General
cancel
Showing results for 
Search instead for 
Did you mean: 

Pros and Cons for using Oracle OS authentication !

Chris Fung
Frequent Advisor

Pros and Cons for using Oracle OS authentication !

Hi there,

I am thinking to implement the OS authentication in our Oracle 8.1.7 database so as to minimize the effort for maintaining sql scripts with password hardcoded.

Any idea on the pros and cons for this approach ?

Any constraints and other issues may araise (e.g. security).

Appreciated for your advice.

Cheers,

Chris
6 REPLIES
Karthik S S
Honored Contributor

Re: Pros and Cons for using Oracle OS authentication !

This link might help you,

http://dbforums.com/arch/4/2002/4/340338

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Steven E. Protter
Exalted Contributor

Re: Pros and Cons for using Oracle OS authentication !

Long term thats where we want to go,for the same reasons you do.

If your system is trusted and enforces password rules, its a good thing to do.

Long term, we hope to authenticate with LDAP so the network login grants privledges even within our oracle applications.

If OS security is bad though, oracle security is worse. It requires vigilance.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sanjay Kumar Suri
Honored Contributor

Re: Pros and Cons for using Oracle OS authentication !

Some of the advantages of Operating System Authentication:
1. Works well with users that are familiar with UNIX.
2. Login is easy in UNIX by using the forward slash "/".
3. Users do not have to remember their UNIX operating system login and password and their Oracle login and password.

Some of the disadvantages of Operating System Authentication;

1. The hosts machine command prompt has to be made available for users to connect to the UNIX operating system and to the Oracle
database. In production environments for applications this may be difficult to manage.

2. In a development environment Operating System Authentication may be fine requiring the host machine command prompt to connect to the Oracle 9i database.

Refer following link as well:

http://www.dougwentz.com/ReviewOracle9iDatabaseAdminI/UserAuthentication.pdf

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Yogeeraj_1
Honored Contributor

Re: Pros and Cons for using Oracle OS authentication !

hi,

to add to the above replies..

I would adopt another option which is to write the batch applications in PLSQL or Java and have them run as jobs in the database directly. You would log in as the user who should run the batches and use DBMS_JOB to run these processes on a recurring basis.

Since they run IN the database, BY the database -- there is no authentication taking place at runtime -- we use the user of the person who submitted the job in the first place when we goto run these jobs. This would be by far the most secure and failsafe - the jobs will only run if and when the database is
available and there are NO authentication worries....

Hope this helps too!

regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
Volker Borowski
Honored Contributor

Re: Pros and Cons for using Oracle OS authentication !

Hi,

as far as I know, the "identified externaly" is rather insecure. Check here
http://www.orafaq.com/faqdbase.htm
and search OPS$.

Just click in any linux notebook to a network where you expect a database to be found. Create user on notebook as needed and set up tnsnames.ora !
sqlplus to the database with an external identified user and you will be in.

Volker

Brian Crabtree
Honored Contributor

Re: Pros and Cons for using Oracle OS authentication !

Volker,

This is only if you set REMOTE_OS_AUTHENT=TRUE, which allows the remote system to define the authenication of a user. This is a known security problem, but not a bug or hole since it is sometimes required by applications.

Chris,

We use the an OS authenticated user for all of our monitoring scripts as well. The only other way is to hardcode a known password on the system, which is much worse than using os authentication.

Thanks,

Brian