Page 567
Users must be identified and authenticated before they are allowed access to your database. Users will be identified by Oracle, but they can be authenticated in three different ways: database, external, or enterprise authentication.
Database authentication is used when a user is created and a password is specified. This is a good approach for small user communities and when there are no additional security products available. The other types of authentication require the reserved word external to be used in place of the user password.
When a user is created, a password must be selected for the user. Applying rules to a user password is called password management, and a company should have guidelines for passwords. A strong password is one that is not easily guessed, is longer than five bytes, and is not a word found in the dictionary. If the password is in a dictionary, a computer vandal may be able to guess the password by using a "brute force attack." (A brute force attack is one in which a computer vandal takes a userid and writes a program that tries different passwords generated from a dictionary.) A password also should expire after a certain length of time and not be reused by the same user.
Oracle now has the capability of providing password management when using database-level authentication. This is accomplished by setting parameters on a profile and assigning that profile to a user. A profile is a database entity that specifies resource limits, and when a profile is assigned to a user, it enforces those limits on the user. A profile can be created using the Enterprise Manager or SQL*Plus. The database must have resource limits turned on in order for the profile resource limits to take effect. You do this by setting the RESOURCE_LIMIT parameter in the init.ora file to TRUE. A profile can limit the number of sessions, the CPU usage per session, the number of CPU calls, the logical reads, the logical reads per call, idle time, and connect time. The profile can prevent computer vandals from utilizing all the resources of a computer in a denial-of-service attack.
The profile can now enforce password management rules. The following rules are options you may elect to use; each one requires that a new password:
Be a minimum of four characters in length
Not equal the userid
Include at least one alpha, one numeric, and one punctuation mark
Not match any word on an internal list of simple words, such as welcome, account, database, user, and so on
Differ from the previous password by at least three characters
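The password rules just listed and the profile limits described earlier, as an added example that is not from the book: a PL/SQL verify function implementing the rules, attached to a profile. Assumed names are pwd_verify, secure_profile and jefferson; the script is run as SYS, and REGEXP_LIKE needs Oracle 10g or later.

```sql
-- Added example, not the book's code. pwd_verify, secure_profile and
-- jefferson are assumed names; REGEXP_LIKE needs Oracle 10g or later.
CREATE OR REPLACE FUNCTION pwd_verify (username     VARCHAR2,
                                       password     VARCHAR2,
                                       old_password VARCHAR2)
RETURN BOOLEAN IS
  differ INTEGER;
  -- constructed stand-in for Oracle's internal list of simple words
  simple VARCHAR2(200) := 'welcome,account,database,user,password,oracle';
BEGIN
  IF NVL(LENGTH(password), 0) < 4 THEN            -- minimum length
    raise_application_error(-20001, 'Password too short');
  END IF;
  IF UPPER(password) = UPPER(username) THEN       -- must not equal userid
    raise_application_error(-20002, 'Password equals username');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')     -- one alpha, one numeric
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')  -- and one punctuation mark
     OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
    raise_application_error(-20003, 'Need a letter, a digit and punctuation');
  END IF;
  IF INSTR(',' || simple || ',', ',' || LOWER(password) || ',') > 0 THEN
    raise_application_error(-20004, 'Password is a simple word');
  END IF;
  -- must differ from the previous password in at least three positions
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20005, 'Too similar to previous password');
    END IF;
  END IF;
  RETURN TRUE;
END;
/
-- Lock the account after three failed logins (slows brute force guessing),
-- expire passwords after 90 days, block reuse, attach the verify function.
CREATE PROFILE secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION pwd_verify;
ALTER USER jefferson PROFILE secure_profile;
```

The password limits take effect as soon as the profile is assigned; only the resource limits in a profile depend on RESOURCE_LIMIT being TRUE.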
Using ORAPWD
The ORAPWD utility is executed at the command prompt of an operating system. Use the following steps:
ORAPWD FILE=filename PASSWORD=password ENTRIES=max_users
The SHARED value will allow a password file to be used by multiple databases. However, the only users recognized by a SHARED password file are SYS and INTERNAL, and you cannot add users to a SHARED password file.
GRANT SYSDBA TO jefferson
GRANT SYSOPER TO smith
NOTE: Use the REVOKE command to remove users from the password file.
Using SYSDBA
The privilege SYSDBA permits the user to perform the same operations as OSDBA. Likewise, the privilege SYSOPER permits the user to perform the same operations as OSOPER.
Privileged users should now be able to connect to the database by using a command similar to this:
CONNECT jefferson/password@prddb.hq.com AS SYSDBA
The use of a password file does not prevent OS-authenticated users from connecting if they meet the criteria for OS authentication.
If you want to list password file members, the view V$PWFILE_USERS will show all users that have been granted SYSDBA and SYSOPER system privileges for a database.
External authentication relies on an operating system or network authentication service. This places control of password management and user authentication outside of Oracle, although Oracle will still identify the user. A database password is not required for this type of login. To use this option, set the parameter OS_AUTHENT_PREFIX in the database init.ora file. This tells Oracle that any user whose name begins with this prefix is to be authenticated externally. For example, if the value is set to ops$ and you have two users, ops$jones and smith, Oracle will not require a password from ops$jones, but will require one from smith. This parameter can be set to any prefix you like and can even be set to a null string by specifying an empty pair of double quotes. The init.ora parameter REMOTE_OS_AUTHENT must be set to true (the default is false) to enable Oracle to accept the username from a nonsecure connection; leaving it at the default of false keeps a potential computer vandal from masquerading as a valid user over such a connection.
Network authentication is accomplished with Oracle Advanced Networking Option (ANO) and can authenticate users with the following technologies: