WebApp Sec mailing list archives
Re: Oracle External Users
From: bug () pehlwaan demon nl
Date: Tue, 06 Dec 2005 10:24:32 +0100
To login using external authentication try: sqlplus / at the command prompt - same for Windows and Unix. For this to work:

1) login to your OS where your OS account name must match a database account name (here I assume database initialization parameter OS_AUTHENT_PREFIX is null)
2) in the case of a database local to your server you must have ORACLE_SID set in your environment to the SID of the database
3) in the case of a remote database you must have TWO_TASK set in your environment to the SID of the database - in this case your sqlnet setup must be able to resolve TWO_TASK to a particular server and port

This won't work for ODBC and as long as your OS user matches the database user there is no further security check. Of course there are other checks and restrictions you can activate (particularly in your sqlnet config) but with a default installation external authentication is pretty lax.

Ahmed

Quoting Damien Lewis <dwlewis () comcast net>:
Hello,

I'm in the process of reviewing a list of users (DBA_USERS table) from an Oracle Database and have come across several accounts with the PASSWORD field being "EXTERNAL". It is my understanding that these accounts are authenticated by the operating system, but how exactly do you go about authenticating using this account (i.e. could I connect via SQL Plus or an ODBC connection) and is there any other control(s) within Oracle that would prevent any user from creating a user id that matches the account name in DBA_USERS table on another computer and logging in as that user to the Oracle database?

Thanks
D
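An audit sketch for the review described in this thread, added here as an example and not part of either poster's message: it lists the accounts marked EXTERNAL, the OS account name each one would match, and what those accounts are allowed to do. It assumes a data dictionary of the thread's era, where DBA_USERS.PASSWORD reads 'EXTERNAL' for these accounts; REMOTE_OS_AUTHENT is an Oracle initialization parameter that the thread does not name.

```sql
-- Added audit example (not from the original posts). Run as a user with
-- access to the DBA_* views and V$PARAMETER.

-- 1) Parameters that govern OS authentication.
--    os_authent_prefix : prefix prepended to the OS account name
--    remote_os_authent : whether OS accounts asserted by remote clients
--                        are accepted (not mentioned in the thread)
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2) Externally identified accounts and the OS account name that would
--    log in as each one. With a null prefix the two names are identical;
--    otherwise the prefix is stripped. NULL in the last column means the
--    username does not start with the prefix, so no OS account maps to it.
SELECT u.username,
       u.account_status,
       CASE
         WHEN p.value IS NULL
           OR SUBSTR(u.username, 1, LENGTH(p.value)) = UPPER(p.value)
         THEN SUBSTR(u.username, NVL(LENGTH(p.value), 0) + 1)
       END AS matching_os_account
  FROM dba_users u
 CROSS JOIN v$parameter p
 WHERE p.name = 'os_authent_prefix'
   AND u.password = 'EXTERNAL'
 ORDER BY u.username;

-- 3) Roles and system privileges held by those accounts, to rank which
--    ones matter most if the OS-level match is the only check.
SELECT u.username, 'ROLE' AS grant_type, r.granted_role AS granted
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.password = 'EXTERNAL'
UNION ALL
SELECT u.username, 'SYSTEM PRIVILEGE', s.privilege
  FROM dba_users u
  JOIN dba_sys_privs s ON s.grantee = u.username
 WHERE u.password = 'EXTERNAL'
 ORDER BY 1, 2, 3;
```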