Oracle's Remote_os_authent initialization parameters

Initialization parameter remote_os_authent is used to control whether remote operating system authentication is allowed.

By default, the database runs only the operating system validation on the local server:

Sql> SELECT * from Global_name;

Global_name

------------------------------------------------------------------------------------

Testrac

Sql> SELECT * from V$version;

BANNER

----------------------------------------------------------------

Oracle database10genterpriseedition Release10.2.0.4.0-64bi

Pl/sql Release 10.2.0.4.0-production

CORE 10.2.0.4.0 Production

TNS for Solaris:version 10.2.0.4.0-production

Nlsrtl Version 10.2.0.4.0-production

Sql> Show PARAMETER Os_auth

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

Os_authent_prefix string ops$

This column more highlights: http://www.bianceng.cn/database/Oracle/

Remote_os_authent Boolean FALSE

Sql> CREATE USER ops$oracle identified externally;

User has created.

Sql> GRANT CONNECT to Ops$oracle;

The authorization was successful.

Sql> HOST

$ sqlplus/

Sql*plus:release10.2.0.4.0-production on Friday September 17 00:13:25 2010

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connect to:

Oracle database10genterprise Edition release10.2.0.4.0-64bit Production

With the partitioning, real application clusters, OLAP, Data Mining

and real Application testing options

Sql> Show USER

User is "Ops$oracle"

Once the ops$oracle user is established, the operating system authentication method can be logged locally, but the remote server cannot log on using the same method:

[Oracle@bjtest ~]$ Sqlplus/nolog

sql*plus:release11.2.0.1.0 Production on Friday September 17 08:53:57 2010

Copyright (c) 1982, 2009, Oracle. All rights reserved.

sql> SET sqlp ' sql112> '

Sql112>conn/@172.25.198.223/testrac

ERROR:

Ora-01017:invalid Username/password; Logon denied

If you modify the Remote_os_authent parameter:

Sql> EXIT

From Oracle database10genterprise Edition release10.2.0.4.0-64bit Production

With the partitioning, real application clusters, OLAP, Data Mining

and real application testing options disconnected

$ exit

sql> ALTER SYSTEM SET remote_os_authent = TRUE SCOPE = SPFILE;

The system has changed.

Sql> SHUTDOWN IMMEDIATE

The database has been closed.

The database has been unloaded.

The Oracle routine has been closed.

Sql> STARTUP

The Oracle routine has started.

Total System Global area 1258291200 bytes

Fixed Size 2040280 bytes

Variable Size 318774824 bytes

Database buffers 922746880 bytes

Redo buffers 14729216 bytes

Database loading complete.

The database is already open.

Use the remote server again to try the operating system verification login:

Sql112> CONN/@172.25.198.223/testrac

is connected.

Sql112> SELECT * from Global_name;

Global_name

--------------------------------------------------------------------------------

Testrac

Sql112> HOST ID

uid=500 (Oracle) gid=500 (oinstall) groups=500 (Oinstall), 501 (DBA)

What needs to be explained is, this parameter opens, has the very big security hidden trouble, as long as the remote server creates the user according to the external user which exists in the database, may log in to the database, therefore does not suggest to open this parameter unless necessary.