Return-Path: Received: from newsfeed.cts.com (newsfeed.cts.com [209.68.248.164]) by naude.co.za (8.11.2/8.11.2) with SMTP id g4NMUcl12134 for ; Thu, 23 May 2002 18:30:39 -0400 Received: from fatcity.UUCP (uucp@localhost) by newsfeed.cts.com (8.9.3/8.9.3) with UUCP id HAA91810; Thu, 23 May 2002 07:26:22 -0700 (PDT) Received: by fatcity.com (26-Feb-2001/v1.0g-b71/bab) via UUCP id 004691AD; Thu, 23 May 2002 06:23:27 -0800 Message-ID: Date: Thu, 23 May 2002 06:23:27 -0800 To: Multiple recipients of list ORACLE-L X-Comment: Oracle RDBMS Community Forum X-Sender: Richard Huntley Sender: root@fatcity.com Reply-To: ORACLE-L@fatcity.com Errors-To: ML-ERRORS@fatcity.com From: Richard Huntley Subject: RE: ORA_ENCRYPT_LOGIN Organization: Fat City Network Services, San Diego, California X-ListServer: v1.0g, build 71; ListGuru (c) 1996-2001 Bruce A. Bergman Precedence: bulk Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPartTM-000-a61ff025-6e4d-11d6-8b0a-00b0d04949c1" ------=_NextPartTM-000-a61ff025-6e4d-11d6-8b0a-00b0d04949c1 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C2025B.BA9D0F90" ------_=_NextPart_001_01C2025B.BA9D0F90 Content-Type: text/plain; charset="iso-8859-1" Hmm...after trying to verify password being passed as plain text, I went back to do some research on metalink, and it looks like encryption of passwords is done by default in 8.1.5 (Net8) and higher. Only confusion now is whether I need to set ORA_ENCRYPT_LOGIN = TRUE only in sqlnet.ora on the client or also in the NT registry. Guess I'll go look through the docs on this and I'll send an update if I find a definitive answer. Thanks for the replies. -----Original Message----- Sent: Thursday, May 23, 2002 12:33 AM To: Multiple recipients of list ORACLE-L could not say about the net8, but in oracle 7 clients, if the initial login fails, the client will do the *next* login attempt using *plain text* as password !!! but if this param is set to TRUE, all the attempts are done using an encrypted password. set ORA_ENCRYPT_LOGIN = TRUE , in the correct ORACLE_HOME using regedit (if on windows) turn the tracing level to 16, try to connect and see the trace file, u wud see the userid in plain text but thepassword will be encrypted... > ---------- > From: MacGregor, Ian A.[SMTP:ian@SLAC.Stanford.EDU] > Reply To: ORACLE-L@fatcity.com > Sent: Thursday, May 23, 2002 2:52 AM > To: Multiple recipients of list ORACLE-L > Subject: RE: ORA_ENCRYPT_LOGIN > > If you want to be absolutely sure the password is being encrypted, you'll > need to place a sniffer on the network. Work with your network guys and > whoever else needs to be involved. In most company's using an > unauthorized sniffer will result in dismissal. > > Let me reinterate what I stated. SQL*NET encrypts passwords even if the > ORA_ENCRYPT_LOGIN parameter is not set to TRUE I wouldn't label it strong > encryption. If you really need that there is the Advanced Security > Option. > > I'm not 100% sure when the passwrod is sent in the clear. It is never > sent plain text when the ORA_ENCRYPT_L0gin parameter is set to TRUE. I > believe it will be sent in the clear if the Oracle server side of SQL*NET > is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is > set to false. ( I cannot , off the top of my head, remember if the > parameter takes YES/NO or TRUE/FALSE). > > The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all > clients. > > Ian MacGregor > Stanford Linear Accelerator Center > ian@SLAC.Stanford.edu > > > > -----Original Message----- > From: Richard Huntley [mailto:rhuntley@mindleaders.com] > Sent: Wednesday, May 22, 2002 9:59 AM > To: Multiple recipients of list ORACLE-L > Subject: RE: ORA_ENCRYPT_LOGIN > > > That's exactly what I want to stop, passwords being sent in the > clear. However, I'm not able to verify it's working so far. I've turned > on tracing, as recommended in another reply on this topic, did a login > before enabling then after enabling this parameter and the differences are > very minor and I'm seeing nothing that specifically points > to this parameter being used other than output saying the parameter > is detected. How are you all having developers connect to the production > box via SQL*Plus client on developer workstations, so that the password is > not sent in the clear? > > -----Original Message----- > From: MacGregor, Ian A. [mailto:ian@SLAC.Stanford.EDU] > Sent: Tuesday, May 21, 2002 8:18 PM > To: Multiple recipients of list ORACLE-L > Subject: RE: ORA_ENCRYPT_LOGIN > > > Even without this parameter being set the password is encrypted. > What the parameter does is stop the password from being sent in the clear > if logging in with the encrypted password fails. I believe the > encryption is a 54-bit variant of DES. It is very rare that someone > improves DES by fiddling with it. It also always encrypts to the same > value and provides no protection against replay attacks. > > Ian MacGregor > Stanford Linear Accelerator Center > ian@SLAC.Stanford.edu > > -----Original Message----- > From: Richard Huntley [mailto:rhuntley@mindleaders.com] > Sent: Tuesday, May 21, 2002 9:34 AM > To: Multiple recipients of list ORACLE-L > Subject: ORA_ENCRYPT_LOGIN > > > Anyone using this and if so, do you know of a way to verify > that the password is actually being encrypted? > > Thanks. > > -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rahul INET: rahul@ratelindo.co.id Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). ------_=_NextPart_001_01C2025B.BA9D0F90 Content-Type: text/html; charset="iso-8859-1" RE: ORA_ENCRYPT_LOGIN

