Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 







remote_os_authent tips

Oracle Database Tips by Donald BurlesonAugust 15, 2015

Question:  I'm considering using remote OS authentication but I hear that it can be risky.  Also, I hear that the remote_os_authent parameter has been deprecated in Oracle 11g.  What are the guidelines for using remote_os_authent?

Answer:  Yes, allowing the OS to control OS authentication can be very risky, but it's safe in a closed-in environment (no internet ports), and where the OS systems administrators understand how to lock-down their servers.  I've seen cases where remote shell (rsh) is enabled and a hacker gains access to one server, only to have rsh access to hundreds of other server, and full access to the Oracle instances on those servers. 

Formerly called ops$, remote OS authentication required careful planning, see my remote access best practices guidelines.

However, because of the high risks, and possibilities for an inexperienced DBA to inadvertently expose their database, the remote_os_authent parameter has been deprecated in Oracle 11g, and a safer method is used. 

Metalink note: 456001.1 for workarounds and details.
In 11g and beyond, the default has been changed for os_authent_prefix from ops$ to null, and os_authent_prefix should be set to null to prevent confusion.  Many novice DBA's don't understand that ops$fred is the same as an OS user named fred.

Also, see these important notes on OS authentication in 11g with the deprecation of remote_os_authent.

Remote OS authentication before Oracle 11g

If you are sure that your OS environment is secured, you can enable remote access by setting remote_os_authent=true, which means that Oracle will authenticate remote connections using the os_authent_prefix.  

This will allow remote users to connect to the Oracle database without supplying a password. See this page for complete details on enabling remote OS authentication on UNIX and Windows servers.

Understanding the security holes in external authentication

For an example of the security exposures with remote OS authentication, assume a database named DB1 is on a server named Server1 and the client machine is named PC1.  The DB1 database is defined to allow the "SCOTT" user external OS authentication:

alter system set remote_os_authent=true, scope=spfile;
alter system set remote_authent_prefix=ops$
create user ops$scott identified externally;
grant dba to ops$scott;

However, note that the user SCOTT is a PC user ID, and NOT an OS user on the database server.

However, when the user connects to the database without a user ID and password, his OS user ID (SCOTT) is used, and checked in the data dictionary

sqlplus /@db1

In this case, the connection is accepted if the remote_os_authent parameter is TRUE, otherwise it is rejected.

To disable this remote OS authentication feature, place the following lines in the iit.ora of spfile:

os_authent_prefix = ""
remote_os_authent = FALSE



Oracle Training at Sea
oracle dba poster

Follow us on Twitter 
Oracle performance tuning software 
Oracle Linux poster


Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.