Question: I'm considering using remote
OS authentication but I hear that it can be risky. Also, I hear that
the remote_os_authent parameter has been deprecated in Oracle 11g.
What are the guidelines for using remote_os_authent?
Answer: Yes, allowing the OS to control OS
authentication can be very risky, but it's safe in a closed-in environment
(no internet ports), and where the OS systems administrators understand how
to lock-down their servers. I've seen cases where remote shell (rsh)
is enabled and a hacker gains access to one server, only to have rsh access
to hundreds of other server, and full access to the Oracle instances on
those servers.
Formerly called ops$, remote OS authentication required
careful planning, see my
remote
access best practices guidelines.
However, because of the high
risks, and possibilities for an inexperienced DBA to inadvertently expose
their database, the remote_os_authent parameter
has been deprecated in Oracle 11g, and a safer method is used.
See Metalink note: 456001.1 for workarounds
and details.
In 11g and beyond, the default has been changed
for os_authent_prefix from ops$ to null, and
os_authent_prefix should be set to null to prevent confusion.
Many novice DBA's don't understand that ops$fred is the same as an
OS user named fred.
Also, see these important
notes on
OS authentication in 11g with the deprecation of remote_os_authent.
Remote OS authentication before Oracle 11g
If you are sure that your OS environment is secured,
you can enable remote access by setting remote_os_authent=true,
which means that Oracle will authenticate remote connections using the
os_authent_prefix.
This will allow remote users to connect to the Oracle
database without supplying a password. See
this page for complete details on enabling remote OS authentication on
UNIX and Windows servers.
Understanding the security holes in external
authentication
For an example of the security exposures with remote OS
authentication, assume a database named DB1 is on a server named Server1 and
the client machine is named PC1. The DB1 database is defined to allow
the "SCOTT" user external OS authentication:
alter system set remote_os_authent=true,
scope=spfile;
alter system set
remote_authent_prefix=ops$
create user ops$scott identified externally;
grant dba to
ops$scott;
However, note that the user SCOTT is a PC user ID, and
NOT an OS user on the database server.
However, when the user connects to the database
without a user ID and password, his OS user ID (SCOTT) is used, and checked
in the data dictionary
sqlplus /@db1
In this case, the connection is accepted if the
remote_os_authent parameter is TRUE, otherwise it is rejected.
To disable this remote OS authentication feature, place
the following lines in the iit.ora of spfile:
os_authent_prefix =
""
remote_os_authent = FALSE