Disabling OS Authentication - Ramifications [message #261523] Wed, 22 August 2007 23:19
Spindrift
Hi All:

I have disabled OS Authentication with the following in the sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES=(NONE)

This disallows a successful connection via "sqlplus / as sysdba".
You must type the SYS password in to get a SYSDBA connection to the Database. This keeps the box's sysadmin out of the DBA acct since they won't know the password. Like any security measure, this has ramifications:

1. You can't have auto startup scripts (dbora) that automatically start up and stop the DB upon machine power cycles.

WORKAROUND: Create a user with SYSOPER but with no CREATE SESSION privilege. Store this username & password in a protected file on the OS for your shell script to pick up.

2. You can't do scripted Data Guard administration because it needs a SYSDBA connection. Unlike the option above, I'm not comfortable storing a SYSDBA privileged password on the OS. Then what's the point of disabling OS Authentication in the first place?

Can anyone come up with a solution to the second problem?

Thanks,
Spindrift
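
The workaround in point 1 above, as an added example that is not part of the original post: a startup/shutdown helper that refuses a credential file that is a symlink, is not owned by the calling user, or is accessible to group or others, and passes the SYSOPER login to sqlplus on stdin. The function names and the two-line file layout (username, then password) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not from the thread).
# Assumed credential file layout: line 1 = username, line 2 = password.

# Succeed only if the file is a regular file (not a symlink), owned by the
# effective user, with no group/other permission bits set.
cred_file_ok() {
    f=$1
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    go_bits=$(ls -ld -- "$f" | cut -c5-10)   # e.g. "------" from -rw-------
    [ "$go_bits" = "------" ]
}

# Print the SQL*Plus commands for an allowed action; fail closed otherwise.
db_script() {
    f=$1 action=$2
    case $action in
        startup|"shutdown immediate") ;;
        *) return 2 ;;
    esac
    cred_file_ok "$f" || return 1
    { IFS= read -r user && { IFS= read -r pass || [ -n "$pass" ]; }; } < "$f" || return 1
    case $pass in *'"'*) return 1 ;; esac    # would break the quoted password
    printf 'connect %s/"%s" as sysoper\n%s\nexit\n' "$user" "$pass" "$action"
}

# Feed the commands on stdin so the password never appears in sqlplus's
# argument list (visible to other local users via ps).
db_control() {
    script=$(db_script "$1" "$2") || return
    printf '%s\n' "$script" | sqlplus -S /nolog
}
```

A dbora-style script would call `db_control /path/to/credfile startup` as the Oracle software owner; the path here is a placeholder.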
Re: Disabling OS Authentication - Ramifications [message #261593 is a reply to message #261523] Thu, 23 August 2007 01:54
Michel Cadot
This is not a solution to your problem but a couple of thoughts.

  • If you can't trust a sysadmin, fire him
  • A sysadmin can always dump the file to get the data
  • A sysadmin can always kill a process and so stop the database
  • A sysadmin can always drop data files or corrupt data

I'm not saying that what you're trying to do is useless; on the contrary, I encourage you to continue in this way. But if you have some features that require sys access (there is also RMAN in your list), don't bother too much about preventing sysadmin access.

Otherwise there are tools on the market, even freeware, that can store passwords and give them out if you satisfy some conditions (OS user, IP...).

Regards
Michel