Re: SQL*net and secuity

From the Oracle7 Server Administrator's Guide under the section Establishing Security Policies:

   Whenever you attempt to connect to a server using a password, Oracle encrypts the password before sending it to the server. If the connection fails and auditing is enabled, the failure is noted in the audit log. Oracle then checks the appropriate DBLINK_ENCRYPT_LOGIN or ORA_ENCRYPT_LOGIN value. If it set to FALSE, Oracle attempts the conection again using an unencrypted version of the password. If the connection is successful, the connection replaces the previous

   failure in the audit log, and the connection proceeds. To prevent malicious users from forcing Oracle to re-attempt a connection with an unencrypted version of the password, you must set the appropriate values to TRUE.

So you should set the ORA_ENCRYPT_LOGIN to true in the registry or the oracle.ini file depending on 16- or 32-bit SQL*Net.

Also, in the past, when using SecurID, we were unable to set ORA_ENCRYPT_LOGIN to true and have authentication succeed. Encrypting the username and passcode seemed to conflict with SecurID and so the database would only accept logins when the username and passcode were sent in cleartext.

I have since received a newer version of the Advanced Networking Option but have not tried it recently.

Dean

Brian Cameron wrote:
>
> Hi,
>
> We are looking at implementing sql*net access to some of our
> administrative systems and I have heard varying comments about
> SQL*Net and secuirty issues. eg
>
> "user names and password are passed over a network as clear text and is
> able to be accessed by a network sniffer"
>
> I would like to throw open discussion on SQL*Net and secuity to gater
> information.
>
> Any feedback or pointers to related information would be appreciated.
>
> TIA
>
> Brian
>
> bcamero5_at_metz.une.edu.au
Received on Tue Nov 03 1998 - 14:18:17 CST