
RE: Oracle client security

From: Jesse, Rich <Rich.Jesse_at_quadtechworld.com>
Date: Fri, 6 Aug 2004 16:05:15 -0500
Message-ID: <FBE1FCA40ECAD41180400050DA2BC54004E93C27@qtiexch2.qgraph.com>


How in the world did you find this? Even after I see the answer, what did you search on to find it?

I'm also wondering exactly how this is pulled off. I know a user can be locked out of the registry. But if the user fires up a DOS window, sets the ORA_ENCRYPT_LOGIN environment variable to FALSE, and fires up some client program from that DOS window, does that client program's Oracle connection (assuming it's a self-standing 32-bit) revert to the ORA_ENCRYPT_LOGIN env var as it sits in the registry or as it was redefined in the DOS window? For that matter, can a user even set an env var if they are locked out of the registry? I'm not sure how this mechanism works (or was designed to work) in Winders.

Not that it particularly matters for us, as this particular client was Unix and users are locked out from shell access (and ftp, ssh, etc. to be able to override their own .profile/.login/.bash_profile/etc), but I'm curious.

Thx, Jared!
Rich

-----Original Message-----
Sent: Friday, August 06, 2004 3:40 PM
Subject: Re: Oracle client security

> More than a year ago, we had problems with a Perl::DBI program
> connecting to the Oracle DB using the WE8ISO8859P1 charset. It
> always failed the first time and secretly and automagically
> attempted and succeeded the connection a second time. I was able to
> verify this by using AUDIT in the DB, while running the program.
>

From the fine manual:

By setting the following values, you can require that the password used to verify a connection always be encrypted:

Set the ORA_ENCRYPT_LOGIN environment variable to TRUE on the client machine.
Set the DBLINK_ENCRYPT_LOGIN server initialization parameter to TRUE.

If enabled at both the client and server, passwords will not be sent across the network "in the clear", but will be encrypted using a modified DES (Data Encryption Standard) algorithm. The DBLINK_ENCRYPT_LOGIN initialization parameter is used for connections between two Oracle servers (for example, when performing distributed queries). If you are connecting from a client, Oracle checks the ORA_ENCRYPT_LOGIN environment variable.

Whenever you attempt to connect to a server using a password, Oracle encrypts the password before sending it to the server. If the connection fails and auditing is enabled, the failure is noted in the audit log. Oracle then checks the appropriate DBLINK_ENCRYPT_LOGIN or ORA_ENCRYPT_LOGIN value. If it is set to FALSE, Oracle attempts the connection again using an unencrypted version of the password. If the connection is successful, the connection replaces the previous failure in the audit log, and the connection proceeds. To prevent malicious users from forcing Oracle to re-attempt a connection with an unencrypted version of the password, you must set the appropriate values to TRUE.
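As an added illustration (not Oracle's code and not from anyone in this thread), the following Python models the retry behaviour the manual paragraph describes: a server that cannot validate the encrypted password form, a client run with ORA_ENCRYPT_LOGIN set to FALSE and then TRUE, and the audit log the server keeps. The `Server` class, the `obfuscate` stand-in for the modified-DES transform, and the scott/tiger values are constructed for the model.

```python
import hashlib
from dataclasses import dataclass, field


def obfuscate(password: str) -> str:
    # Stand-in for the modified-DES transform; for this model all that
    # matters is that the wire payload is not the plain password.
    return hashlib.sha256(password.encode()).hexdigest()[:16]


@dataclass
class Server:
    """Minimal server side: validates a logon attempt and keeps an audit log."""
    accepts_encrypted: bool          # can this server validate the encrypted form?
    audit_log: list = field(default_factory=list)

    def logon(self, user: str, form: str) -> bool:
        ok = form == "clear" or self.accepts_encrypted
        if ok and self.audit_log and self.audit_log[-1] == (user, "failure"):
            # Per the manual: a successful retry replaces the earlier failure,
            # so the audit trail no longer shows that a fallback happened.
            self.audit_log[-1] = (user, "success")
        else:
            self.audit_log.append((user, "success" if ok else "failure"))
        return ok


def connect(server: Server, user: str, password: str, ora_encrypt_login: bool):
    """Client side. Returns (connected, wire), where wire lists every
    (form, payload) pair that left the client, in order."""
    wire = [("encrypted", obfuscate(password))]   # first attempt is always encrypted
    if server.logon(user, "encrypted"):
        return True, wire
    if ora_encrypt_login:
        return False, wire                        # TRUE: refuse to fall back
    wire.append(("clear", password))              # FALSE: retry with the plain password
    return server.logon(user, "clear"), wire


def cleartext_on_wire(wire) -> bool:
    """True if any attempt carried the plain password across the network."""
    return any(form == "clear" for form, _ in wire)


if __name__ == "__main__":
    for flag in (False, True):
        srv = Server(accepts_encrypted=False)
        ok, wire = connect(srv, "scott", "tiger", ora_encrypt_login=flag)
        print(f"ORA_ENCRYPT_LOGIN={flag}: connected={ok}, "
              f"cleartext={cleartext_on_wire(wire)}, audit={srv.audit_log}")
```

With the flag FALSE the connection succeeds, the plain password crosses the wire, and the audit log ends up showing only a success; with the flag TRUE the connection fails and the failure stays visible.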

Received on Fri Aug 06 2004 - 16:01:02 CDT