Wednesday, January 04, 2012

remote_os_authent

The Oracle RDBMS used to have a parameter called remote_os_authent. It specified whether a client could connect to an instance over the network using OS authentication, that is, on the strength of its operating system user name alone. Its default is FALSE. Setting it to TRUE was a security risk, especially if you used OS authentication for database users which had the DBA role. For example, you might have an externally identified user in your database called ORACLE and grant the DBA role to that user. A malicious user with admin rights on any remote machine that could reach the listener could create a user called oracle on that machine and use it to connect to your database as an administrator without providing a password. (The mapping from OS user to database user goes through os_authent_prefix; its default is OPS$, so the externally identified user would normally be called OPS$ORACLE. The example below evidently has the prefix set to an empty string, which is why the OS user oracle maps to the database user ORACLE.) In version 11, Oracle deprecated this parameter but retained it (for now) for backward compatibility. The example below illustrates this. I ran it on a UNIX server as a UNIX user called oracle. First I connected to the database as SYS and set remote_os_authent to TRUE in the server parameter file:
 
SQL> conn / as sysdba
Connected.
SQL> alter system set
  2  remote_os_authent = true
  3  scope = spfile
  4  /
 
System altered.
 
SQL>
 
Then I bounced the database. The Oracle RDBMS displayed a warning (ORA-32004) when it saw the deprecated parameter, but the instance still started and honoured the setting:
 
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORA-32004: obsolete and/or deprecated parameter(s) specified
ORACLE instance started.
 
Total System Global Area  158703616 bytes
Fixed Size                  2086736 bytes
Variable Size              83888304 bytes
Database Buffers           67108864 bytes
Redo Buffers                5619712 bytes
Database mounted.
Database opened.
SQL>
 
I reconnected to the database remotely, that is, through the listener using the TNS alias test11 (a network connection counts as remote even when it is made from the server itself), and reset remote_os_authent in the server parameter file so that it would revert to its default of FALSE at the next startup:
 
SQL> conn /@test11
Connected.
SQL> show user
USER is "ORACLE"
SQL> alter system reset remote_os_authent
  2  scope = spfile
  3  /
 
System altered.
 
SQL>
 
Then I bounced the database again. This time there was no error message:
 
SQL> conn / as sysdba
Connected.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
 
Total System Global Area  158703616 bytes
Fixed Size                  2086736 bytes
Variable Size              88082608 bytes
Database Buffers           62914560 bytes
Redo Buffers                5619712 bytes
Database mounted.
Database opened.
SQL>
 
With remote_os_authent back at its default of FALSE, the remote OS-authenticated connection no longer worked, while the local bequeath connection (conn / as sysdba) was unaffected, since that parameter only governs connections made over the network:
 
SQL> conn /@test11
ERROR:
ORA-01017: invalid username/password; logon denied
 
Warning: You are no longer connected to ORACLE.
SQL>
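The session above shows the two settings one at a time. As an added example (my own audit script, not part of the original post), the following SQL*Plus script checks both the in-memory and the spfile value of remote_os_authent and os_authent_prefix, lists every externally identified account together with any DBA role it holds, and then applies the same reset the post uses. It assumes you are connected as SYSDBA and that the data dictionary views DBA_USERS, DBA_ROLE_PRIVS, V$PARAMETER and V$SPPARAMETER are available; the AUTHENTICATION_TYPE column of DBA_USERS exists from 11g onwards (on 10g use PASSWORD = 'EXTERNAL' instead).

```sql
-- Added audit script; not from the original post. Run as SYSDBA in SQL*Plus.
-- Assumes DBA_USERS, DBA_ROLE_PRIVS, V$PARAMETER and V$SPPARAMETER are readable.
SET LINESIZE 120
COLUMN name     FORMAT a20
COLUMN value    FORMAT a12
COLUMN username FORMAT a20

-- 1. Current (in-memory) values and whether they are still at their defaults.
--    remote_os_authent should be FALSE; os_authent_prefix decides which
--    database user an OS name maps to (default prefix OPS$).
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Values stored in the spfile for the next startup. A row for
--    remote_os_authent here means someone set it explicitly, as in the post.
SELECT name, value
  FROM v$spparameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix')
   AND value IS NOT NULL;

-- 3. Every externally identified account and any DBA role granted to it.
--    Each row with GRANTED_ROLE = DBA is an account an attacker can
--    impersonate from a remote host while remote_os_authent is TRUE.
--    (10g has no AUTHENTICATION_TYPE column; use u.password = 'EXTERNAL'.)
SELECT u.username,
       r.granted_role
  FROM dba_users u
  LEFT JOIN dba_role_privs r
    ON r.grantee = u.username
   AND r.granted_role = 'DBA'
 WHERE u.authentication_type = 'EXTERNAL'
 ORDER BY u.username;

-- 4. Remediation, in the same form the post uses: remove the explicit
--    setting from the spfile so the default (FALSE) applies after a bounce.
ALTER SYSTEM RESET remote_os_authent SCOPE = SPFILE;
-- Then SHUTDOWN IMMEDIATE and STARTUP, exactly as shown above.
```

The reset only takes effect after the instance is restarted, so step 1 will still report TRUE until the bounce; step 2 is what tells you the stored value is gone. Step 3 is worth running even when remote_os_authent is already FALSE, because an externally identified DBA account is still only as strong as local OS account control on the database server.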
