Re: Client's access to Oracle's passwords

From: Roger Crowley <villagefox_at_my-deja.com>
Date: Wed, 01 Nov 2000 00:47:56 GMT
Message-ID: <8tnp7r$ota$1_at_nnrp1.deja.com>


Frank is correct. If I type my Oracle password on the O/S command line, it's still cleartext and can be seen by any O/S utility that displays commands (like "ps" on Unix). Even if I embed it in an executable C program on Unix, I can see it with the "strings" command. Once the client (assuming an Oracle client, like sqlplus or forms) packetizes it to be sent over sqlnet, it is encrypted (though weakly by encryption standards). Thus, you cannot use something like a network sniffer to catch it in cleartext on the server side. Of course, there are often lots of passwords in cleartext in the view, all_db_links (if you have encoded a login userid/password in the link). I don't know about sqltrace seeing it. There are books about Oracle security that discuss it in much more detail.

In article <39FDD0C4.F84B3475_at_home.nl>,   frank <fbortel_at_home.nl> wrote:
> Ever did plus33 scott/tiger_at_demo?
> The passwd is clear text! Any job listing (ps, mon, etc)
> would be able to grasp it.
>
> Waiting for the logon (plus33), or password prompt
> (plus33 scott) would not send it cleartext AFAIK, possibly
> encrypted (Kerberos or 2 others - see SQL*Net mnl).
>
> Frank
> BTW Never use Oracle for military, nuclear, medical
> or other mission critical system
> - standard Oracle disclaimer (!)
>
> gd_souza_at_hotmail.com wrote:
>
> > ---------------------------------------
> > Here is a question -
> >
> > 1. Client application connects to Oracle database via a SQL*Net call.
> >
> > 2. Can the user-ID and password passed on to the database by the client
> > be captured by any of utilities?
> >
> > I have heard that turning SQL tracing on would capture the password?
> > Is that true - if so, what parameter in which needs to be modified to
> > prevent the capture?
> >
> > All help will be most appreciated.
> >
> > - Grank
> > --------------------------------------
> >
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
>
>

--
Have a good day!
Roger Crowley DBA
MedImpact Healthcare Systems, Inc.
San Diego CA


Received on Wed Nov 01 2000 - 01:47:56 CET
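
An audit check for the exposure described in this thread (a password typed as part of the client command line shows up in any process listing), given as an added example that is not part of the original messages. It assumes `ps -eo pid,args` style input; the sample lines are constructed, the helper names are hypothetical, and `@` is written where the archive shows `_at_`.

```python
import os
import re

# Client names taken from the thread (sqlplus, plus33); extend for your site.
ORACLE_CLIENTS = {"sqlplus", "plus33"}
# user/password with optional @connect_identifier, e.g. scott/tiger@demo
CRED = re.compile(r"^(?P<user>[A-Za-z][\w$#]*)/(?P<pw>[^@\s/]+)(?P<db>@\S+)?$")

# Constructed sample in "ps -eo pid,args" layout (not real output).
SAMPLE_PS = """\
  PID COMMAND
 1201 plus33 scott/tiger@demo
 1202 sqlplus -s scott/tiger @report.sql
 1203 sqlplus scott@demo
 1204 sqlplus /nolog
 1205 /u01/app/oracle/bin/sqlplus -L hr/secret@prod
 1206 vi notes/todo
""".splitlines()

def proc_lines():
    """Build the same 'pid args' lines from /proc on Linux."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                args = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or is not readable
        if args:
            yield f"{pid} {args}"

def find_exposed_logins(lines):
    """Return (pid, program, redacted_login) for passwords visible in argv."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        prog = os.path.basename(parts[1]).lower()
        if prog not in ORACLE_CLIENTS:
            continue
        for arg in parts[2:]:
            m = CRED.match(arg)
            if m:  # never echo the password itself into a report
                findings.append((int(parts[0]), prog, f"{m['user']}/****{m['db'] or ''}"))
    return findings

if __name__ == "__main__":
    for pid, prog, login in find_exposed_logins(SAMPLE_PS):
        print(f"pid {pid}: {prog} started with password in argv ({login})")
```

Pass `proc_lines()` instead of `SAMPLE_PS` to check a live Linux host. Invocations that wait for the password prompt (`sqlplus scott@demo`, `sqlplus /nolog`) are not flagged.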
