Enrico Cairo, profile picture
Uploaded byEnrico Cairo
PDF, PPTX67 views

Proxy authentication Itoug TechDays 2019

This document discusses proxy user authentication in Oracle databases. It provides scenarios where a normal user is granted privileges but cannot access certain objects, while a connection through a proxy user allows access. The document also discusses auditing proxy authentication sessions and checking which authentication method was used through a login.

Embed presentation

Download as PDF, PPTX
PROXYUSERAUTHENTICATION Enrico Cairo 31/01/2019 1
- - 31/01/2019Proxy User Authentication 2 https://www.facebook.com/AskDbaForInfo/ https://www.linkedin.com/in/cairoenrico/ https://twitter.com/DbaAsk http://www.ask-dba-for.Info
- - MISUNDERSTANDING 31/01/20193Proxy User Authentication Proxy User Authentication != User Authentication by Proxy
- - SCENARIO 31/01/20194Proxy User Authentication Normal user GRANTS select any table drop any table
- - SCENARIO 31/01/20195Proxy User Authentication SQL> conn / as sysdba Connected. SQL> CREATE TABLE sys.dummy (id NUMBER); Table created. SQL> CREATE TABLE system.dummy (id NUMBER); Table created. SQL> CREATE USER jane IDENTIFIED BY "doe" 2 DEFAULT TABLESPACE users 3 TEMPORARY TABLESPACE temp 4 ACCOUNT UNLOCK; User created. SQL> GRANT CREATE SESSION TO jane; Grant succeeded. SQL> GRANT SELECT ANY TABLE TO jane; Grant succeeded. SQL> GRANT DROP ANY TABLE TO jane; Grant succeeded. SQL> SQL> conn jane/doe Connected. SQL> DROP TABLE sys.dummy; DROP TABLE sys.dummy * ERROR at line 1: ORA-00942: table or view does not exist SQL> SELECT * FROM sys.dummy; SELECT * FROM sys.dummy * ERROR at line 1: ORA-00942: table or view does not exist SQL> SELECT * FROM system.dummy; no rows selected SQL> DROP TABLE system.dummy; Table dropped. SQL>
- - ARE THEY REAL WORKAROUNDS? 31/01/20196Proxy User Authentication whenever sqlerror exit column password new_value pw declare l_passwd varchar2(45); begin select password into l_passwd from sys.dba_users where username = upper('&1'); end; / select password from sys.dba_users where username = upper( '&1' ) / alter user &1 identified by Hello; connect &1/hello alter user &1 identified by values '&pw'; show user whenever sqlerror continue SQL> alter session set current schema = ‘john’;
- - REAL WORKAROUND 31/01/20197Proxy User Authentication Since Oracle 9i Release 2 SQL> create user PROXY identified by PROXY default tablespace USERS; SQL> alter user OWNER grant connect through PROXY; SQL> conn PROXY[OWNER]/PROXY SQL> show user USER is "OWNER"
- - CHECKING 31/01/20198Proxy User Authentication SQL> conn / as sysdba Connected. SQL> REVOKE DROP ANY TABLE FROM jane; Revoke succeeded. SQL> CREATE USER john IDENTIFIED BY "doe" 2 DEFAULT TABLESPACE users 3 TEMPORARY TABLESPACE temp 4 ACCOUNT UNLOCK; User created. SQL> GRANT CREATE SESSION TO john; Grant succeeded. SQL> GRANT RESOURCE TO john; Grant succeeded. SQL> ALTER USER john QUOTA UNLIMITED ON users; User altered. SQL> CREATE TABLE john.dummy (id NUMBER); Table created. SQL> ALTER USER john GRANT CONNECT THROUGH jane; User altered. SQL> AUDIT SESSION BY jane; Audit succeeded. SQL> conn jane/doe Connected. SQL> SELECT * FROM john.dummy; no rows selected SQL> DROP TABLE john.dummy; DROP TABLE john.dummy * ERROR at line 1: ORA-01031: insufficient privileges SQL> conn jane[john]/doe Connected. SQL> show user USER is "john" SQL> DROP TABLE dummy; Table dropped.
