How to enable remote Oracle OS authentication with OS_AUTHENT_PREFIX

Oracle expert Brian Fedorko explains how to enable remote Oracle OS authentication in Windows and Linux, including why you might receive the ORA-01045 error when trying to have an Oracle user identified externally.

I have an Oracle Database on Linux RH5.3. I am trying to have an Oracle user identified externally and os_roles=true working. I always receive the following error:

ORA-01045: user  lacks CREATE SESSION privilege; logon denied

I think it is possible to use this mechanism only if Oracle is on a Windows platform. Am I right?

With Oracle, you can enable authentication through operating system credentials in both Windows and Linux. When using OS authentication, keep in mind that your database can only be as secure as the underlying OS.

On Microsoft Windows, Kerberos is the authentication protocol generally leveraged to allow clients to connect to the Oracle database using OS credentials. To implement this, you need to add this line to your sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES=(NTS)

Once that is accomplished, you can authorize external roles through the 'OS_ROLES' switch, which can be very handy but requires close cooperation between your DBAs and System Administrators for effective user management.

In Linux, local OS authentication is enabled by default, and is widely used for administration purposes. Remote authentication, on the other hand, is rarely used as it opens up a considerable vulnerability, and is very risky.

To set up Oracle remote authentication on Linux, you would need to set the REMOTE_OS_AUTHENT parameter to true, identify the user externally, and prefix the username with the OS_AUTHENT_PREFIX (which I believe may be why you are seeing that error). While you can mitigate some of the risk of implementing this through solid listener configuration and IP filtering, this type of remote authentication is something I strongly suggest avoiding.

If you definitely need to utilize this type of authentication, it is EXTREMELY important to NOT use the default OS_AUTHENT_PREFIX of OPS$. In most configurations, allowing remote authentication will allow ANY client able to connect to the database server to log in as any user so long as the OS username matches the Oracle username.

Obtaining the 'keys to the kingdom' can be as easy as putting a Linux image, containing a user named 'SYSTEM', on a USB stick. Changing the OS_AUTHENT_PREFIX does reduce risk, but it is security through obscurity, which rarely deters the motivated.
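As an added example (not part of Brian's answer), the SQL side of the Linux setup he describes, showing the naming rule that produces the questioner's ORA-01045 and a query to check it. It assumes a constructed Linux OS user named "appuser", a constructed non-default prefix "RMT$", and an 11g or later database for the AUTHENTICATION_TYPE column.

```sql
-- Example only: OS user "appuser" and prefix "RMT$" are constructed for illustration.

-- 0. Both parameters are static; change them in the spfile and restart the instance.
--    Never leave OS_AUTHENT_PREFIX at the default OPS$ when REMOTE_OS_AUTHENT is TRUE.
ALTER SYSTEM SET os_authent_prefix = 'RMT$' SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = TRUE   SCOPE = SPFILE;

-- 1. After the restart, confirm what the instance is actually running with.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent', 'os_roles');

-- 2. The database account must be named <OS_AUTHENT_PREFIX> || <OS user name>, and the
--    OS user name is upper-cased before the comparison. With the default prefix OPS$,
--    OS user "appuser" maps to OPS$APPUSER; with the prefix above it maps to RMT$APPUSER.
--    A plain APPUSER account is never matched by OS authentication.
CREATE USER "RMT$APPUSER" IDENTIFIED EXTERNALLY;

-- 3. Grant CREATE SESSION directly to the account. With OS_ROLES = TRUE the database
--    ignores roles granted through GRANT (OS group membership supplies roles instead),
--    so a CREATE SESSION that arrives only via the CONNECT role is not seen at logon and
--    the connection fails with ORA-01045 even though the account exists.
GRANT CREATE SESSION TO "RMT$APPUSER";

-- 4. Audit check: every externally identified account should carry the current prefix.
--    Any row reporting 'missing prefix' can never be reached through OS authentication
--    and is a leftover that should be dropped or converted to password authentication.
--    (On 10g, use  u.password = 'EXTERNAL'  instead of the AUTHENTICATION_TYPE filter.)
SELECT u.username,
       CASE WHEN u.username LIKE p.value || '%'
            THEN 'prefix ok'
            ELSE 'missing prefix'
       END AS status
  FROM dba_users u
 CROSS JOIN (SELECT value FROM v$parameter WHERE name = 'os_authent_prefix') p
 WHERE u.authentication_type = 'EXTERNAL'
 ORDER BY u.username;
```

Run step 4 from a privileged session after every prefix change; a prefix change does not rename existing accounts, so previously working externally identified users silently stop matching.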

Have a question for Brian Fedorko? Send an e-mail to [email protected]