Hmm...after trying to verify password being passed as plain text, I went back to
do some research on metalink, and it looks like encryption of passwords is done
by default in 8.1.5 (Net8) and higher.  Only confusion now is whether I need to
set ORA_ENCRYPT_LOGIN = TRUE only in sqlnet.ora on the client or also in the
NT registry.  Guess I'll go look through the docs on this and I'll send an update
if I find a definitive answer.  Thanks for the replies.

-----Original Message-----
From: Rahul [mailto:rahul@ratelindo.co.id]
Sent: Thursday, May 23, 2002 12:33 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: ORA_ENCRYPT_LOGIN


could not say about the net8, but in oracle 7 clients, if the initial login
fails, the client will do the *next*
login attempt  using  *plain text* as password !!! but if this param is set
to TRUE, all the attempts are
done using an encrypted password.

set ORA_ENCRYPT_LOGIN = TRUE , in the correct ORACLE_HOME using regedit (if
on windows)
turn the tracing level to 16, try to connect and see the trace file, u wud
see the userid in plain text but thepassword will be
encrypted...


> ----------
> From:         MacGregor, Ian A.[SMTP:ian@SLAC.Stanford.EDU]
> Reply To:     ORACLE-L@fatcity.com
> Sent:         Thursday, May 23, 2002 2:52 AM
> To:   Multiple recipients of list ORACLE-L
> Subject:      RE: ORA_ENCRYPT_LOGIN
>
> If you want to be absolutely sure the password is being encrypted, you'll
> need to place a sniffer on the network.  Work with your network guys and
> whoever else needs to be involved.   In most company's  using an
> unauthorized sniffer will  result in dismissal.

> Let me reinterate what I stated.  SQL*NET encrypts passwords even if the
> ORA_ENCRYPT_LOGIN parameter is not set to TRUE  I wouldn't label it strong
> encryption.  If you really need that there is the Advanced Security
> Option. 

>  I'm not 100% sure when the passwrod is sent in the clear.   It is never
> sent  plain text when the ORA_ENCRYPT_L0gin parameter is set to TRUE.  I
> believe it will be sent in the clear if the Oracle server side of SQL*NET
> is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN  is
> set to false. ( I cannot , off the top of my head, remember if the
> parameter takes YES/NO or TRUE/FALSE).

> The first thing I would do is ensure ORA_ENCRYPT_LOGIN  is true for all
> clients.

> Ian MacGregor
> Stanford Linear Accelerator Center
> ian@SLAC.Stanford.edu


>
>       -----Original Message-----
>       From: Richard Huntley [mailto:rhuntley@mindleaders.com]
>       Sent: Wednesday, May 22, 2002 9:59 AM
>       To: Multiple recipients of list ORACLE-L
>       Subject: RE: ORA_ENCRYPT_LOGIN
>
>
>       That's exactly what I want to stop, passwords being sent in the
> clear.  However, I'm not able to verify it's working so far. I've turned
> on tracing, as recommended in another reply on this topic, did a login
> before enabling then after enabling this parameter and the differences are
> very minor and I'm seeing nothing that specifically points
>       to this parameter being used other than output saying the parameter
> is detected.  How are you all having developers connect to the production
> box via SQL*Plus client on developer workstations, so that the password is
> not sent in the clear?
>       
>       -----Original Message-----
>       From: MacGregor, Ian A. [mailto:ian@SLAC.Stanford.EDU]
>       Sent: Tuesday, May 21, 2002 8:18 PM
>       To: Multiple recipients of list ORACLE-L
>       Subject: RE: ORA_ENCRYPT_LOGIN
>
>
>       Even without this parameter being set the password is encrypted.
> What the parameter does is stop the password from being sent in the clear
> if logging in with the encrypted password fails.   I believe the
> encryption is a 54-bit  variant of DES.  It is very rare that  someone
> improves DES by fiddling with it.  It also always encrypts to the same
> value and provides no protection against replay attacks.
>       
>       Ian MacGregor
>       Stanford Linear Accelerator Center
>       ian@SLAC.Stanford.edu
>
>               -----Original Message-----
>               From: Richard Huntley [mailto:rhuntley@mindleaders.com]
>               Sent: Tuesday, May 21, 2002 9:34 AM
>               To: Multiple recipients of list ORACLE-L
>               Subject: ORA_ENCRYPT_LOGIN
>
>
>               Anyone using this and if so, do you know of a way to verify
> that the password is actually being encrypted?
>               
>               Thanks.
>
>
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Rahul
  INET: rahul@ratelindo.co.id

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

------_=_NextPart_001_01C2025B.BA9D0F90-- ------=_NextPartTM-000-a61ff025-6e4d-11d6-8b0a-00b0d04949c1-- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Richard Huntley INET: rhuntley@mindleaders.com Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).