Oracle7 Server Administrator's Guide


User Authentication

This section describes how users are authenticated before they are allowed to create a database session, and includes the following topics:

Operating System Authentication
Operating System Authentication and Network Clients
Database Authentication

Depending on how you want user identities to be authenticated before a database session is created, you can define users in one of two ways.

1. You can configure Oracle so that it performs both identification and authentication of users.

2. You can configure Oracle so that it performs only the identification of users (leaving authentication up to the operating system or network security service).

You can use the following statement to create a user who is identified and authenticated by Oracle:

CREATE USER scott IDENTIFIED BY tiger;

Use the following command to create a user who is identified by Oracle and authenticated by the operating system or a network service:

CREATE USER scott IDENTIFIED EXTERNALLY;

With CREATE USER ... IDENTIFIED EXTERNALLY, a database administrator creates an account that must be authenticated by the operating system and has no database password. Because the operating system username is supplied by the client, Oracle by default accepts operating system authenticated logins only over secure connections (that is, connections that do not come in over SQL*Net). Setting the initialization parameter REMOTE_OS_AUTHENT to TRUE makes the RDBMS trust the operating system username it receives from the client over a non-secure network connection and use it for account access; since that name is asserted by the client and cannot be verified by the server, any client able to reach the database can then present any username it chooses. You choose the authentication method when you create a user, and you can change it later with ALTER USER (for example, to switch an externally identified account to password authentication).

See Also: For information about network authentication, see Oracle7 Server Distributed Systems, Volume I.

Operating System Authentication

With operating system authentication, your database relies on the underlying operating system to restrict access to database accounts. A database password is not used for this type of login. If your operating system permits, you can have it authenticate users. If you do so, set the parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle usernames. This parameter defines a prefix that Oracle adds to the beginning of every user's operating system account name. When a user attempts to connect, Oracle compares the prefixed operating system account name with the Oracle usernames in the database, and the connection succeeds only if a matching externally identified user exists.

For example, assume that OS_AUTHENT_PREFIX is set as follows:

OS_AUTHENT_PREFIX=OPS$

If a user with an operating system account named "TSMITH" is to connect to an Oracle database and be authenticated by the operating system, Oracle checks that there is a corresponding database user "OPS$TSMITH" and, if so, allows the user to connect. All references to a user authenticated by the operating system must include the prefix, as seen in "OPS$TSMITH".

The default value of this parameter is "OPS$" for backward compatibility with previous versions of Oracle. However, you might prefer to set the prefix value to some other string or a null string (an empty set of double quotes: ""). Using a null string eliminates the addition of any prefix to operating system account names, so that Oracle usernames exactly match operating system usernames.

After you set OS_AUTHENT_PREFIX, it should remain the same for the life of a database. If you change the prefix, any database username that includes the old prefix cannot be used to establish a connection, unless you alter the username to have it use password authentication.

See Also: The text of the OS_AUTHENT_PREFIX parameter is case-sensitive on some operating systems. See your operating system-specific Oracle documentation for more information about this initialization parameter.
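Putting the two pieces above together (the CREATE USER ... IDENTIFIED EXTERNALLY and ALTER USER forms from the start of this section, and the OS_AUTHENT_PREFIX mapping described here), the following is an added example and not text or code from the Oracle7 guide. It assumes the prefix OPS$ and the operating system account TSMITH used in the text; the tablespace names are assumptions, and the DBA_USERS and V$PARAMETER views are used as they exist in Oracle7.

```sql
-- Added example (not from the Oracle7 guide): creating an OS-authenticated
-- account under OS_AUTHENT_PREFIX and auditing accounts stranded by a prefix
-- change. Prefix OPS$ and OS user TSMITH follow the text; tablespace names are
-- assumptions.

-- 1. In the instance's parameter file (init.ora), fix the prefix for the life
--    of the database and restart the instance. Shown as a comment because the
--    parameter file is not SQL:
--      OS_AUTHENT_PREFIX = OPS$

-- 2. Create the account that the OS user TSMITH maps to. No password exists
--    for it; CREATE SESSION is still required or the connect fails even after
--    the operating system has authenticated the user.
CREATE USER OPS$TSMITH IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;
GRANT CREATE SESSION TO OPS$TSMITH;

-- 3. Confirm how Oracle records the account: externally identified users carry
--    the literal EXTERNAL in DBA_USERS.PASSWORD instead of a password hash.
SELECT username, password
  FROM dba_users
 WHERE username = 'OPS$TSMITH';

-- 4. Find externally identified accounts whose names do not begin with the
--    prefix the running instance actually uses. After a prefix change these
--    can never authenticate again (the OS name TSMITH now maps to a username
--    that does not exist), so each is dead weight or needs converting.
--    A null prefix concatenates to '%', so every name matches and no rows
--    are returned, which is the correct result.
SELECT u.username
  FROM dba_users u, v$parameter p
 WHERE p.name = 'os_authent_prefix'
   AND u.password = 'EXTERNAL'
   AND u.username NOT LIKE p.value || '%';

-- 5. Convert a stranded account to password authentication rather than
--    dropping it (its objects and grants survive); the reverse is allowed too.
ALTER USER OPS$TSMITH IDENTIFIED BY change_me_01;
ALTER USER OPS$TSMITH IDENTIFIED EXTERNALLY;
```

Run step 4 as part of any review of an instance whose OS_AUTHENT_PREFIX has ever been changed: V$PARAMETER reports the value the running instance was started with, which is the one Oracle compares against, not whatever is currently written in the parameter file.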

Operating System Authentication and Network Clients

If you want to have the operating system authenticate a user, by default that user cannot connect to the database over SQL*Net. This means the user cannot connect using a multi-threaded server, as this connection uses SQL*Net. This restriction is the default because the operating system username arrives from the client and the database server has no way to verify it, so a remote user could impersonate any other operating system user over a network connection.

If you accept this risk and want to use operating system user authentication with network clients, set the parameter REMOTE_OS_AUTHENT (default is FALSE) in the database's parameter file to TRUE. The change takes effect the next time you start the instance and mount the database. With this setting the database trusts an unverified username from any host that can open a SQL*Net connection to it, so leave the parameter at FALSE unless every such host is itself trusted.
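As an added example that is not part of the Oracle7 guide, the following shows the weak and default settings side by side and a query a reviewer can run against the instance to see who is exposed when REMOTE_OS_AUTHENT is TRUE. It uses the Oracle7 views V$PARAMETER, DBA_USERS and DBA_ROLE_PRIVS; the account and role names that come back depend on the instance.

```sql
-- Added example (not from the Oracle7 guide): determine whether the running
-- instance trusts client-supplied OS usernames over SQL*Net, and which
-- accounts and roles a remote client could therefore assume.

-- Weak setting versus default, in init.ora (comment, not SQL):
--   REMOTE_OS_AUTHENT = TRUE    -- any SQL*Net client may claim any OS name
--   REMOTE_OS_AUTHENT = FALSE   -- default: OS authentication for local logins only

-- The running value (V$PARAMETER shows what the instance started with, not
-- what is in the file now), joined to every externally identified account and
-- the roles each holds. Externally identified accounts are the only ones a
-- claimed OS username can reach; a password-authenticated user is unaffected.
SELECT p.value            AS remote_os_authent,
       u.username,
       r.granted_role
  FROM v$parameter p, dba_users u, dba_role_privs r
 WHERE p.name = 'remote_os_authent'
   AND u.password = 'EXTERNAL'
   AND u.username = r.grantee (+)
 ORDER BY u.username, r.granted_role;

-- Reading the result: if REMOTE_OS_AUTHENT is TRUE, each row is an account any
-- network client can log in as simply by presenting the matching OS username,
-- with the listed role. A row showing DBA (or any other privileged role) is a
-- finding to fix immediately, either by setting the parameter back to FALSE
-- and restarting, or by moving that account to password authentication:
--   ALTER USER ops$tsmith IDENTIFIED BY change_me_01;
```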

Database Authentication

To have Oracle authenticate a user, specify a password for the user when you create or alter the user. Users can change their own password at any time. Passwords are stored in a one-way encrypted form, never as cleartext. Each password must be made up of single-byte characters, even if your database uses a multi-byte character set.

See Also: For more information about valid passwords, see the Oracle7 Server SQL Reference.
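The following is an added example, not code from the Oracle7 guide, showing password authentication in practice: a user changing their own password, and an administrator's check for accounts still on a shipped default password. SCOTT/tiger is the account used in this section; SYS/CHANGE_ON_INSTALL and SYSTEM/MANAGER are the other well-known Oracle7 defaults. The hash values in the query are supplied here, not taken from the page: DBA_USERS.PASSWORD holds a one-way hash computed over the username and password together, so a fixed username-and-password pair always yields the same stored value, and comparing against it reveals a default password without reversing anything. The replacement password is an assumption.

```sql
-- Added example (not from the Oracle7 guide): database (password)
-- authentication. The new password is an assumption; the hash constants are
-- the well-known stored values for the three default account/password pairs.

-- 1. A user changes their own password at any time. It must consist of
--    single-byte characters and follow the rules for identifiers.
ALTER USER scott IDENTIFIED BY r7q_kept_private;

-- 2. Administrator's audit: because the stored value is a one-way hash over
--    username plus password, an account still on its shipped default has a
--    predictable DBA_USERS.PASSWORD. Any row returned is a default password
--    still in place.
SELECT username, password
  FROM dba_users
 WHERE (username = 'SYS'    AND password = 'D4C5016086B2DC6A')  -- CHANGE_ON_INSTALL
    OR (username = 'SYSTEM' AND password = 'D4DF7931AB130E37')  -- MANAGER
    OR (username = 'SCOTT'  AND password = 'F894844C34402B67'); -- TIGER

-- 3. Reset anything the audit reports; the hash changes with the password.
ALTER USER system IDENTIFIED BY n0t_manager_anym0re;
```

The same hash property that makes this check possible also means the stored values must be treated as sensitive: anyone who can read DBA_USERS or SYS.USER$ can run the same comparison against a list of guessed passwords offline, so restrict SELECT on those views to administrators.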
