I made an entry in my weblog on 6th November discussing a thread on the ORACLE-L list where Jared Still had pointed out a tip in the latest edition of exploring Oracle whereby the tip author suggested setting the remote_os_authent initialisation parameter to true. Jared recognised that this is not good advice and i reiterated this in my blog posting.
Jonathan Rabson who is the editor of Exploring Oracle has responded to my post as a comment in my blog. I felt as this original post was a few weeks ago and as this is an important issue it is worth promoting his comments to a blog entry to bring it to everyone who read the first posts attention. Thanks to Jonathan for posting this detailed response here.
Here is his post:
Regarding security problems involved with setting REMOTE_OS_AUTHENT to TRUE:
As the editor of Exploring Oracle, I take full responsibility for the tip that Jared has mentioned. The general concept mentioned in the tip of running a script locally (which of course doesn't require that parameter), without storing passwords, is still a sound one, and I should mention that the tip's author is an extremely experienced and gifted DBA. But I agree that the tip left a wrong impression by not supplying more context, and that's really my fault in this case. Although some third-party applications have been written in a way that requires this setting, it's important for people to understand the security risks involved, and it would have been better if we had mentioned these. I guess it just comes down to the fact that we're all human.
There are actually a number of other sources that mention how to set up remote OS authentication without mentioning the risks. For instance, look at www.dbaoncall.net/references/ht_os_auth_win.html.
At any rate, I appreciate that Jared has contacted me about this matter. The tip in question has been removed from our website (www.elementkjournals.com) so that we can cover this topic in a more complete way.
Although the December issue has already been printed, we do have a really outstanding article in the January issue by a talented security expert that will address this security problem, among others. This article will show you 20 ways to secure your database host. In addition, our March issue will cover the remote authentication problem in a more detailed manner. And, for the spring, we're lining up some really interesting security-related articles involving the 10g database.
Anyhow, I apologize if anybody has rushed out and set the REMOTE_OS_AUTHENT parameter on their production machine immediately after reading the tip. Generally, we advise that people don't run out and do something on their production machines without investigating whether the technique is appropriate for their particular circumstance. As always, feel free to contact us about any questions or comments you have about Exploring Oracle.
Thanks,
-Jonathan
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Oracle announce critical patch update schedule - beginning January 18 2005"] [Next entry: "Colin Maxwell talks about WS-Security in JWSDP 1.5"]
November 2004
- Another good paper by Howard Rogers on read-only tables - 11/01/2004 by 11/01/2004
- The 9.2.0.6 patch set is out - 11/02/2004 by 11/02/2004
- Nice four part paper on label security by Jim Czuprynski - 11/03/2004 by 11/03/2004
- Howard Rogers has a new ebook out - 11/04/2004 by 11/04/2004
- Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner - 11/05/2004 by 11/05/2004
- Post on ORACLE-L : Exploring Oracle November 2004 and REMOTE_OS_AUTHENT - 11/06/2004 by 11/06/2004
- Two great papers and tools by Tim Gorman - 11/07/2004 by 11/07/2004
- A lot of new pages on my site - 11/08/2004 by 11/08/2004
- A new Oracle default password checking tool is available - 11/09/2004 by 11/09/2004
- Small update to the default password check scripts - 11/10/2004 by 11/10/2004
- Colin Maxwell talks about securing web services using JDev and WS-Security - 11/11/2004 by 11/11/2004
- Hack notes books - 11/12/2004 by 11/12/2004
- Interesting discussion on DBMS_SUPPORT versions - 11/13/2004 by 11/13/2004
- Exploits and blog software - 11/14/2004 by 11/14/2004
- Default password lists and updates - 11/15/2004 by 11/15/2004
- 600 Oracle default usernames/passwords available - 11/16/2004 by 11/16/2004
- Two more "takes" on the Gartner / Oracle exploit information release reluctance - 11/17/2004 by 11/17/2004
- An interesting case of information disclosure - 11/18/2004 by 11/18/2004
- Three more news sites are talking about the new patch schedule - 11/19/2004 by 11/19/2004
- More news on the new patch schedule - 11/20/2004 by 11/20/2004
- Frank Nimphius talks about showing/hiding UIX components based on isUserInRole() - 11/21/2004 by 11/21/2004
- Amis blog - shows how to create a certificate and configure OC4J to use it - 11/22/2004 by 11/22/2004
- Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule - 11/23/2004 by 11/23/2004
- And still more news stories - 11/24/2004 by 11/24/2004
- Colin Maxwell talks about reducing the scope for encryption - 11/25/2004 by 11/25/2004
- James Morle's book is available as a free pdf - 11/26/2004 by 11/26/2004
- Edward Stangler talks about running catpatch - 11/27/2004 by 11/27/2004
- Looks like 9.2.0.6 is available on more platforms now - 11/28/2004 by 11/28/2004
- A good list of Oracle security check items - 11/29/2004 by 11/29/2004
- Edward Stanglers next post in the not running catpatch.sql series - 11/30/2004 by 11/30/2004
Archives
Syndication
Powered by gm-rss 2.0.0
