If you use a unix account for verification, you need to have the password working (and you need to pass the user and password from the perl script).
Not so... in fact, that's the point of "identified externally". "
With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login."
reference
The system service accounts such as nobody don't have a working password and therefor are unusable, the normal user accounts have working passwords, but have access to loginto the system (as implied from the OP) and therefor would have access to both their user:pass and the systems user:pass database (indirectly).
That I'm not sure of - whether or not it would validate that 'nobody' was logged in and pass that through or not... worth a try though. But again, you are not passing the UNIX password - since the user is already logged in, it's using UNIX's authentication of the user itself.
Going back to the ssh example (and this ties into your second point) - the use of public/private challenge and response keys exhibit a way to verify login over a network without passing unencrypted sensitive data. But all of this needs to be tested and it depends on what type of UNIX the OP is using, as well as the type of Oracle.