2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Today we briefly analyze the authentication mechanism of Oracle. In Oracle, logging in to the database server requires authentication. There are usually two levels of verification: the operating system (OS) level and the database server's own authentication.
When logged in to the host where the database server runs, we often connect in the following way, which works even if the database instance has not been started.
SQL> conn / as sysdba
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.1.0
Connected as SYS
Without entering a user name or password, we can still log in to the DBMS. Further experiments show that even with a wrong password, the login succeeds:
SQL> conn sys/ddd@orcl as sysdba
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.1.0
Connected as SYS
However, this does not work for another form of login, one without as sysdba:
SQL> conn sys/wrongcod@orcl
Not logged on
Note: when the sys user logs in as sysdba in this way, the DBMS authentication mechanism is bypassed and the login goes straight through.
This behaviour is controlled in the sqlnet.ora file (under NETWORK\ADMIN) by the parameter SQLNET.AUTHENTICATION_SERVICES, which selects the authentication mechanism. The Oracle 11g documentation (Oracle Net Services Reference) describes this parameter as follows:
Use the parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services. If authentication has been installed, it is recommended that this parameter be set to either none or to one of the authentication methods.
According to this description, the parameter specifies which authentication services are enabled. It can be set to one of several authentication methods, including the advanced security methods; the default value is none.
The possible values fall into two levels: OS verification and Oracle Advanced Security. The OS verification level has three values:
| Value | Meaning | Remarks |
|-------|---------|---------|
| none | No authentication method is used. You can only log in with a valid user name and password | Default value; used if the parameter is not set in sqlnet.ora |
| all | All verification methods | Can be used on multiple platforms such as Windows and Linux |
| nts | Verification method specific to the Windows NT platform | Used only on Windows |
In addition, Oracle defines advanced authentication mechanisms such as kerberos5, radius, and dcegssapi. A typical setting, often seen on the Windows platform, is:
SQLNET.AUTHENTICATION_SERVICES= (nts)
If we set this value to none, we turn off the ability to log in through OS verification alone. With this setting turned off, try to log in:
SQL> conn / as sysdba
ERROR:
ORA-01031: insufficient privileges
SQL> conn sys/ddd@orcl as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied
Note that logins authenticated by the OS are now rejected. Also, although sqlnet.ora is a plain text file, changes to it take effect without restarting the DBMS.
One point to note: the default OS authentication login is not really unauthenticated; it is verified at the operating system level. On Windows, the user who installs Oracle is automatically added to the ora_dba group. Operating-system-level verification checks whether the current user belongs to the ora_dba group before allowing the operation. On Unix/Linux there is likewise the oinstall group, and the user performing the operation must belong to it.
Finally, note that this authentication parameter is a common source of security problems. If an attacker manages to crack a host username and password, and Oracle is configured to rely on OS authentication alone, the database has no security to speak of. From a security point of view, therefore, set this parameter to none at a minimum, restrict permission to modify the sqlnet.ora file to the root user, deny modification by ordinary users, and do not rely on this single authentication method.
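Both recommendations can be checked on a host with a short audit script. The following is an added example, not code from the original article or from Oracle: it parses a sqlnet.ora file, reports whether the OS-level values from the table above (all, nts) are enabled, and flags a file that is writable by group or others or not owned by root. The function names, finding strings, sample text and the merging of repeated settings are assumptions, and the permission checks assume a POSIX host.

```python
import os
import re
import stat
import sys

# Values the article's table lists under OS-level verification.
OS_AUTH_VALUES = {"all", "nts"}
# Constructed sample input, used when no path is given on the command line.
SAMPLE = "# constructed sample\nSQLNET.AUTHENTICATION_SERVICES= (nts)\n"

def auth_services(text):
    """Return the set of configured services (lower case), or None if unset."""
    joined = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments
        if line[:1] in (" ", "\t") and joined:     # indented line continues the previous one
            joined[-1] += " " + line.strip()
        elif line:
            joined.append(line)
    found = None
    for line in joined:
        m = re.match(r"(?i)sqlnet\.authentication_services\s*=\s*(.*)$", line)
        if m:
            # Assumption: repeated settings are merged, so any OS value is reported.
            found = (found or set()) | {v.lower() for v in re.findall(r"\w+", m.group(1))}
    return found

def audit(path):
    """Return a list of findings for one sqlnet.ora file (POSIX permission model)."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        services = auth_services(fh.read())
    if services is None:
        findings.append("unset: parameter absent, the default applies")
    elif services & OS_AUTH_VALUES:
        findings.append("os-auth: enabled via " + ",".join(sorted(services & OS_AUTH_VALUES)))
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("perms: group/other writable (mode %o)" % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        findings.append("owner: uid %d is not root" % st.st_uid)
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("sample:", auth_services(SAMPLE))
    for p in sys.argv[1:]:
        for f in audit(p) or ["ok: no findings"]:
            print(p + ": " + f)
```

Run it with one or more sqlnet.ora paths as arguments; a file that sets the parameter to none, is owned by root and is not group or world writable produces no findings.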