Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: How Oracle stores password
If You select from SYS.LINK$ You will see the original users's password.
Only
SYS has the right to select this information. DBA_DB_LINKS, ALL_DB_LINKS
and USER_DB_LINKS do not display any password information. You should ensure
the access restrictions to this table or You should use the following
Statement:
.. from 8.0.5 Documentation SQL Reference
CREATE DATABASE LINK sales.hq.acme.com
CONNECT TO CURRENT_USER
USING 'sales';
IMP/EXP are able to save/restore the crypted password directly.
Kind Regards
Raimund
suvamoysen_at_my-dejanews.com schrieb in Nachricht
<7f085g$j8p$1_at_nnrp1.dejanews.com>...
>I was hoping if any of you Oracle Gurus could help me out on this:
>
>As far as I know Oracle stores passwords of users in digest form. As this
is
>a one way irreversible process, there is no way to extract the original
>password back from this digest. Oracle just computes this digest whenever
a
>user tries to logon to the database, and compares this with the stored
digest
>and allows logons only if the computed and stored digest match. This is
what
>I know (I may be wrong). My question is this : When a remote database is
>accessed via a database link, the local database creates a session on the
>remote database using the userid/password stored in the database link. This
>is fine when the database link connects as a fixed user, i.e the password
is
>also stored in the database link. However if the database link is of type
>connected user, then Oracle opens a session on the remote database with the
>same userid/password as that of the local user. This means Oracle is able
to
>compute the original password of the connected user from the digest stored
in
>its data dictionary, and if Oracle can do it, obviously others can do it
too.
> This seems to be some kind of a security hole in the database. Can any of
>you folks explain what is going on? Thanks in advance.
>
>Suvamoy Sen - Oracle DBA
>
>-----------== Posted via Deja News, The Discussion Network ==----------
>http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Received on Thu Apr 15 1999 - 02:03:16 CDT