The initialization parameter remote_os_authent controls whether remote operating system authentication is allowed.
By default, the database accepts operating system authentication only from the local server:
SQL> SELECT * FROM GLOBAL_NAME;
GLOBAL_NAME
------------------------------------------------------------------------------------
Testrac
SQL> SELECT * FROM V$VERSION;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Solaris: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
SQL> SHOW PARAMETER OS_AUTH
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix string ops$
remote_os_authent boolean FALSE
SQL> CREATE USER ops$oracle IDENTIFIED EXTERNALLY;
User has created.
SQL> GRANT CONNECT TO ops$oracle;
The authorization was successful.
SQL> HOST
$ sqlplus /
SQL*Plus: Release 10.2.0.4.0 - Production on Friday September 17 00:13:25 2010
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
SQL> SHOW USER
User is "Ops$oracle"
Once the ops$oracle user has been created, you can log in locally using operating system authentication, but a remote server cannot log in the same way:
[oracle@bjtest ~]$ sqlplus /nolog
SQL*Plus: Release 11.2.0.1.0 Production on Friday September 17 08:53:57 2010
Copyright (c) 1982, 2009, Oracle. All rights reserved.
SQL> SET SQLP 'SQL112> '
SQL112> CONN /@172.25.198.223/testrac
ERROR:
ORA-01017: invalid username/password; logon denied
If you change the remote_os_authent parameter:
SQL> EXIT
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
$ exit
SQL> ALTER SYSTEM SET remote_os_authent = TRUE SCOPE = SPFILE;
The system has changed.
SQL> SHUTDOWN IMMEDIATE
The database has been closed.
The database has been unloaded.
The Oracle routine has been closed.
SQL> STARTUP
The Oracle routine has started.
Total System Global Area 1258291200 bytes
Fixed Size 2040280 bytes
Variable Size 318774824 bytes
Database Buffers 922746880 bytes
Redo Buffers 14729216 bytes
Database loading complete.
The database is already open.
Try the operating system authentication login from the remote server again:
SQL112> CONN /@172.25.198.223/testrac
is connected.
SQL112> SELECT * FROM GLOBAL_NAME;
GLOBAL_NAME
--------------------------------------------------------------------------------
Testrac
SQL112> HOST id
uid=500(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)
Note that enabling this parameter creates a serious security risk: anyone who creates an operating system user on a remote server whose name matches an externally identified user in the database can log in to the database. Enabling this parameter is therefore not recommended unless necessary.
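One way to audit an instance for the exposure described above. This is an added example, not part of the original article. It assumes the 10.2 data dictionary, where externally identified accounts show PASSWORD = 'EXTERNAL' in DBA_USERS, and a session with SELECT access to V$PARAMETER, DBA_USERS and DBA_ROLE_PRIVS:

```sql
-- Added audit example (not from the original article).
-- Assumption: 10.2 data dictionary, as on the instance shown above.

-- 1. Current state of the parameters that govern OS authentication.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts that any remote host can log in as once
--    remote_os_authent = TRUE, with the roles each one holds.
--    In 10g an externally identified account shows PASSWORD = 'EXTERNAL';
--    from 11g on, filter on AUTHENTICATION_TYPE = 'EXTERNAL' instead.
SELECT u.username,
       u.account_status,
       r.granted_role
  FROM dba_users u
  LEFT JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.password = 'EXTERNAL'
 ORDER BY u.username, r.granted_role;

-- 3. One-row finding that combines the parameter with the account count.
SELECT CASE
         WHEN UPPER(p.value) = 'TRUE' AND x.cnt > 0
           THEN 'EXPOSED: ' || x.cnt || ' external account(s) accept remote OS logins'
         WHEN UPPER(p.value) = 'TRUE'
           THEN 'RISK: remote OS authentication enabled, no external accounts yet'
         ELSE 'OK: remote OS authentication disabled'
       END AS finding
  FROM (SELECT value FROM v$parameter WHERE name = 'remote_os_authent') p,
       (SELECT COUNT(*) AS cnt FROM dba_users WHERE password = 'EXTERNAL') x;

-- 4. Remediation, left commented out so the audit itself changes nothing.
--    As in the article, the change goes to the SPFILE and takes effect
--    after the instance is restarted.
-- ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```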