- - AUDIT 31/01/20199Proxy User Authentication SQL> conn / as sysdba Connected. SQL> ALTER SESSION SET NLS_DATE_FORMAT = 'yyyy-mm-dd hh24:mi:ss'; SQL> SET LINES 132 PAGES 60 TRIMS ON SQL> COL username for a13 SQL> COL proxy_user for a13 SQL> COL obj_name for a13 SQL> COL timestamp for a20 SQL> SELECT a.username, 2 b.username proxy_user, 3 a.obj_name, 4 a.returncode, 5 a.timestamp, 6 a.sessionid, 7 a.proxy_sessionid 8 FROM dba_audit_trail a, 9 dba_audit_trail b 10 WHERE a.action_name = 'DROP TABLE' 11 AND a.proxy_sessionid = b.sessionid 12 AND b.action_name = 'PROXY AUTHENTICATION ONLY' 13 ORDER BY sessionid; USERNAME PROXY_USER OBJ_NAME RETURNCODE TIMESTAMP SESSIONID PROXY_SESSIONID ------------- ------------- ------------- ---------- -------------------- ---------- --------------- JOHN JANE DUMMY 0 2018-09-14 14:27:44 295832023 295832022
- - REMARKS 31/01/201910Proxy User Authentication SQL> ALTER USER john ACCOUNT LOCK; User altered. SQL> conn jane[john]/doe ERROR: ORA-28000: the account is locked Warning: You are no longer connected to ORACLE. SQL> What happens if user ‘john’ is locked and ‘jane’ tries to login through him?
- - REMARKS 31/01/201911Proxy User Authentication SQL> conn jane[john]/doe Connected. SQL> col "whoami" for a25 SQL> col "who am i" for a25 SQL> col "sid" for a10 SQL> SELECT sys_context('userenv','session_user') "whoami", 2 sys_context('userenv','proxy_user') "who am i", 3 sys_context('userenv','sid') "sid" 4 FROM dual; whoami who am i sid ------------------------- ------------------------- ---------- JOHN JANE 878 SQL> conn jane/doe Connected. SQL> SELECT sys_context('userenv','session_user') "whoami", 2 sys_context('userenv','proxy_user') "who am i", 3 sys_context('userenv','sid') "sid" 4 FROM dual; whoami who am i sid ------------------------- ------------------------- ---------- JANE 878 SQL> Can I check which kind of method I’m using for login, similar to *nix environment?
- - REMARKS 01/02/201912Proxy User Authentication SQL> SELECT * FROM proxy_users; PROXY CLIENT AUT FLAGS ------------------------- ------------------------- --- ----------------------------------- JANE JOHN NO PROXY MAY ACTIVATE ALL CLIENT ROLES SQL> col username for a25 SQL> col network_service_banner for a100 SQL> SELECT s.username, s.sid, s.serial#, s.state, c.network_service_banner 2 FROM v$session s, 3 v$session_connect_info c 4 WHERE s.sid = c.sid 5 AND s.serial# = c.serial# 6 AND c.authentication_type = 'PROXY'; USERNAME SID SERIAL# STATE ------------------------------ ---------- ---------- ------------------- NETWORK_SERVICE_BANNER ---------------------------------------------------------------------------------------------------- JOHN 878 19357 WAITING Oracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.3.0 - Production JOHN 878 19357 WAITING Oracle Advanced Security: authentication service for Linux: Version 11.2.0.3.0 - Production JOHN 878 19357 WAITING Oracle Advanced Security: encryption service for Linux: Version 11.2.0.3.0 - Production JOHN 878 19357 WAITING Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.2.0.3.0 - Production Can I realize someone is logged into my instance by using this feature without looking audit trail?

