
Page 567

CHAPTER 23

Security Management

In this chapter


User Authentication

Users must be identified and authenticated before they are allowed access to your database. Users will be identified by Oracle, but they can be authenticated in three different ways: database, external, or enterprise authentication.

Database Authentication

Database authentication is used when a user is created and a password is specified (CREATE USER ... IDENTIFIED BY password). This is a good approach for small user communities and when no additional security products are available. The other two types of authentication are selected at user creation in place of a password: IDENTIFIED EXTERNALLY for external authentication and IDENTIFIED GLOBALLY for enterprise authentication.

When a user is created, a password must be selected for the user. Applying rules to user passwords is called password management, and a company should have guidelines for passwords. A strong password is one that is not easily guessed, is longer than five characters, and is not a word found in a dictionary. If the password is in a dictionary, a computer vandal may be able to guess it with a dictionary attack, a form of brute-force attack in which the vandal takes a known userid and writes a program that tries, one after another, candidate passwords generated from a dictionary. A password also should expire after a certain length of time and should not be reused by the same user.

Oracle now provides password management when database authentication is used. This is accomplished by setting parameters on a profile and assigning that profile to a user. A profile is a database entity that specifies resource limits; when a profile is assigned to a user, those limits are enforced on the user. A profile can be created with Enterprise Manager or SQL*Plus. Resource limits must be turned on in the database for a profile's resource limits to take effect: set the RESOURCE_LIMIT parameter to TRUE in the init.ora file (or, without a restart, with ALTER SYSTEM SET RESOURCE_LIMIT = TRUE). The password limits described next are enforced whether or not RESOURCE_LIMIT is TRUE. A profile can limit the number of concurrent sessions per user, the CPU time per session, the CPU time per call, the logical reads per session, the logical reads per call, idle time, and connect time. These limits cap what any single account can consume and so blunt a denial-of-service attack in which a computer vandal tries to exhaust the server's resources through one userid.

The profile can also enforce password management rules. The following options may be selected:
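The rules from this section in working form, as an added example that is not from the book: a SYS-owned password verification function that enforces the strength rules given above (longer than five characters, not a dictionary word, not the username, a mix of letters and digits), and a profile that combines the resource limits with Oracle's password parameters. The profile name secure_users, the function name pw_verify, the tiny word list, the sample passwords and the specific limit values are assumptions; the profile parameter names and the function signature are Oracle's.

```sql
-- Added example (not from the book). Run as SYS in SQL*Plus: Oracle requires a
-- password verification function to be owned by SYS. The names secure_users
-- and pw_verify, the limit values and the word list are assumptions.

-- Resource limits in a profile are enforced only while RESOURCE_LIMIT is TRUE.
-- Put RESOURCE_LIMIT = TRUE in init.ora, or switch it on without a restart:
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Verification function. Oracle calls it with exactly this signature whenever
-- a password is set for a user whose profile names it. Raising an error
-- rejects the new password (the caller sees ORA-28003); returning TRUE accepts it.
CREATE OR REPLACE FUNCTION pw_verify
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
  RETURN BOOLEAN IS
  -- constructed, deliberately tiny word list; a real one would come from a table
  dictionary  VARCHAR2(200) := ',password,oracle,welcome,secret,manager,change_on_install,';
  has_letter  BOOLEAN := FALSE;
  has_digit   BOOLEAN := FALSE;
  ch          CHAR(1);
BEGIN
  IF LENGTH(password) <= 5 THEN
    raise_application_error(-20001, 'password must be longer than five characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'password must not be the username');
  END IF;
  -- surrounding commas make the match whole-word only
  IF INSTR(dictionary, ',' || LOWER(password) || ',') > 0 THEN
    raise_application_error(-20003, 'password is a dictionary word');
  END IF;
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF ch BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(ch) BETWEEN 'A' AND 'Z' THEN
      has_letter := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_letter AND has_digit) THEN
    raise_application_error(-20004, 'password needs both letters and digits');
  END IF;
  RETURN TRUE;
END;
/

-- One profile carrying both kinds of limit. Resource times are in minutes,
-- password times in days (1/24 is one hour).
CREATE PROFILE secure_users LIMIT
  SESSIONS_PER_USER         3
  CPU_PER_SESSION           UNLIMITED
  CPU_PER_CALL              6000         -- hundredths of a second
  LOGICAL_READS_PER_SESSION UNLIMITED
  LOGICAL_READS_PER_CALL    100000
  IDLE_TIME                 30
  CONNECT_TIME              480
  FAILED_LOGIN_ATTEMPTS     5            -- lock the account after 5 failures
  PASSWORD_LOCK_TIME        1/24         -- and keep it locked for one hour
  PASSWORD_LIFE_TIME        90           -- expire passwords every 90 days
  PASSWORD_GRACE_TIME       7            -- warn for a week before forcing the change
  PASSWORD_REUSE_MAX        10           -- 10 new passwords before one may recur
  PASSWORD_REUSE_TIME       UNLIMITED    -- in this release the other reuse limit must be UNLIMITED
  PASSWORD_VERIFY_FUNCTION  pw_verify;

-- Assign the profile to a new user and to an existing one (the text's jefferson and smith).
CREATE USER jefferson IDENTIFIED BY Tx7pqr42 PROFILE secure_users;
GRANT CREATE SESSION TO jefferson;
ALTER USER smith PROFILE secure_users;

-- A password the function rejects fails with ORA-28003 and the message raised above:
-- ALTER USER smith IDENTIFIED BY welcome;
-- After five wrong passwords the account is locked; unlock it early with:
-- ALTER USER smith ACCOUNT UNLOCK;

-- Check what the profile enforces.
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'SECURE_USERS'
 ORDER BY resource_type, resource_name;
```

The FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME pair is what actually stops the dictionary attack described above: after five wrong guesses the account locks for an hour, so the attacker's program is throttled to a handful of tries per hour instead of thousands per second.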


Using ORAPWD

The ORAPWD utility is executed at the command prompt of an operating system. Use the following steps:

  1. Create the password file using the ORAPWD utility
    ORAPWD FILE=filename PASSWORD=password ENTRIES=max_users
    

    where FILE= is the name of the password file to create, PASSWORD= is the password for the SYS (INTERNAL) account, which is what you sign on with as a DBA until other users have been granted SYSDBA or SYSOPER, and ENTRIES= is the maximum number of distinct users that can be granted SYSDBA or SYSOPER through this file.

  2. Set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to a valid value. This parameter has three valid values: NONE, SHARED, and EXCLUSIVE. NONE, the default, causes Oracle to behave as if the password file does not exist. EXCLUSIVE does the following:


The SHARED value will allow a password file to be used by multiple databases. However, the only users recognized by a SHARED password file are SYS and INTERNAL, and you cannot add users to a SHARED password file.
  3. Users can be added to the password file by using the GRANT command to assign the SYSDBA or SYSOPER privilege to the appropriate user, as long as REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. The following are examples:
    GRANT SYSDBA TO jefferson;

    GRANT SYSOPER TO smith;

NOTE
Use the REVOKE command (for example, REVOKE SYSOPER FROM smith) to remove users from the password file.

Using SYSDBA

The privilege SYSDBA permits the user to perform the same operations as OSDBA. Likewise, the privilege SYSOPER permits the user to perform the same operations as OSOPER.

Privileged users should now be able to connect to the database by using a command similar to this:

CONNECT jefferson/password@prddb.hq.com AS SYSDBA

The use of a password file does not prevent OS-authenticated users from connecting if they meet the criteria for OS authentication.

To list the password file members, query the view V$PWFILE_USERS, which shows every user that has been granted the SYSDBA or SYSOPER system privilege for the database.
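The whole procedure above, start to finish, as an added example that is not from the book. It is written as a SQL*Plus script (the ORAPWD step is run through the SQL*Plus HOST command, but it can equally be typed at the shell prompt). It assumes a UNIX host with ORACLE_HOME set, an instance named PRDDB, and the text's users jefferson and smith; the SYS password, the password file name and jefferson's password are placeholders.

```sql
-- Added example (not from the book). Assumes UNIX, ORACLE_HOME set, instance
-- PRDDB; passwords and the file name are placeholders.

-- Step 1: create the password file. ENTRIES bounds how many distinct users can
-- ever hold SYSDBA/SYSOPER through this file, so size it deliberately.
HOST orapwd FILE=$ORACLE_HOME/dbs/orapwPRDDB PASSWORD=sys_password_here ENTRIES=10

-- Step 2: in init.ora, then shut down and restart the instance (the parameter
-- is not dynamic):
--   REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE

-- Step 3: the first privileged connection uses the password given to ORAPWD.
CONNECT sys/sys_password_here AS SYSDBA
GRANT SYSDBA TO jefferson;
GRANT SYSOPER TO smith;

-- Verify the membership of the password file.
COLUMN username FORMAT A20
SELECT username, sysdba, sysoper FROM v$pwfile_users;
-- USERNAME             SYSDBA SYSOPER
-- -------------------- ------ -------
-- SYS                  TRUE   TRUE
-- JEFFERSON            TRUE   FALSE
-- SMITH                FALSE  TRUE

-- jefferson can now administer over the network. AS SYSDBA routes the login
-- through the password file instead of OS authentication, so the connection
-- works from a client that is not in the dba group on the server.
CONNECT jefferson/password@prddb.hq.com AS SYSDBA

-- Taking the privilege away also drops the user from the password file.
CONNECT sys/sys_password_here AS SYSDBA
REVOKE SYSOPER FROM smith;
SELECT username, sysdba, sysoper FROM v$pwfile_users;
```

Since anyone listed in V$PWFILE_USERS can start, stop and fully administer the database, that query belongs in a periodic review alongside the check of who is in the OS dba group.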

External Authentication

External authentication relies on an operating system or network authentication service. This places control of password management and user authentication outside of Oracle, although Oracle still identifies the user. No database password is required for this type of login. To use this option, set the OS_AUTHENT_PREFIX parameter in the database init.ora file; Oracle then authenticates externally any user whose name begins with that prefix, provided the user was created with IDENTIFIED EXTERNALLY. For example, if the value is set to ops$ and you have two users, ops$jones and smith, Oracle will not require a password from ops$jones but will require one from smith. The parameter can be set to any prefix you like and can even be set to a null string by specifying an empty pair of double quotes, in which case the database username must match the operating system username exactly. Leave the init.ora parameter REMOTE_OS_AUTHENT at its default of FALSE. Setting it to TRUE tells Oracle to trust an operating-system username supplied over a nonsecure connection, such as a PC client connecting over the network, and because that client supplies the name itself, a potential computer vandal could masquerade as any externally identified user. Keeping it FALSE restricts external authentication to users logged in to the database host.
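The ops$jones and smith arrangement described above, as an added example that is not from the book. It assumes the two init.ora settings shown in the comments (both are the defaults), a UNIX operating-system account named jones on the database host, and smith's placeholder password.

```sql
-- Added example (not from the book). Assumes a UNIX OS account "jones" on the
-- database host and these init.ora settings, both of which are the defaults:
--   OS_AUTHENT_PREFIX = ops$      -- "" would make DB and OS names match exactly
--   REMOTE_OS_AUTHENT = FALSE     -- never trust an OS name sent over the network

-- jones is identified by the operating system; Oracle stores no password for
-- the account, so there is nothing for a password guesser to attack here.
CREATE USER ops$jones IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$jones;

-- smith stays on database authentication.
CREATE USER smith IDENTIFIED BY Qm4zt9ab;
GRANT CREATE SESSION TO smith;

-- On the database host, logged in to the OS as jones, SQL*Plus connects with
-- a slash and no password; Oracle prepends the prefix and looks up OPS$JONES:
--   $ sqlplus /
-- The same attempt from a PC over the network ("sqlplus /@prddb.hq.com") is
-- refused while REMOTE_OS_AUTHENT is FALSE, which is the intended behaviour.

-- Two checks worth keeping in a review script: which accounts bypass database
-- passwords entirely, and what the running instance is actually using.
SELECT username FROM dba_users WHERE password = 'EXTERNAL';
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');
```

If the second query ever shows remote_os_authent = TRUE, every account returned by the first query can be impersonated by anyone who can create a matching local user on their own PC, so that combination should be treated as a finding.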

Network authentication is accomplished with Oracle Advanced Networking Option (ANO) and can authenticate users with the following technologies:
