows, Kerberos is the authentication protocol generally leveraged to allow clients to connect to the Oracle database using OS credentials. To implement this, you need to add this line to your sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES=(NTS)

Once that is accomplished, you can authorize external roles through the 'OS_ROLES' switch, which can be very handy but requires close cooperation between your DBAs and System Administrators for effective user management.

In Linux, local OS authentication is enabled by default, and is widely used for administration purposes. Remote authentication, on the other hand, is rarely used as it opens up a considerable vulnerability, and is very risky.

To set up Oracle remote authentication on Linux, you would need to set the REMOTE_OS_AUTHENT parameter to true, identify the user externally, and prefix the username with the OS_AUTHENT_PREFIX (which I believe may be why you are seeing that error). While you can mitigate some of the risk of implementing this through solid listener configuration and IP filtering, this type of remote authentication is something I strongly suggest avoiding.

If you definitely need to utilize this type of authentication, it is EXTREMELY important to NOT use the default OS_AUTHENT_PREFIX of OPS$. In most configurations, allowing remote authentication will allow ANY client able to connect to the database server to login as any user so long as the OS username matches the Oracle username.

Obtaining the 'keys to the kingdom' can be as easy as putting a Linux image, containing a user named 'SYSTEM', on a USB stick. Changing the OS_AUTHENT_PREFIX does reduce risk, but it is security through obscurity, which rarely deters the motivated.

Have a question for Brian Fedorko? Send an e-mail to editor@searchoracle.com
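The checks and the hardened setup the answer above describes, as an added SQL*Plus example that is not part of Brian Fedorko's answer. It assumes a 10.2 instance with SID orcl, a constructed prefix XAUTH_ and a constructed OS account appuser; run it as SYSDBA.

```sql
-- Added example, not from the original answer. Names below are constructed.

-- 1. Review the instance parameters that govern OS authentication.
--    remote_os_authent = TRUE is the risky setting the answer warns about,
--    os_authent_prefix = 'OPS$' is the default it says not to keep, and
--    os_roles = TRUE hands non-default role grants to the OS.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix', 'os_roles');

-- 2. List every externally identified account. In 10g these show
--    PASSWORD = 'EXTERNAL'. Oracle maps an OS login to prefix || OS_USER
--    (upper case), so any account whose name does not start with the
--    current prefix will never be matched at logon.
SELECT username, password, account_status
  FROM dba_users
 WHERE password = 'EXTERNAL';

-- 3. Hardened settings: keep remote OS authentication off and replace the
--    default prefix. Both parameters are static, so they take effect only
--    after the instance is restarted.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET os_authent_prefix = 'XAUTH_' SCOPE = SPFILE;  -- constructed prefix
-- (shutdown immediate / startup here)

-- 4. Create the externally identified user for OS account "appuser".
--    IDENTIFIED EXTERNALLY only replaces the password check; the account
--    still needs CREATE SESSION, which is exactly what ORA-01045 reports
--    when it is missing.
CREATE USER xauth_appuser IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO xauth_appuser;

-- 5. With os_roles = TRUE, roles come from OS group membership named
--    ora_<sid>_<role>[_d][_a] rather than from GRANT, so confirm the group
--    exists on the server before testing, e.g. from a shell:
--    $ getent group ora_orcl_dba
-- Then test from the OS account:  sqlplus /
```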


This was first published in December 2009