More Related Content

PDF
Using database in android
byUniversity of Potsdam
 
PDF
Php Security - OWASP
byMizno Kruge
 
PDF
Taking the pain out of signing users in
byFrancois Marier
 
PDF
You're still using passwords on your site?
byFrancois Marier
 
PPTX
CakePHP workshop
byWalther Lalk
 
PDF
Passwords suck, but centralized proprietary services are not the answer
byFrancois Marier
 
PDF
Persona: a federated and privacy-protecting login system for the whole Web
byFrancois Marier
 
TXT
Exemple de création de base
bySaber LAJILI
 
Using database in android
byUniversity of Potsdam
 
Php Security - OWASP
byMizno Kruge
 
Taking the pain out of signing users in
byFrancois Marier
 
You're still using passwords on your site?
byFrancois Marier
 
CakePHP workshop
byWalther Lalk
 
Passwords suck, but centralized proprietary services are not the answer
byFrancois Marier
 
Persona: a federated and privacy-protecting login system for the whole Web
byFrancois Marier
 
Exemple de création de base
bySaber LAJILI
 

Similar to Proxy authentication Itoug TechDays 2019

PPTX
User Information in Oracle introduction.pptx
byAzarHamid
 
PPT
ch03_2.pptfsfsfsfsfsfsfsfsfsfsfsffsssfsffff
byDiaaUliyan
 
PPT
Introduction DB and Database Users Privileges.ppt
byZamriMohamed5
 
PDF
Security in ORACLE RDBMS
byManohar Tatwawadi
 
PDF
dba
byVikasVerma9196
 
PPTX
Administration and Management of Users in Oracle / Oracle Database Storage st...
byrajeshkumarcse2001
 
PPT
Controlling User Access -Data base
bySalman Memon
 
PDF
OER-Unit 1 authentication -Lecturer Notes
byGirija Muscut
 
PPTX
Oracle Database 23c Security New Features.pptx
bySatishbabu Gunukula
 
PPTX
Database 12c
byZoran Pavlovic
 
PPT
Less06 users
byImran Ali
 
PDF
1.1 Intro to WinDDI.pdf
byssuser8b6c85
 
PDF
Postgres seminar
bymahsanaru
 
PDF
Oracle
byYo Seven
 
PPTX
Oracle Database Security For Developers
bySzymon Skorupinski
 
PPT
DB2UDB_the_Basics Day 3
byPranav Prakash
 
PPTX
Db pre
byfrrobin
 
PDF
Users66666666666666666666666666666666666666
by227567
 
PDF
2008 Collaborate IOUG Presentation
byBiju Thomas
 
PDF
Oracle BI EE - Act As
byRick Brobbel
 
User Information in Oracle introduction.pptx
byAzarHamid
 
ch03_2.pptfsfsfsfsfsfsfsfsfsfsfsffsssfsffff
byDiaaUliyan
 
Introduction DB and Database Users Privileges.ppt
byZamriMohamed5
 
Security in ORACLE RDBMS
byManohar Tatwawadi
 
dba
byVikasVerma9196
 
Administration and Management of Users in Oracle / Oracle Database Storage st...
byrajeshkumarcse2001
 
Controlling User Access -Data base
bySalman Memon
 
OER-Unit 1 authentication -Lecturer Notes
byGirija Muscut
 
Oracle Database 23c Security New Features.pptx
bySatishbabu Gunukula
 
Database 12c
byZoran Pavlovic
 
Less06 users
byImran Ali
 
1.1 Intro to WinDDI.pdf
byssuser8b6c85
 
Postgres seminar
bymahsanaru
 
Oracle
byYo Seven
 
Oracle Database Security For Developers
bySzymon Skorupinski
 
DB2UDB_the_Basics Day 3
byPranav Prakash
 
Db pre
byfrrobin
 
Users66666666666666666666666666666666666666
by227567
 
2008 Collaborate IOUG Presentation
byBiju Thomas
 
Oracle BI EE - Act As
byRick Brobbel
 

Recently uploaded

DOCX
Cost Effective Design for Streaming Data Systems.docx
bytotabrez1
 
PDF
Educational Attainment and Household Consumption Inequality in Bangladesh: A ...
byFardeen Ahmed
 
