Re: hide sqlplus pwd

From: Andre van Winssen <dreveewee_at_gmail.com>
Date: Sat, 31 Oct 2009 18:25:35 +0100
Message-ID: <9b46ac490910311025q5e97edc0oed6b8767c836947e_at_mail.gmail.com>



Eugene,
exposing your password on the commandline or in a readable password storage file is always a security risk and might lead to security compliancy issues. Have you considered following two options:

use NTS authentication for logging in as SYSDBA (e.g. by adding the os user used by the scheduler to run your scripts in the ORA_DBA group) and then run the sql scripts . You might wanna start with alter session set current_schema=<your db appl. login user> to change the namespace. remember that sysdba user has all privileges to change every database object

use an oracle wallet (Secure External Password Store) to store the credentials. Then <quote from oracle doc> when you configure a client to use the external password store, applications can use the following syntax to connect to databases that use password authentication:

CONNECT /_at_database_alias
Note that you need not specify database login credentials in this CONNECT statement. Instead your system looks for database login credentials in the client wallet. </quote from the oracle doc> I never tested this option with oracle8 clients though so can't promise it will work.

Andre

2009/10/31 Robert Freeman <robertgfreeman_at_yahoo.com>

> Actually, if you are running on WIN XP there is a command called
> tasklist.exe. This command, if run using the /v switch would show
> sqlplus.exe AND any username/password entered at the command line. Here is
> an example:
>
> C:\Documents and Settings\Robert>tasklist /v |find "Command Prompt"
> cmd.exe 10128 Console 0 2,672 K
> Running ROBERTSDELLXPS\Robert
> 0:00:00 Command Prompt - sqlplus sys/robert as sysdba
>
> Robert G. Freeman
> Oracle ACE
> Ask me about on-site Oracle Training! RMAN, DBA, Tuning, you name it!
> Author:
> Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON IT'S WAY
> SOON!
> OCP: Oracle Database 11g Administrator Certified Professional Study Guide
> (Sybex)
> Oracle Database 11g New Features (Oracle Press)
> Oracle Database 10g New Features (Oracle Press)
> Other various titles
> Blog: http://robertgfreeman.blogspot.com
>
>
> ------------------------------
> *From:* Jared Still <jkstill_at_gmail.com>
> *To:* eugene.pipko_at_unionbay.com
> *Cc:* oracle-l List <oracle-l_at_freelists.org>
> *Sent:* Fri, October 30, 2009 6:49:41 PM
> *Subject:* Re: hide sqlplus pwd
>
>
> On Fri, Oct 30, 2009 at 3:22 PM, Eugene Pipko <eugene.pipko_at_unionbay.com>wrote:
>
>> We’re running Oracle 8,9,10 on Windows. Third party scheduler program
>> executes scripts against Oracle as:
>>
>> sqlplusw.exe user/pwd_at_db _at_c:\jobs\task1.sql
>>
>> What are the ways of hiding user/pwd from curious eyes?
>>
>>
>>
> Some clarification on what you are trying to hide might be useful.
>
> Are you trying to prevent the passwords from appearing in the scheduled
> scripts?
>
> Or the log files?
>
> Or something else?
>
> As this is windows, it doesn't really have the ps command available to show
> the password. Even if ps is available, I don't think it shows the
> password.
>
> IAC, more info is needed.
>
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Sat Oct 31 2009 - 12:25:35 CDT

Original text of this message