Oracle7 Server Concepts


User Authentication

To prevent unauthorized use of a database username, Oracle provides user validation via three different methods for normal database users: the operating system, a network authentication service, or the Oracle database itself.

For simplicity, one method is usually used to authenticate all users of a database. However, Oracle allows use of all methods within the same database instance.

Oracle also encrypts passwords during transmission to ensure the security of client/server authentication.

Because database administrators perform special database operations, Oracle requires special authentication procedures for database administrators.

Authenticating Users Using the Operating System

If your operating system permits, Oracle can use information maintained by the operating system to authenticate users. The benefits of operating system authentication are the following:

For example, with operating system authentication a user can start SQL*Plus and connect under the operating system account without supplying a database username or password:

		SQLPLUS /

If the operating system is used to authenticate database users, there are some special considerations with respect to distributed database environments and database links; see Chapter 21, "Distributed Databases", for information on this topic.

Additional Information: For more information about authenticating via your operating system, see your Oracle operating system-specific documentation.

Authenticating Users Using Network Authentication

If network authentication services, such as DCE, Kerberos, or SESAME, are available to you, Oracle can accept authentication from the network service. To use a network authentication service with Oracle, you must also have the Oracle Secure Network Services product.

If you use a network authentication service, there are some special considerations for network roles and database links. See Oracle7 Server Distributed Systems, Volume I for more information about network authentication.

Authenticating Users Using the Oracle Database

Oracle can authenticate users attempting to connect to a database by using information stored in that database. You must use this method when the operating system cannot be used for database user validation.

When Oracle uses database authentication, you create each user with an associated password. A user must provide the correct password when establishing a connection, which prevents unauthorized use of the database. Oracle stores a user's password in the data dictionary, but all passwords are stored in an encrypted format to maintain security for the user. A user can change their password at any time.

Password Encryption while Connecting

To better protect the confidentiality of your passwords, Oracle allows you to encrypt passwords during client/server and server/server connections. If you enable this functionality on both the client and server machines, Oracle encrypts passwords using a modified DES (Data Encryption Standard) algorithm before sending them across the network.

For more information about encrypting passwords in client/server systems, see Oracle7 Server Distributed Systems, Volume I.

Database Administrator Authentication

Database administrators must often perform special operations such as shutting down or starting up a database. Because these operations should not be performed by normal database users, the database administrator usernames need a more secure authentication scheme. Oracle provides a few methods for authenticating database administrators.

You can choose between operating system authentication and password files to authenticate database administrators. The choice depends on whether you wish to administer your database locally, on the same machine on which the database resides, or to administer many different database machines from a single remote client. Figure 17 - 1 illustrates the choices you have for database administrator authentication schemes.

Figure 17 - 1. Database Administrator Authentication Methods

On most operating systems, OS authentication for database administrators involves placing the OS username of the database administrator in a special group (on UNIX systems, this is the dba group) or giving that OS username a special process right.

Additional Information: For information about OS authentication of database administrators, see your Oracle operating system-specific documentation.

Password files are files used by the database to keep track of the database users who have been granted the SYSDBA and SYSOPER privileges. These privileges allow database administrators to perform the following actions:

SYSOPER Permits you to perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER, and includes the RESTRICTED SESSION privilege.

SYSDBA Contains all system privileges with ADMIN OPTION, and the SYSOPER system privilege; permits CREATE DATABASE and time-based recovery.

For information about password files, see the Oracle7 Server Administrator's Guide.
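The three user authentication methods described above, together with a review of which accounts hold the password-file privileges, as an added SQL example that is not part of the Oracle7 manual. It assumes an Oracle7 instance with a password file enabled and OS_AUTHENT_PREFIX left at its default of OPS$; the usernames and passwords are invented.

```sql
-- Added example, not from the Oracle7 manual.  Assumes an Oracle7 instance
-- with OS_AUTHENT_PREFIX at its default (OPS$) and a password file in use;
-- user names and passwords below are illustrative placeholders.

-- 1. Database authentication: Oracle itself verifies the password, which is
--    stored in encrypted form in the data dictionary.
CREATE USER app_reader IDENTIFIED BY change_me_now;
GRANT CREATE SESSION TO app_reader;

-- 2. Operating system authentication: no database password exists at all.
--    The OS account "alice" connects as OPS$ALICE by typing "SQLPLUS /".
CREATE USER ops$alice IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$alice;

-- 3. Administrator authentication through the password file.  Grant the
--    least powerful privilege that covers the job: an operator who only
--    starts, stops and backs up the instance needs SYSOPER, not SYSDBA.
CREATE USER app_operator IDENTIFIED BY another_placeholder;
GRANT SYSOPER TO app_operator;

-- Review: which normal users rely on which method?  In Oracle7, DBA_USERS
-- shows the literal 'EXTERNAL' in PASSWORD for OS-authenticated users, so
-- the list tells you whose access is really decided by the OS.
SELECT username,
       DECODE(password, 'EXTERNAL', 'operating system', 'database') AS auth_method
  FROM dba_users
 ORDER BY auth_method, username;

-- Review: who holds SYSDBA or SYSOPER in the password file?  Every row is an
-- administrator account and should match the DBA staff list; anything else
-- is a candidate for REVOKE SYSDBA / REVOKE SYSOPER.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;
```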

