Why is OS authentication considered poor security for Oracle databases?
Problem
Oracle is deprecating OS authentication according to the Oracle Database Security Guide, which says
Be aware that the REMOTE_OS_AUTHENT parameter was deprecated in Oracle Database 11g Release 1 (11.1), and is retained only for backward compatibility.
In addition, most security information and tools consider OS (external) authentication to be a security problem. I am trying to understand why this is the case. Here are some advantages I see of OS authentication:
- Without OS Authentication applications must store passwords in a variety of applications each with their own security model and vulnerabilities.
- Domain authentication already has to be secure because if it is not then database security just slows down access to the database, but cannot prevent it.
- Users that only have to remember one domain password can be made to create more secure domain passwords more easily than they can be made to create even less secure database passwords as the number of different databases they must connect to increases.
Solution
Consider the following scenario:
- There is a Unix user named gaius on the Oracle server with external authentication, so in Oracle there is a corresponding user called ops$gaius. When logged into a shell, I can also log straight into my Oracle schema, and my cron jobs don't need a password embedded in script either.
- Remote OS authentication is permitted, on the assumption that the LAN is 100% secure and the clients can be trusted (same as rlogin/rsh used to be normally allowed)
- An attacker gets his or her laptop onto the LAN by whatever means, knows that I work there, and creates a local user on their laptop called gaius and runs SQL*Plus as that user
- Oracle sees (i.e. OSUSER in V$SESSION) is gaius and logs that remote user in as ops$gaius
That's not only laughably easy to spoof, but putting on my cynic's hat, Oracle can't make any more money selling you their fancy single sign-on product... Which by the way does fulfill all the points you raise as advantages of OS-level auth. Two passwords better than one is entirely spurious; most people will set them to be the same anyway (there's no mechanism in Oracle to prevent this).
The general principle is that it is extremely difficult to defend in software when an attacker has physical access. And never trust the client.
Context
StackExchange Database Administrators Q#299, answer score: 16
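A defender-side audit for the scenario in the answer above, as an added example that is not part of the original question or answer. It assumes a parameter file in init.ora syntax and rows exported from DBA_USERS (USERNAME, AUTHENTICATION_TYPE) and V$SESSION (USERNAME, OSUSER, MACHINE); the function names, host names and sample data are constructed for illustration.

```python
def parse_pfile(text):
    """Parse name=value lines of an init.ora-style file into a dict (names lowercased)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            # tolerate the "*." instance prefix and quoted values
            params[name.strip().lstrip("*.").lower()] = value.strip().strip("'\"")
    return params

def exposed_accounts(params, users):
    """Accounts a remote client can obtain just by asserting an OS user name."""
    if params.get("remote_os_authent", "false").lower() != "true":
        return []                                      # client-reported OS user is not trusted
    prefix = params.get("os_authent_prefix", "OPS$").upper()
    return sorted(name for name, auth in users
                  if auth == "EXTERNAL" and name.upper().startswith(prefix))

def suspicious_sessions(params, users, sessions, db_host):
    """Sessions on an exposed account that originate from a host other than the DB server."""
    exposed = set(exposed_accounts(params, users))
    return [s for s in sessions
            if s["username"] in exposed and s["machine"].lower() != db_host.lower()]

# Constructed sample data (not taken from a real system)
PFILE = """
# sample init.ora
db_name=orcl
*.remote_os_authent=TRUE   # trusts the OS user name sent by the client
os_authent_prefix='ops$'
"""
USERS = [("OPS$GAIUS", "EXTERNAL"), ("SCOTT", "PASSWORD"), ("APP_RO", "PASSWORD")]
SESSIONS = [
    {"username": "OPS$GAIUS", "osuser": "gaius", "machine": "dbhost01"},   # local shell / cron
    {"username": "OPS$GAIUS", "osuser": "gaius", "machine": "LAPTOP-X"},   # same OSUSER, other host
    {"username": "SCOTT", "osuser": "jsmith", "machine": "ws042"},         # password login
]

if __name__ == "__main__":
    params = parse_pfile(PFILE)
    print("exposed accounts:", exposed_accounts(params, USERS))
    for s in suspicious_sessions(params, USERS, SESSIONS, "dbhost01"):
        print("review session:", s["username"], "osuser", s["osuser"], "from", s["machine"])
```

Both OPS$GAIUS sessions report the same OSUSER, so only the MACHINE column separates the legitimate local login from the remote one; with REMOTE_OS_AUTHENT set to FALSE the audit reports nothing.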