PDF
Apache Iceberg - Transactional Storage for Large Datasets
byMichal Gancarski
 
PDF
Serverless Data Infrastructure (examples)
byMichal Gancarski
 
PDF
Top 11 Best Sites Buy Gmail Accounts_ A Complete Guide 2025–26.pdf
bynewpvait.com
 
PDF
Machines, Language & Intelligence: The Evolution of NLP
byayesha butalia
 
PDF
BUKTI KEMENANGAN MEMBER KANCAH4D – WD PULUHAN JUTA DARI STARLIGHT PRINCESS!
bykancah4d
 
PDF
Bratislava Tableau User group (BA_TUG) - 15_01_2026 - in-person meeting.pdf
byPavol Hromadka
 
PDF
[DSC Europe 25] Elena Menshikova - AI-Powered Operational Excellence: Revolut...
byDataScienceConferenc1
 
PDF
Time Travel on ACID - A Gentle Introduction To Apache Iceberg
byMichal Gancarski
 
PPTX
Hepatitis.pptx slideshare by me myself and you nknkhk
byPB2013DhanashreeNaik
 
PDF
National Seminar Brochure 2026 FOE.pdfvv
byMAAPARVATITENTHOUSE
 
PPTX
Data Storytelling with Power BI: From Raw Data to Executive Dashboards
bysaharmughal9
 
PPTX
CC.pptx ffvdv fgfgdrgrgrgbtrgvtygvcrterewe
byPB2013DhanashreeNaik
 
PPTX
Narratives of Makuapo A narrative Study.pptx
byAiraAntonetteVZarcil
 
PPTX
Investigatory-Project-on-Drug-Addiction-Final.pptx
byYashAggarwal233278
 
PPT
linear_algebra mldataaimachiee leARNINGML
byssuser70a8841
 
PPTX
Analyzing the Impact of Sleep Behavior on Academic (1).pptx
byuswaihsan1
 
PPTX
WEP PROGRAMMING textbook important notes.pptx
byRKARTHIKSHYAVI
 
PPTX
[DSC Europe 25] Mijat Kustudic - Building Financial Intelligence with AI Agen...
byDataScienceConferenc1
 
Cost Effective Design for Streaming Data Systems.docx
bytotabrez1
 
Educational Attainment and Household Consumption Inequality in Bangladesh: A ...
byFardeen Ahmed
 
Apache Iceberg - Transactional Storage for Large Datasets
byMichal Gancarski
 
Serverless Data Infrastructure (examples)
byMichal Gancarski
 
Top 11 Best Sites Buy Gmail Accounts_ A Complete Guide 2025–26.pdf
bynewpvait.com
 
Machines, Language & Intelligence: The Evolution of NLP
byayesha butalia
 
BUKTI KEMENANGAN MEMBER KANCAH4D – WD PULUHAN JUTA DARI STARLIGHT PRINCESS!
bykancah4d
 
Bratislava Tableau User group (BA_TUG) - 15_01_2026 - in-person meeting.pdf
byPavol Hromadka
 
[DSC Europe 25] Elena Menshikova - AI-Powered Operational Excellence: Revolut...
byDataScienceConferenc1
 
Time Travel on ACID - A Gentle Introduction To Apache Iceberg
byMichal Gancarski
 
Hepatitis.pptx slideshare by me myself and you nknkhk
byPB2013DhanashreeNaik
 
National Seminar Brochure 2026 FOE.pdfvv
byMAAPARVATITENTHOUSE
 
Data Storytelling with Power BI: From Raw Data to Executive Dashboards
bysaharmughal9
 
