Help - remote OS authentication.

Post by padmagod.. » Sat, 10 Feb 2001 04:10:01



I need help with Remote OS authentication. Oracle allows a user from
any machine to log into the database if I have created the
user 'identified externally' and set the remote OS authentication
parameter. My question is: 'Is it possible to restrict the user to log
into the database only if he is coming from certain hosts?' To explain
the problem even more, I will give you a specific example:

I have an application server & a database server on 2 different unix
machines (my production boxes). I have a unix user 'XXX' set up on my
application server. I have set up an OPS$ a/c for this user on the
database. I will be able to log in to the database without a password
using the application server unix user id and password. I want this feature
to be there.

What I don't want is that if I have the same user 'XXX' on my
development application server, I don't want him to be able to log into
my production database.  Is this possible in Oracle by setting up some
parameters in Listener.ora (Checking where the connection is coming
from...) or should I use 'Oracle Advanced Networking' option?

I would really appreciate any help.

Thanks
Padma

Sent via Deja.com
http://www.deja.com/

Help - remote OS authentication.

Post by Joe Kazimierczy » Sat, 10 Feb 2001 21:45:36


With 8i, you might check the client's hostname or ip address
in a logon trigger, then decide whether to let it pass, or
abort the logon.  (Never actually tried it myself, so I
offer no guarantee).

> I need help with Remote OS authentication. Oracle allows a user from
> any machine to log into the database if I have created the
> user 'identified externally' and set the remote OS authentication
> parameter. My question is: 'Is it possible to restrict the user to log
> into the database only if he is coming from certain hosts?' To explain
> the problem even more, I will give you a specific example:

> I have an application server & a database server on 2 different unix
> machines (my production boxes). I have a unix user 'XXX' set up on my
> application server. I have set up an OPS$ a/c for this user on the
> database. I will be able to log in to the database without a password
> using the application server unix user id and password. I want this feature
> to be there.

> What I don't want is that if I have the same user 'XXX' on my
> development application server, I don't want him to be able to log into
> my production database.  Is this possible in Oracle by setting up some
> parameters in Listener.ora (Checking where the connection is coming
> from...) or should I use 'Oracle Advanced Networking' option?

> I would really appreciate any help.

> Thanks
> Padma

Help - remote OS authentication.

Post by Mark D Powel » Sat, 10 Feb 2001 23:31:52




> With 8i, you might check the client's hostname or ip address
> in a logon trigger, then decide whether to let it pass, or
> abort the logon.  (Never actually tried it myself, so I
> offer no guarantee).


> > I need help with Remote OS authentication. Oracle allows a user from
> > any machine to log into the database if I have created the
> > user 'identified externally' and set the remote OS authentication
> > parameter. My question is: 'Is it possible to restrict the user to log
> > into the database only if he is coming from certain hosts?' To explain
> > the problem even more, I will give you a specific example:

> > I have an application server & a database server on 2 different unix
> > machines (my production boxes). I have a unix user 'XXX' set up on my
> > application server. I have set up an OPS$ a/c for this user on the
> > database. I will be able to log in to the database without a password
> > using the application server unix user id and password. I want this feature
> > to be there.

> > What I don't want is that if I have the same user 'XXX' on my
> > development application server, I don't want him to be able to log into
> > my production database. Is this possible in Oracle by setting up some
> > parameters in Listener.ora (checking where the connection is coming
> > from...) or should I use the 'Oracle Advanced Networking' option?

> > I would really appreciate any help.

> > Thanks
> > Padma

Padma, Joe gave you the same solution I was going to suggest except I
was going to say to create a database signon trigger and check the
machine column of v$session.

Also I recommend setting the external logon prefix to null. It both
shortens the userid column for reporting and makes for cleaner
reporting in queries and auditing.

The use of remote external logins without the use of a single sign-on
product creates a security hole in your system, as anyone who has
control of their desktop, has Oracle client software, and knows the
network address and SID of your database can create a connection using
any valid external id that they obtain. Creating a trigger that
restricts the access to specific machines (or network addresses) would
be a good feature to add.

--
Mark D. Powell  -- The only advice that counts is the advice that
 you follow so follow your own advice --


Help - remote OS authentication.

Post by Howard J. Roger » Sun, 11 Feb 2001 00:09:57



> I need help with Remote OS authentication. Oracle allows a user from
> any machine to log into the database if I have created the
> user 'identified externally' and set the remote OS authentication
> parameter. My question is: 'Is it possible to restrict the user to log
> into the database only if he is coming from certain hosts?' To explain
> the problem even more, I will give you a specific example:

> I have an application server & a database server on 2 different unix
> machines (my production boxes). I have a unix user 'XXX' set up on my
> application server. I have set up an OPS$ a/c for this user on the
> database. I will be able to log in to the database without a password
> using the application server unix user id and password. I want this feature
> to be there.

> What I don't want is that if I have the same user 'XXX' on my
> development application server, I don't want him to be able to log into
> my production database.  Is this possible in Oracle by setting up some
> parameters in Listener.ora (Checking where the connection is coming
> from...) or should I use 'Oracle Advanced Networking' option?

> I would really appreciate any help.

Perfectly possible using fine-grained access - a feature of Oracle 8i only.

Regards
HJR


> Thanks
> Padma

Help - remote OS authentication.

Post by Howard J. Roger » Sun, 11 Feb 2001 00:12:26


In 8i, there's precisely no need to go to all this hassle. Fine-grained
access control - specifically, the use of SYS_CONTEXT - allows you to check for
IP address, subnet mask and God knows what else to do the job within the
kernel.

Regards
HJR





> > With 8i, you might check the client's hostname or ip address
> > in a logon trigger, then decide whether to let it pass, or
> > abort the logon.  (Never actually tried it myself, so I
> > offer no guarantee).


> > > I need help with Remote OS authentication. Oracle allows a user from
> > > any machine to log into the database if I have created the
> > > user 'identified externally' and set the remote OS authentication
> > > parameter. My question is: 'Is it possible to restrict the user to log
> > > into the database only if he is coming from certain hosts?' To explain
> > > the problem even more, I will give you a specific example:

> > > I have an application server & a database server on 2 different unix
> > > machines (my production boxes). I have a unix user 'XXX' set up on my
> > > application server. I have set up an OPS$ a/c for this user on the
> > > database. I will be able to log in to the database without a password
> > > using the application server unix user id and password. I want this feature
> > > to be there.

> > > What I don't want is that if I have the same user 'XXX' on my
> > > development application server, I don't want him to be able to log into
> > > my production database. Is this possible in Oracle by setting up some
> > > parameters in Listener.ora (checking where the connection is coming
> > > from...) or should I use the 'Oracle Advanced Networking' option?

> > > I would really appreciate any help.

> > > Thanks
> > > Padma

> Padma, Joe gave you the same solution I was going to suggest except I
> was going to say to create a database signon trigger and check the
> machine column of v$session.

> Also I recommend setting the external logon prefix to null. It both
> shortens the userid column for reporting and makes for cleaner
> reporting in queries and auditing.

> The use of remote external logins without the use of a single sign-on
> product creates a security hole in your system, as anyone who has
> control of their desktop, has Oracle client software, and knows the
> network address and SID of your database can create a connection using
> any valid external id that they obtain. Creating a trigger that
> restricts the access to specific machines (or network addresses) would
> be a good feature to add.

> --
> Mark D. Powell  -- The only advice that counts is the advice that
>  you follow so follow your own advice --


Help - remote OS authentication.

Post by Joe Kazimierczy » Tue, 13 Feb 2001 21:43:16


> Padma, Joe gave you the same solution I was going to suggest except I
> was going to say to create a database signon trigger and check the
> machine column of v$session.

In addition to v$session.machine (v7 and v8), in version 8 you can
"select SYS_CONTEXT('USERENV', 'IP_ADDRESS') from dual".
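Pulling the three suggestions in this thread together (Joe's logon trigger, Mark's check of where the session comes from, Howard's SYS_CONTEXT lookup), here is an added example of an AFTER LOGON trigger; it is not code from any poster, and the table name, trigger name and sample address are assumptions. It keys the decision on USERENV IP_ADDRESS rather than on v$session.machine or USERENV HOST, because the machine/host value is reported by the client software while IP_ADDRESS is the address of the connection the server actually accepted.

```sql
-- Added example, not code from the thread. Names (ext_auth_allowed_hosts,
-- restrict_external_logon) and the sample address 10.0.0.5 are assumptions.
-- One row per (database user, client address). Only users that appear in
-- this table are restricted at all; everyone else logs on as before.
CREATE TABLE ext_auth_allowed_hosts (
  username  VARCHAR2(30) NOT NULL,  -- 'OPS$XXX', or just 'XXX' once os_authent_prefix = ""
  client_ip VARCHAR2(45) NOT NULL,  -- address as reported by SYS_CONTEXT('USERENV','IP_ADDRESS')
  CONSTRAINT ext_auth_allowed_hosts_pk PRIMARY KEY (username, client_ip)
);

-- Constructed sample: the production application server is the only permitted source.
INSERT INTO ext_auth_allowed_hosts VALUES ('OPS$XXX', '10.0.0.5');
COMMIT;

CREATE OR REPLACE TRIGGER restrict_external_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user       VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip         VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_host       VARCHAR2(64) := SYS_CONTEXT('USERENV', 'HOST');
  v_restricted PLS_INTEGER;
  v_allowed    PLS_INTEGER;
BEGIN
  -- Is this account subject to host restrictions at all?
  SELECT COUNT(*) INTO v_restricted
    FROM ext_auth_allowed_hosts
   WHERE username = v_user;
  IF v_restricted = 0 THEN
    RETURN;  -- not one of the OPS$-style accounts we police
  END IF;

  -- IP_ADDRESS is NULL for local (bequeath) connections; map that to a
  -- sentinel so a local logon can be allowed explicitly by storing 'LOCAL'.
  SELECT COUNT(*) INTO v_allowed
    FROM ext_auth_allowed_hosts
   WHERE username  = v_user
     AND client_ip = NVL(v_ip, 'LOCAL');

  IF v_allowed = 0 THEN
    -- An unhandled error in a LOGON trigger aborts the connection for ordinary
    -- users; accounts holding ADMINISTER DATABASE TRIGGER (e.g. SYS) still get in.
    RAISE_APPLICATION_ERROR(-20001,
      'Logon for ' || v_user || ' refused from ' || NVL(v_ip, 'local')
      || ' (client host ' || NVL(v_host, 'unknown') || ')');
  END IF;
END;
/
```

If you follow Mark's advice and set os_authent_prefix to an empty string, the database account becomes plain XXX and the allowlist row must use that name instead of OPS$XXX.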
 
 
 

remote OS authentication?

If I set REMOTE_LOGIN_PASSWORDFILE to NONE, I can get the OS
Authentication and logon LOCALLY on server as "connect / as sysdba" as
long as I am in oracle dba group. Can I do the same thing remotely
from other server?

I know that if I set the password file with REMOTE_LOGIN_PASSWORDFILE

don't want to specify username/password as I am implementing some
remote scripts and I don't want to put username/password in the
script.

I am using Oracle 8.1.7EE on Sun Solaris 2.7

Thanks,
ewong
