Hi Roy, - Yes the web server is on a different machine - I think remote OS auth is allowed as when I login to the DB from another host using / it works fine. (obviously logged in as userA still) My DBA suggested I might have to use SSH in some way but I have not found any docs in setting up the authentication in this way... I would not want to prompt the user for a username/password each time the DB needs updating either.. It seems making the config file read only (by userA, the apache runtime user) or encrypting the DB password within the config file is the best option so far. But as the problem has already been solved by Oracle and UNIX I was hoping the solution would be at the O/S level (or at most exporting a few ORA vars so the apache runtime picks it up), rather than at the application software level. _____ From: roy.a.jones@xxxxxxx [mailto:roy.a.jones@xxxxxxx] Sent: 04 October 2004 15:48 To: Ben Gill Cc: php-db@xxxxxxxxxxxxx Subject: Re: PHP Oracle Authentication using UNIX user account A couple notes / assumptions .. (1) The web server is on a different machine then database (2) The DB is not allowing remote OS authentication and only local OS authentication If these are not true then some of my comments will be invalid (1) The above config will not work as the web-to-db conn is not authenticated locally (2) If remote OS auth is allow that is more of a security risk .. (can be mitigated) (3) If the php files are secured on the server that mitigates risk (4) Network traffic can be encrypted to prevent passwords being sent in plain text But if network is compromised all non-secure traffic is compromised (ftp/telnet/etc) My solution (1) No remote OS Auth (2) Trust network (3) I am only person that has access to web server (Web/DB/OS admin) (4) Use a 'generic' account for general web access that only has the following privs - CREATE SESSION - SELECT on tables needed (via ROLE or direct as required) (5) If a user needs to modify data allow a method for them to be prompted for username/password for database connection ================================================== If the web server & db server are the same box then local OS auth would be fine. I have not done this before since I like to separate my resources for High Avail reasons. I am now intrigued and will research it. Roy A. Jones _____ US Pharma Database Administration GlaxoSmithKline Inc. US Pharma IT, Shared Services _____ Email: roy.a.jones@xxxxxxx <mailto:roy.a.jones@xxxxxxx> _____ "Ben Gill" <Ben.Gill@xxxxxxxxxxxxxx> 04-Oct-2004 10:30 To php-db@xxxxxxxxxxxxx cc Subject PHP Oracle Authentication using UNIX user account Hi, My DBA's preferred authentication method is to set up a UNIX user account (i.e. userA) and let them login without using plaintext password authentication, ie. The user has to be logged in, they can then run (for example) sqlplus / and that will log them into the correct database. This is to prevent having to specify a username / password in a PHP script (or a config file that gets loaded). If the username / password is visible in the script, then someone can login and start making manual edits to the data using sql commands. To implement this, I have ensured my apache instance is running as 'userA' and I have tried all sorts of combinations of things username = "" password = "", username = "/" password = "", username="/" password ="/" etc.. to get this working (It works fine from the command line) but the OCILogon function requires a username and a password, so is not happy. One solution to this is that the DBA opens up the DB to plaintext authentication, I store the username / password in a config file with read only permissions (only for the owner, userA), and then only someone who knows userA's password can login and view this config file. But that does not fit in with the way my DBA wants me to authenticate. Has anyone got a solution for this? Regards
