Oracle OS Authentication: Configuration Steps and Practical Points

Database Design_en

Published: Nov 18, 2024 / Updated: Aug 30, 2025

Oracle Database provides two authentication methods: database authentication, which uses credentials managed inside the database, and OS authentication, which relies on the operating system’s user information. Because their intended use and setup differ, this article explains Linux user creation, detailed OS authentication configuration, and the role of OS_AUTHENT_PREFIX. Security-minded best practices are also covered, making this useful for beginners through practitioners.

Table of Contents

    1. What Is Database Authentication?
    2. Advantages and Disadvantages
    3. Setup Steps: Database Authentication
    4. Best Practices
    1. What Is OS Authentication?
    2. Role of OS_AUTHENT_PREFIX
    1. Setup Steps: OS Authentication on Linux
  2. Customizing OS_AUTHENT_PREFIX
    1. Selection Points Between Database and OS Authentication
    2. Common Errors and Remedies
    3. Security Best Practices
    1. Summary: Key Points for Choosing and Managing the Right Authentication Method

1. What Is Database Authentication?

Database authentication is a method where you define user names and passwords directly in Oracle Database, and the database itself manages those credentials. Because you create users per database and centralize the credentials, this approach is well-suited to systems with multiple users where you want strict access control.

Advantages and Disadvantages

AdvantagesDisadvantages
Flexible, per-user access controlAdditional overhead for password management
Security can be enforced solely by the databaseManagement becomes complex when the user count grows

Setup Steps: Database Authentication

  1. Create a user
    Use the CREATE USER statement to create a database user.
CREATE USER hr IDENTIFIED BY hr_password;
  1. Grant privileges
    Grant the privileges required for connections.
GRANT CONNECT, RESOURCE TO hr;
  1. Verify the connection
    Connect to the database with the created user to verify authentication works.
sqlplus hr/hr_password@orcl

Best Practices

  • Strengthen security with profile settings: set password lifetime and complexity.
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90;
  • Enable login auditing: configure login auditing to detect unauthorized access.
AUDIT SESSION BY ACCESS;

2. What Is OS Authentication?

OS authentication uses the operating system’s user information when accessing the database. On the Oracle Database side, users who have already been authenticated by the OS are allowed to connect without a password. This is convenient for scripted automation and batch processing, and it also reduces password management overhead.

Role of OS_AUTHENT_PREFIX

When you use OS authentication, the OS_AUTHENT_PREFIX parameter is important for identifying OS users. By default, it is set to ops$, and Oracle Database authenticates by combining this prefix with the OS user name.

For example, if the Linux user name is test1, the database authenticates the user as ops$test1. You can change this prefix. Setting a prefix that aligns with your organization’s policies makes user management easier.

3. Setup Steps: OS Authentication on Linux

The following steps explain how to configure OS authentication on Linux. Here, we create test1 as the OS user and configure database access.

  1. Create the test1 user on Linux
    Create the test1 user on Linux for use with Oracle Database authentication.
# useradd -G dba,oper,backupdba,dgdba,kmdba test1
# passwd test1
  1. Create the OS-authenticated user in the database
    Using the default OS_AUTHENT_PREFIX (usually ops$), create the database user corresponding to test1.
CREATE USER "ops$test1" IDENTIFIED EXTERNALLY;
  1. Grant privileges
    Grant the privileges required for the OS-authenticated user to connect.
GRANT CONNECT, RESOURCE TO "ops$test1";
  1. Verify the connection
    Log in to Linux as test1 and verify that you can connect to Oracle Database using OS authentication.
su - test1
sqlplus / as sysdba  # If this command connects successfully, OS authentication is working correctly.

Command execution example

[root@orcl19c ~]# useradd -G dba,oper,backupdba,dgdba,kmdba test1  ★User created
[root@orcl19c ~]# passwd test1
Changing password for user test1.
New password:
BAD PASSWORD: The password is shorter than 7 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@orcl19c ~]# su - oracle
Last login: Fri Aug 29 20:42:08 EDT 2025 from 192.168.56.1 on pts/0
[oracle@orcl19c ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Aug 29 22:27:41 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> CREATE USER "ops$test1" IDENTIFIED EXTERNALLY;

User created.

