Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: How Oracle stores password

Re: How Oracle stores password

From: Raimund Paul Kelterer <rkelterer_at_grips.com>
Date: Thu, 15 Apr 1999 09:03:16 +0200
Message-ID: <924159632.999496@proxy.styria.com>


If you select from SYS.LINK$ you will see the original user's password. Only SYS has the right to select this information. DBA_DB_LINKS, ALL_DB_LINKS and USER_DB_LINKS do not display any password information. You should ensure the access restrictions to this table or you should use the following statement:

.. from 8.0.5 Documentation SQL Reference

CREATE DATABASE LINK sales.hq.acme.com
CONNECT TO CURRENT_USER
USING 'sales';

IMP/EXP are able to save/restore the encrypted password directly.

Kind Regards
Raimund

suvamoysen_at_my-dejanews.com wrote in message <7f085g$j8p$1_at_nnrp1.dejanews.com>...
>I was hoping if any of you Oracle Gurus could help me out on this:
>
>As far as I know Oracle stores passwords of users in digest form. As this is
>a one way irreversible process, there is no way to extract the original
>password back from this digest. Oracle just computes this digest whenever a
>user tries to logon to the database, and compares this with the stored digest
>and allows logons only if the computed and stored digest match. This is what
>I know (I may be wrong). My question is this: When a remote database is
>accessed via a database link, the local database creates a session on the
>remote database using the userid/password stored in the database link. This
>is fine when the database link connects as a fixed user, i.e. the password is
>also stored in the database link. However if the database link is of type
>connected user, then Oracle opens a session on the remote database with the
>same userid/password as that of the local user. This means Oracle is able to
>compute the original password of the connected user from the digest stored in
>its data dictionary, and if Oracle can do it, obviously others can do it too.
>This seems to be some kind of a security hole in the database. Can any of
>you folks explain what is going on? Thanks in advance.
>
>Suvamoy Sen - Oracle DBA
>
>-----------== Posted via Deja News, The Discussion Network ==----------
>http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Received on Thu Apr 15 1999 - 02:03:16 CDT
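
An added example, not part of the original posts: one way a DBA could check the access restrictions on SYS.LINK$ mentioned in the reply and list which database links are fixed-user links. It uses only the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_DB_LINKS dictionary views; the DECODE classification assumes that DBA_DB_LINKS.USERNAME is NULL for connected-user links and 'CURRENT_USER' for current-user links.

```sql
-- Run as a user who can query the DBA_ dictionary views.

-- 1. Direct object grants on SYS.LINK$. Per the reply above, only SYS
--    should be able to select from it, so any row here needs review.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'LINK$'
ORDER  BY grantee, privilege;

-- 2. Accounts that reach SYS.LINK$ indirectly, through a role that
--    holds one of the grants found in step 1 (one level of nesting).
SELECT rp.grantee      AS holder,
       rp.granted_role AS via_role,
       tp.privilege
FROM   dba_tab_privs  tp,
       dba_role_privs rp
WHERE  tp.owner       = 'SYS'
AND    tp.table_name  = 'LINK$'
AND    rp.granted_role = tp.grantee
ORDER  BY rp.grantee, rp.granted_role;

-- 3. Inventory of database links by type. Fixed-user links are the
--    ones whose password is kept in SYS.LINK$; the DBA_DB_LINKS view
--    itself shows no password information.
--    Assumption: USERNAME is NULL for connected-user links and
--    'CURRENT_USER' for links created with CONNECT TO CURRENT_USER.
SELECT owner,
       db_link,
       username,
       host,
       created,
       DECODE(username,
              NULL,           'connected user',
              'CURRENT_USER', 'current user',
                              'fixed user (password stored in SYS.LINK$)')
         AS link_type
FROM   dba_db_links
ORDER  BY owner, db_link;
```

Rows from steps 1 and 2 identify who besides SYS can read the table; fixed-user rows from step 3 are the links that could be recreated with CONNECT TO CURRENT_USER as the reply suggests.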
