Oracle-L mailing list: Re: Restricting access via sqlplus
Hi Jacques,
It sounds like the encrypted password is read by the client and decrypted on the client? Or in the database as a package procedure? If it was decrypted in the client and then the set role command was sent to the database, the password could be read from the network with a tool such as snoop on Unix, or by using a SQL*Net support-level trace, as that shows packet contents in the SQL trace. The latter could be set up by a user on his PC, who could then attempt a logon to the database and read the password from the trace file.
If the decryption and set role were to be done in a package and the password is not passed over the network then it's better. You could also encrypt the network traffic of course. But as you say there is still a risk from someone discovering the encryption scheme.
thanks for sharing your solution
kind regards
Pete
--
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Author: Pete Finnigan
INET: [EMAIL PROTECTED]
Received on Thu Jul 10 2003 - 06:46:11 CDT
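The server-side approach discussed in the message above, as an added example that is not part of the original post: it uses Oracle's secure application role syntax (`IDENTIFIED USING`), which goes a step beyond the password-protected role in the thread by removing the role password altogether, so nothing secret is sent by the client or stored on it. The schema `sec_admin`, role `app_role`, table `app_owner.orders`, account `app_user` and the 10.1.2.x subnet check are hypothetical.

```sql
-- Added example; every object name and the subnet below are hypothetical.
-- Run as a suitably privileged administrator.

-- The role can only be enabled from inside the named procedure, so there is
-- no role password for a client to decrypt, sniff or read from a trace file.
CREATE ROLE app_role IDENTIFIED USING sec_admin.enable_app_role;

GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_role;

-- Invoker's rights are required: a role cannot be enabled from inside a
-- definer's-rights procedure.
CREATE OR REPLACE PROCEDURE sec_admin.enable_app_role
  AUTHID CURRENT_USER
AS
  v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
BEGIN
  -- The decision is made in the database, not in the client.
  -- Assumption: the application servers connect from 10.1.2.x.
  -- IP_ADDRESS is NULL for local (bequeath) sessions; those are refused too.
  IF v_ip IS NULL OR v_ip NOT LIKE '10.1.2.%' THEN
    RAISE_APPLICATION_ERROR(-20001, 'app_role is not available from this connection');
  END IF;

  DBMS_SESSION.SET_ROLE('app_role');
END enable_app_role;
/

-- The account only needs EXECUTE on the procedure; it never learns a password.
-- Depending on the Oracle release, the role may also have to be granted to the
-- account as a non-default role; check the documentation for your version.
GRANT EXECUTE ON sec_admin.enable_app_role TO app_user;

-- For the network-encryption option mentioned in the message, the server-side
-- sqlnet.ora setting is:
--   SQLNET.ENCRYPTION_SERVER = REQUIRED
```

The application calls `sec_admin.enable_app_role` right after connecting; a session opened from an ad hoc client outside the allowed subnet gets ORA-20001 and keeps only the account's base privileges.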