CC.pptx ffvdv fgfgdrgrgrgbtrgvtygvcrterewe
byPB2013DhanashreeNaik
 
Narratives of Makuapo A narrative Study.pptx
byAiraAntonetteVZarcil
 
Investigatory-Project-on-Drug-Addiction-Final.pptx
byYashAggarwal233278
 
linear_algebra mldataaimachiee leARNINGML
byssuser70a8841
 
Analyzing the Impact of Sleep Behavior on Academic (1).pptx
byuswaihsan1
 
WEP PROGRAMMING textbook important notes.pptx
byRKARTHIKSHYAVI
 
[DSC Europe 25] Mijat Kustudic - Building Financial Intelligence with AI Agen...
byDataScienceConferenc1
 

Proxy authentication Itoug TechDays 2019

  • 1.
  • 2.
    - - 31/01/2019ProxyUser Authentication 2 https://www.facebook.com/AskDbaForInfo/ https://www.linkedin.com/in/cairoenrico/ https://twitter.com/DbaAsk http://www.ask-dba-for.Info
  • 3.
    - - MISUNDERSTANDING 31/01/20193Proxy UserAuthentication Proxy User Authentication != User Authentication by Proxy
  • 4.
    - - SCENARIO 31/01/20194Proxy UserAuthentication Normal user GRANTS select any table drop any table
  • 5.
    - - SCENARIO 31/01/20195Proxy UserAuthentication SQL> conn / as sysdba Connected. SQL> CREATE TABLE sys.dummy (id NUMBER); Table created. SQL> CREATE TABLE system.dummy (id NUMBER); Table created. SQL> CREATE USER jane IDENTIFIED BY "doe" 2 DEFAULT TABLESPACE users 3 TEMPORARY TABLESPACE temp 4 ACCOUNT UNLOCK; User created. SQL> GRANT CREATE SESSION TO jane; Grant succeeded. SQL> GRANT SELECT ANY TABLE TO jane; Grant succeeded. SQL> GRANT DROP ANY TABLE TO jane; Grant succeeded. SQL> SQL> conn jane/doe Connected. SQL> DROP TABLE sys.dummy; DROP TABLE sys.dummy * ERROR at line 1: ORA-00942: table or view does not exist SQL> SELECT * FROM sys.dummy; SELECT * FROM sys.dummy * ERROR at line 1: ORA-00942: table or view does not exist SQL> SELECT * FROM system.dummy; no rows selected SQL> DROP TABLE system.dummy; Table dropped. SQL>
  • 6.
    - - ARE THEYREAL WORKAROUNDS? 31/01/20196Proxy User Authentication whenever sqlerror exit column password new_value pw declare l_passwd varchar2(45); begin select password into l_passwd from sys.dba_users where username = upper('&1'); end; / select password from sys.dba_users where username = upper( '&1' ) / alter user &1 identified by Hello; connect &1/hello alter user &1 identified by values '&pw'; show user whenever sqlerror continue SQL> alter session set current schema = ‘john’;
  • 7.
    - - REAL WORKAROUND 31/01/20197ProxyUser Authentication Since Oracle 9i Release 2 SQL> create user PROXY identified by PROXY default tablespace USERS; SQL> alter user OWNER grant connect through PROXY; SQL> conn PROXY[OWNER]/PROXY SQL> show user USER is "OWNER"
  • 8.
    - - CHECKING 31/01/20198Proxy UserAuthentication SQL> conn / as sysdba Connected. SQL> REVOKE DROP ANY TABLE FROM jane; Revoke succeeded. SQL> CREATE USER john IDENTIFIED BY "doe" 2 DEFAULT TABLESPACE users 3 TEMPORARY TABLESPACE temp 4 ACCOUNT UNLOCK; User created. SQL> GRANT CREATE SESSION TO john; Grant succeeded. SQL> GRANT RESOURCE TO john; Grant succeeded. SQL> ALTER USER john QUOTA UNLIMITED ON users; User altered. SQL> CREATE TABLE john.dummy (id NUMBER); Table created. SQL> ALTER USER john GRANT CONNECT THROUGH jane; User altered. SQL> AUDIT SESSION BY jane; Audit succeeded. SQL> conn jane/doe Connected. SQL> SELECT * FROM john.dummy; no rows selected SQL> DROP TABLE john.dummy; DROP TABLE john.dummy * ERROR at line 1: ORA-01031: insufficient privileges SQL> conn jane[john]/doe Connected. SQL> show user USER is "john" SQL> DROP TABLE dummy; Table dropped.
