Oracle FAQ Your Portal to the Oracle Knowledge Grid

cleartext password transmission

From: Matthew Derer <matthew_at_alumnae.caltech.edu>
Date: Sat, 22 Feb 2003 22:58:48 +0000 (UTC)
Message-ID: <b38vb8$3hj$1@naig.caltech.edu>


Anybody know under what circumstances a client will send a password in cleartext when connecting? According to the Admin Guide, it'll happen "if the connection fails" and if ORA_ENCRYPT_LOGIN is set to FALSE.

I've been playing with a 9.2 client and server, also an 8.1 client and server, and I always see the same behavior under SQL*Net trace level 16 regardless of the ORA_ENCRYPT_LOGIN setting (TRUE, unset, FALSE). The password always appears to be encrypted. I'm not sure what kind of "connection failure" would trigger the cleartext transmission. At first I thought a wrong password would do it, but it doesn't seem to.

Perhaps it only happens when connecting to an older version of Oracle, one from before password encryption was implemented? Can anybody get an Oracle client to send the password in the clear? I only have version 8 and 9 software at hand and I can't do it. I think I saw a previous article state that password encryption was first implemented in 7.1.6.

I still see ORA_ENCRYPT_LOGIN in the 9.2 libclntsh.so, so I think there still must be a need to set it. I'd like to be able to test the effect of the parameter, to make sure that Oracle is picking it up, and I'm a little bit wary because it doesn't seem to have any effect. The variable's definitely set; I checked the sqlplus process environment via /proc.

I'm also wondering about the Thin JDBC client, which seems to eschew the use of the usual environment variables. Does it also have the potential for cleartext password transmission and are there Java properties or the like that must be set to prevent that?

Thanks,
Matthew

Received on Sat Feb 22 2003 - 16:58:48 CST
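
The /proc check mentioned in the post can be scripted. The following is an added example, not part of the original message: it reads `/proc/<pid>/environ` for every process named `sqlplus` and reports how ORA_ENCRYPT_LOGIN is set. The function names are hypothetical, a Linux /proc layout is assumed, and only the exact spellings TRUE and FALSE used in the post are treated as recognised values.

```python
import os

def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")  # the value may itself contain '='
        if sep:  # skip malformed entries that have no '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def setting_state(env: dict, name: str = "ORA_ENCRYPT_LOGIN") -> str:
    """Classify the variable as 'unset', 'TRUE', 'FALSE', 'other:<v>' or 'miscased:<k>'."""
    if name not in env:
        # Environment names are case-sensitive: flag a differently-cased name.
        for key in env:
            if key.upper() == name.upper():
                return "miscased:" + key
        return "unset"
    value = env[name]
    # Assumption: anything other than the exact TRUE/FALSE is left for a human to judge.
    return value if value in ("TRUE", "FALSE") else "other:" + value

def check_processes(comm: str = "sqlplus", proc_root: str = "/proc") -> dict:
    """Map pid -> state for every readable process whose comm matches."""
    results = {}
    if not os.path.isdir(proc_root):
        return results
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm"), "rb") as fh:
                if fh.read().strip().decode(errors="replace") != comm:
                    continue
            with open(os.path.join(base, "environ"), "rb") as fh:
                results[int(pid)] = setting_state(parse_environ(fh.read()))
        except OSError:
            continue  # process exited, or its environ is not readable by this user
    return results

# Constructed sample environ block, not captured from a real process.
SAMPLE = b"PATH=/usr/bin\0ORACLE_HOME=/opt/oracle\0ORA_ENCRYPT_LOGIN=true\0OPTS=a=b\0"

if __name__ == "__main__":
    print(setting_state(parse_environ(SAMPLE)))  # state for the constructed sample
    print(check_processes())                     # live sqlplus processes, if any
```

`/proc/<pid>/environ` shows the environment the process was started with, so a variable changed by the process after start-up would not appear there.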
