
Re: Listener password encryption

From: Greg Norris <spikey.mcmarbles_at_gmail.com>
Date: Fri, 17 Feb 2006 08:01:16 -0600
Message-ID: <d4beff360602170601m2ad1712erf42850fb0da52bb6@mail.gmail.com>


I never said that setting a listener password was a bad idea, just that there's no benefit to using an *encrypted* password. Here's a quick illustration (valid thru 9iR2... I understand that 10g finally changes this behaviour).

Say you've set your listener password to BILLBO, which produces a hash (as seen in listener.ora) of XXXXXXXX. You can now use either of the following commands at the lsnrctl prompt.

   set password<ENTER>
   BILLBO

or

   set password XXXXXXXX

Now try running some commands which require you to have the password set... you'll quickly find out that both forms are 100% equivalent. In other words, you now have two passwords which need to be protected instead of just one. Hopefully you can see why I hold Oracle's encrypted listener password implementation in such low regard.

Note: I don't have access to an Oracle machine at the moment, so the above is (obviously) from memory. Feel free to try it out... no need to take my word for it.

On 2/16/06, Reidy, Ron <Ron.Reidy_at_arraybiopharma.com> wrote:
> I disagree completely on this. Setting the password can help to prevent
> a DNS attack on the listener. Of course, to know if the listener is
> being attacked, you should have logging turned on and some kind of
> process (swatch) watching the log file for invalid passwords (maybe a
> brute force attack).
>
> But hey, don't just take my word for it, read what Pete Finnigan says
> about it:
> http://www.google.com/custom?q=listener&sa=Google+Search&cof=S%3Ahttp%3A%2F%2Fwww.petefinnigan.com%3BGL%3A0%3BAH%3Aleft%3BLH%3A70%3BL%3Ahttp%3A%2F%2Fwww.petefinnigan.com%2Fimages%2Fcompany_logo_1.gif%3BLW%3A736%3BAWFID%3A4f683a6e994ed451%3B&domains=www.petefinnigan.com&sitesearch=www.petefinnigan.com
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Greg Norris
> Sent: Thursday, February 16, 2006 12:03 PM
> To: oracle-l_at_freelists.org
> Subject: Re: Listener password encryption
>
>
> I wouldn't even bother using an encrypted password, unless of course
> this is being done to satisfy some (clueless) auditor's checklist.
> The way Oracle handles encrypted listener passwords, they're absolutely
> no more secure than the cleartext counterpart... in fact, one could
> easily argue that they're slightly *less* secure.

--
"I'm too sexy for my code." - Awk Sed Fred.
--
http://www.freelists.org/webpage/oracle-l
Received on Fri Feb 17 2006 - 08:01:16 CST
