| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: Listener password encryption
Ah yes the wonderful encrypted password. The hashed string is stored in the listener.ora file, so if you forget the listener password you can simply copy and paste the hashed string that was generated, back into the set password prompt to get in. So now you must not only protect the password but also the listner.ora files must now not fall in the evil ones hands! Why couldn't it be written to a binary password file like the DB has? We had to implement it, as the previous poster said, to satisfy the auditors. I won't start a rant on the subject, suffice to say they usually simply glance over the software security guides without understanding the underlying concepts and pitfalls!
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Greg Norris
Sent: 16 Feb 2006 19:03
To: oracle-l_at_freelists.org
Subject: Re: Listener password encryption
I wouldn't even bother using an encrypted password, unless of course this is being done to satisfy some (clueless) auditor's checklist. The way Oracle handles encrypted listener passwords, they're absolutely no more secure than the cleartext counterpart... in fact, one could easily argue that they're slightly *less* secure.
On 2/16/06, J. Dex <cemail_219_at_hotmail.com> wrote:
> I am trying to save an encrypted password for the listener and
> although it responds that the command was completed successsfully, it
> isn't turning on security and doesn't seem to be working. Any ideas?
> This is Oracle 9207 on a Windows 2003 server. This is what I am
> doing:
>
> LSNRCTL>set save_config_on_stop on
> LSNRCTL>set password password_name
>
> My understanding is that security in "status" should be set to on and
> I should see some comments at the bottom of the listener file, but I
> am not seeing those.
-- "I'm too sexy for my code." - Awk Sed Fred. -- http://www.freelists.org/webpage/oracle-l **************************************************************************** This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required. **************************************************************************** -- http://www.freelists.org/webpage/oracle-lReceived on Fri Feb 17 2006 - 03:34:02 CST
 |
 |