Message-ID: <RzpYmiAnIUFBBxf+@peterfinnigan.demon.co.uk>
Date: Sat, 7 Aug 2004 21:57:11 +0100
To: oracle-l@freelists.org
From: Pete Finnigan <oracle_list@peterfinnigan.demon.co.uk>
Subject: Re: Oracle client security

>
>True, though I did pull that from the 9.2.0 docs.  It is apparently
>a documentation bug, as 9i supposedly always encrypts passwords
>and never sends them in the clear.  Haven't tested it though.
>
>Jared
Hi Jared,

The parameters are supposedly not used, or rather ignored, from 9iR2 (it
could be 9iR1, as I have heard this for both versions) as all retries are
encrypted by default. I tested this over a year ago when discussing it
with Don Granaman, who was involved in the CIS Oracle benchmark. We could
not find a way to get a second try in clear text on 9i. This
"functionality", the second try in clear text, was added to allow
connection to older databases that didn't support the encrypted password
exchange (7.1 and down, I believe).

Rich, the way to secure the client then seems to be to ensure at least
9iR1 or 9iR2 clients are used.

Kind regards

Pete
-- 
Pete Finnigan
email:pete@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.


