Re: safe way to store passwords in unix OS

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 15 Dec 2011 18:31:59 +0000
Message-ID: <4EEA3D1F.6000300_at_petefinnigan.com>



The OPR is also an option by the Spit brothers; opr.sourceforge.net. The issue with both of these approaches is that if you use an autoopen wallet then anyone who has access to the OS account can connect to the database using Oracle's solution or the OPR one.

A good approach is to use a logon trigger to check where/when/what the connection is; also use a secure application role and only enable the role if the connection is the job that should run. Also look at disabling the shell for the OS account if you can.

cheers

Pete

Tim Hall wrote:

> Hi.
> 
> Secure External Password Store sounds like the safest bet.
> 
> http://www.oracle-base.com/articles/10g/SecureExternalPasswordStore_10gR2.php
> 
> Cheers
> 
> Tim...
> 
> On Thu, Dec 15, 2011 at 5:30 PM, Dba DBA <oracledbaquestions_at_gmail.com> wrote:

>> This is not exactly an Oracle question, but I am asking it here in case
>> someone has solved this. We have a lot of jobs that log into our Oracle
>> databases. Some of them use ops$oracle accounts. In the future we are not
>> allowed to use ops$oracle and need to provide passwords. I am trying to
>> find a method, or program/script that allows us to do the following.
>> 1. store oracle passwords in unix in a lock box
>> 2. only given processes and users can access specific passwords
>> 3. program/process/script has customizable logic that only lets specific
>> jobs access the password.
>> 4. We are mainly using Cron for our jobs, but may be using some other job
>> schedulers in the future that have more features.
>> 5. you cannot access the passwords from a user account
>>
>>
>> basically you give the password to the script/program, etc and tell it
>> which jobs/users can retrieve it. Those jobs call the script/program and
>> the program can accurately decide which job gets which password.
>>
>> This is about all the requirements I have on this. Sorry if this is kind of
>> vague.
>>
>>
>> --
>> http://www.freelists.org/webpage/oracle-l
>>
>>

-- 

Pete Finnigan
CEO and Founder
PeteFinnigan.com Limited

Specialists in database security.

Makers of PFCLScan the database security auditing tool.
Makers of PFCLObfuscate the tool to protect IPR in your PL/SQL

If you need help to audit or secure an Oracle database, please ask for
details of our training courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7759 277220
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940668114

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

Received on Thu Dec 15 2011 - 12:31:59 CST
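
The logon trigger and secure application role approach suggested in the reply above, sketched in Oracle SQL and PL/SQL as an added example that is not code from the thread or from any poster. Every schema, role, table, OS user, address and time window in it is a hypothetical value chosen for illustration.

```sql
-- Added example. All names and values are hypothetical: SEC_ADMIN, BATCH_OWNER,
-- NIGHTLY_LOAD_ROLE, APP.SALES_STAGE, OS user 'batchjob', 192.0.2.10, 01:00-04:59.

-- 1. Secure application role: it can only be enabled by the named procedure,
--    so knowing the account password alone does not give the job's privileges.
CREATE ROLE nightly_load_role IDENTIFIED USING sec_admin.enable_nightly_load;
GRANT INSERT, UPDATE ON app.sales_stage TO nightly_load_role;

-- 2. Invoker's-rights procedure that inspects the session before enabling the role.
--    OS_USER is reported by the client, so it is one check among several,
--    not proof of origin on its own.
CREATE OR REPLACE PROCEDURE sec_admin.enable_nightly_load
  AUTHID CURRENT_USER
AS
BEGIN
  IF  SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BATCH_OWNER'
  AND SYS_CONTEXT('USERENV', 'OS_USER')      = 'batchjob'
  AND SYS_CONTEXT('USERENV', 'IP_ADDRESS')   = '192.0.2.10'
  AND TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 1 AND 4
  THEN
    DBMS_SESSION.SET_ROLE('nightly_load_role');
  ELSE
    RAISE_APPLICATION_ERROR(-20001, 'nightly_load_role is not available to this session');
  END IF;
END;
/
GRANT EXECUTE ON sec_admin.enable_nightly_load TO batch_owner;

-- 3. Logon trigger: refuse the batch account from any origin other than the job host.
--    IP_ADDRESS is NULL for local (non-network) connections, hence the NVL.
--    Accounts holding ADMINISTER DATABASE TRIGGER are not blocked by this error.
CREATE OR REPLACE TRIGGER sec_admin.batch_owner_logon
  AFTER LOGON ON DATABASE
BEGIN
  IF  SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BATCH_OWNER'
  AND NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local') <> '192.0.2.10'
  THEN
    RAISE_APPLICATION_ERROR(-20002, 'BATCH_OWNER logon refused from this origin');
  END IF;
END;
/

-- 4. First statement of the job's SQL script, after it connects:
--    EXEC sec_admin.enable_nightly_load
```

With this layout, a person who opens the wallet from the OS account outside the job's window or from another host gets either a refused logon or a session without the role's privileges.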
