I know how to use database links in various forms, but I've been trying to think through how the authentication works for a connected user link in 11g. If I create the link like this,
create public database link using 'orcl';
then any user can use the link, provided they have an identical username/password in the two databases. With pre-11g passwords, it was understandable: the password was salted with the username, so the hash of the password would be the same in both databases, and I assumed that the logon through the link used some sort of IDENTIFIED BY VALUES mechanism. But in 11g, the salt will different in the two databases. So the hash will be different. And of course Oracle never stores the actual password. So I don't see how the authentication works. Can anyone explain?
This doesn't have any practical value at the moment, but I would be grateful for any insight.
I believe the password is retained for the session, and that is the password that is used to make the connection. It is not dependent on retrieving the password or its hash from the dictionary. In fact, with situations like globally-identified users it would not be there anyway.
You could try a test like this:
ORA-01017: invalid username/password; logon denied
ORA-02063: preceding line from [remote database]