SQL> GRANT CONNECT, RESOURCE TO "ops$test1";

Grant succeeded.

SQL> exit
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
[oracle@orcl19c ~]$ su - test1
Password:
[test1@orcl19c ~]$ export ORACLE_SID=v19
[test1@orcl19c ~]$ export ORACLE_BASE=/u01/app/oracle
[test1@orcl19c ~]$ export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1
[test1@orcl19c ~]$ export PATH=$PATH:$ORACLE_HOME/bin
[test1@orcl19c ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Aug 29 22:29:15 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> show user
USER is "SYS"  ★Connected

Customizing OS_AUTHENT_PREFIX

You can change OS_AUTHENT_PREFIX if necessary. For example, if you want to use different prefixes per organization or project, customize the setting as shown below. The database must be restarted.

ALTER SYSTEM SET OS_AUTHENT_PREFIX = 'custom$' SCOPE=SPFILE;

For example, if you set OS_AUTHENT_PREFIX to custom$, the database authenticates the user as custom$test1.

Command execution example

SQL> show parameter os_authent_prefix

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      ops$
SQL> alter system set os_authent_prefix='custom$' scope=spfile;

System altered.

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.

Total System Global Area 1543500144 bytes
Fixed Size                  8896880 bytes
Variable Size             905969664 bytes
Database Buffers          620756992 bytes
Redo Buffers                7876608 bytes
Database mounted.
Database opened.
SQL> show parameter os_authent_prefix

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      custom$  ★Changed

4. Selection Points Between Database and OS Authentication

ItemDatabase AuthenticationOS Authentication
Password managementRequiredNot required
Typical use casesPer-user management, stronger securityAutomation, scripts, batch processing
Use of OS_AUTHENT_PREFIXNot requiredRequired
Operational convenienceMediumHigh (when integrated with OS users)
Flexibility of security settingsProfiles and password policy configurableDepends on OS user management
  • When database authentication is recommended: environments that require per-user management or strict security
  • When OS authentication is recommended: environments that require automation for scripts and batch jobs

5. Troubleshooting and Security Best Practices

Common Errors and Remedies

  • ORA-01017: invalid username/password
    • Issue: OS authentication may not be enabled, or OS_AUTHENT_PREFIX may not match.
    • Remedy: Check that SQLNET.AUTHENTICATION_SERVICES = (NTS) is set in sqlnet.ora. Also verify that the OS_AUTHENT_PREFIX setting matches the user name in the database.
  • ORA-28000: the account is locked
    • Issue: Accounts may be locked after authentication failures.
    • Remedy: Unlock the account with: ALTER USER "ops$test1" ACCOUNT UNLOCK;
  • Insufficient privileges at connect time
    • Issue: The OS-authenticated user does not have sufficient privileges.
    • Remedy: Re-grant the required privileges: GRANT CONNECT, RESOURCE TO "ops$test1";

Security Best Practices

  • Restrict via OS user groups: Assign OS-authenticated users to specific groups to control access.
  • Enable auditing: Turn on Oracle auditing to record unauthorized connections and access.
  • Naming rules for OS_AUTHENT_PREFIX: Set a clear, policy-aligned prefix to avoid confusion among users.

6. Summary: Key Points for Choosing and Managing the Right Authentication Method

Each Oracle Database authentication method has different strengths. When using OS authentication, understand how to utilize OS_AUTHENT_PREFIX, and, together with security best practices, choose the method that best fits your business requirements.

[reference]
Oracle Database Security Guide, 19c

Complete Guide to Oracle CREATE USER: Explained with Diagrams
In Oracle Database, user management plays a crucial role in security, access control, and resource limitation.This artic...
oracle-master00000.com
2025.07.29

コメント

Copied title and URL