  • 9.
    - - AUDIT 31/01/20199Proxy UserAuthentication SQL> conn / as sysdba Connected. SQL> ALTER SESSION SET NLS_DATE_FORMAT = 'yyyy-mm-dd hh24:mi:ss'; SQL> SET LINES 132 PAGES 60 TRIMS ON SQL> COL username for a13 SQL> COL proxy_user for a13 SQL> COL obj_name for a13 SQL> COL timestamp for a20 SQL> SELECT a.username, 2 b.username proxy_user, 3 a.obj_name, 4 a.returncode, 5 a.timestamp, 6 a.sessionid, 7 a.proxy_sessionid 8 FROM dba_audit_trail a, 9 dba_audit_trail b 10 WHERE a.action_name = 'DROP TABLE' 11 AND a.proxy_sessionid = b.sessionid 12 AND b.action_name = 'PROXY AUTHENTICATION ONLY' 13 ORDER BY sessionid; USERNAME PROXY_USER OBJ_NAME RETURNCODE TIMESTAMP SESSIONID PROXY_SESSIONID ------------- ------------- ------------- ---------- -------------------- ---------- --------------- JOHN JANE DUMMY 0 2018-09-14 14:27:44 295832023 295832022
  • 10.
    - - REMARKS 31/01/201910Proxy UserAuthentication SQL> ALTER USER john ACCOUNT LOCK; User altered. SQL> conn jane[john]/doe ERROR: ORA-28000: the account is locked Warning: You are no longer connected to ORACLE. SQL> What happens if user ‘john’ is locked and ‘jane’ tries to login through him?
  • 11.
    - - REMARKS 31/01/201911Proxy UserAuthentication SQL> conn jane[john]/doe Connected. SQL> col "whoami" for a25 SQL> col "who am i" for a25 SQL> col "sid" for a10 SQL> SELECT sys_context('userenv','session_user') "whoami", 2 sys_context('userenv','proxy_user') "who am i", 3 sys_context('userenv','sid') "sid" 4 FROM dual; whoami who am i sid ------------------------- ------------------------- ---------- JOHN JANE 878 SQL> conn jane/doe Connected. SQL> SELECT sys_context('userenv','session_user') "whoami", 2 sys_context('userenv','proxy_user') "who am i", 3 sys_context('userenv','sid') "sid" 4 FROM dual; whoami who am i sid ------------------------- ------------------------- ---------- JANE 878 SQL> Can I check which kind of method I’m using for login, similar to *nix environment?
  • 12.
    - - REMARKS 01/02/201912Proxy UserAuthentication SQL> SELECT * FROM proxy_users; PROXY CLIENT AUT FLAGS ------------------------- ------------------------- --- ----------------------------------- JANE JOHN NO PROXY MAY ACTIVATE ALL CLIENT ROLES SQL> col username for a25 SQL> col network_service_banner for a100 SQL> SELECT s.username, s.sid, s.serial#, s.state, c.network_service_banner 2 FROM v$session s, 3 v$session_connect_info c 4 WHERE s.sid = c.sid 5 AND s.serial# = c.serial# 6 AND c.authentication_type = 'PROXY'; USERNAME SID SERIAL# STATE ------------------------------ ---------- ---------- ------------------- NETWORK_SERVICE_BANNER ---------------------------------------------------------------------------------------------------- JOHN 878 19357 WAITING Oracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.3.0 - Production JOHN 878 19357 WAITING Oracle Advanced Security: authentication service for Linux: Version 11.2.0.3.0 - Production JOHN 878 19357 WAITING Oracle Advanced Security: encryption service for Linux: Version 11.2.0.3.0 - Production JOHN 878 19357 WAITING Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.2.0.3.0 - Production Can I realize someone is logged into my instance by using this feature without looking audit trail?