Remote Connection Authentication Inquiry
ahmedb72
Hi,

I have two Oracle 11g R1 databases installed on two different machines (Windows XP) connected through a network. The instance names on both machines are the same but, of course, the global names are different.

When I tried logging on from one of the machines as SYSDBA using the tnsnames naming method, the connection was established even though the password was wrong. For me, this is a serious security problem.

Any clarification is appreciated.

CODE
C:\Documents and Settings\Administrator>hostname
lab4pc8

C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 100.10.101.81
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 100.10.100.155


C:\Documents and Settings\Administrator>sqlplus /nolog

SQL*Plus: Release 11.1.0.7.0 - Production on Tue Mar 2 18:32:28 2010

Copyright (c) 1982, 2008, Oracle.  All rights reserved.

SQL> conn sys/anypassword@hanan as sysdba
Connected.
SQL> show parameter remote

NAME                                 TYPE        VALUE
------------------------------------ ----------- ---------
remote_dependencies_mode             string      TIMESTAMP
remote_listener                      string
remote_login_passwordfile            string      EXCLUSIVE
remote_os_authent                    boolean     FALSE
remote_os_roles                      boolean     FALSE
result_cache_remote_expiration       integer     0
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

C:\Documents and Settings\Administrator>tnsping hanan
TNS Ping Utility for 32-bit Windows: Version 11.1.0.7.0 - Production on 02-MAR-2010 18:52:28

Copyright (c) 1997, 2008, Oracle.  All rights reserved.

Used parameter files:
d:\oracle\product\11.1.0\db_1\network\admin\sqlnet.ora

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 100.10.100.96)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = ora11g.1lab1)))
OK (20 msec)
ahmedb72
I noticed the remote machine managed to connect to the database using OS authentication (even though the connection is insecure), but only when the logged-on OS user is Administrator. The connection will succeed even if the OS passwords of the administrators on both machines are different.

In my opinion, a very bad security hole!!
burleson
Hi Ahmed,

Sorry about the delay . . .

>> When I tried logging on from one of the machines as SYSDBA using the tnsnames naming method, the connection was established even though the password was wrong.

This sounds like you have enabled "external authentication".

Once logged-on to the OS, you can enter Oracle directly without additional authentication.

Read this: http://www.praetoriate.com/t_oracle_net_security_risks.htm
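An added set of checks, not part of this thread, that shows how a DBA can confirm the reply's diagnosis from the database side and what to change afterwards. It assumes, as the reply suggests, that the cause is Windows OS (NTS) authentication granting SYSDBA to members of the server's local ORA_DBA group; the alias "hanan" is the one from the original post.

```sql
-- Added diagnostic (not from the thread). Run it in SQL*Plus in the session
-- that was opened with "conn sys/anypassword@hanan as sysdba".

-- 1. How was this session really authenticated? A genuine password logon
--    reports PASSWORD; OS means the supplied password was never checked and
--    the client's Windows logon was trusted instead.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS auth_identity,
       SYS_CONTEXT('USERENV', 'OS_USER')                AS os_user,
       SYS_CONTEXT('USERENV', 'HOST')                   AS client_host
  FROM dual;

-- 2. The same question for every connected session, seen from the server:
--    AUTHENTICATION_TYPE = 'OS' rows whose MACHINE is not the database host
--    are exactly the remote OS-authenticated logons the post describes.
--    (DISTINCT because V$SESSION_CONNECT_INFO has several rows per session.)
SELECT DISTINCT s.sid, s.serial#, s.username, s.machine,
       c.osuser, c.authentication_type
  FROM v$session s
  JOIN v$session_connect_info c
    ON c.sid = s.sid AND c.serial# = s.serial#
 WHERE s.username IS NOT NULL
 ORDER BY c.authentication_type, s.sid;

-- 3. Who may obtain SYSDBA through the password file (the intended route,
--    since remote_login_passwordfile is EXCLUSIVE on this database), and
--    which accounts are externally identified at all.
SELECT username, sysdba, sysoper FROM v$pwfile_users;
SELECT username, authentication_type
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';

-- 4. Mitigation (server side, outside SQL): in the server's
--    %ORACLE_HOME%\network\admin\sqlnet.ora set
--        SQLNET.AUTHENTICATION_SERVICES = (NONE)
--    and take every non-DBA Windows account out of the local ORA_DBA group.
--    Afterwards a wrong password is rejected with ORA-01017 and only the
--    password-file password is accepted for SYSDBA; note that the local
--    "sqlplus / as sysdba" shortcut on the server stops working as well.
```

Step 1 run before and after the sqlnet.ora change gives a direct before/after comparison: the AUTH_METHOD column should move from OS to PASSWORD once only the password file is in play.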

