Re: Keeping Passwords Secure

From: <jl34778_at_corp02.d51.lilly.com>
Date: 14 Sep 94 19:35:34 EST
Message-ID: <1994Sep14.193534.1_at_corp02.d51.lilly.com>


In article <357gla$hn1_at_dcsun4.us.oracle.com>, rkrishna_at_us.oracle.com (Ramesh (cntr - rfisher) Krishnamurthy) writes:

> In article <3572rh$6o1_at_lorne.stir.ac.uk> sam_at_cs.stir.ac.uk writes:

>>I realise from the outset that my field of application is atypical, however:
>>
>>As of next week, I'll have 60-odd students using Oracle in my Department for
>>learning about databases. They'll all have assignments to do (almost all the
>>same) and it is therefore pretty vital that they can't look at each others'
>>work. However, SQL*Plus and other tools very much like to have users put
>>passwords on command lines in plain view, and if they're on command lines,
>>then, even if they haven't been seen from the screen, they can be seen from
>>a Unix `ps' display. Now I know I can exercise `persuasion' to try to prevent
>>students from entering a password in any other situation than in response to
>>a prompt from SQL*Plus, but there's sufficient temptation to do this that it
>>occurs to me to ask this group if anyone knows if there's anything concrete
>>I can do about it. The notion of having an Oracle application read a password
>>in previously-encrypted form from a file only readable by the user has occurred
>>to me, but I'm not about to rewrite SQL*Plus in a week. I know I can use
>>`identified externally' users, but that doesn't help in my multiple-HP9000/700
>>setup.
>>
>>So, any ideas... Please?
>>
>>--
>>SAm. -- (Insert bandwidth-wasting disclaimer here)
> 
>  Try setting up environment variables in each user's unix login accounts
> (I am assuming that each user has a different unix login id), i.e.
> .profile or .cshrc.
> Try something like this:
> setenv UID user1
> setenv PWD user1
> and in the scripts use sqlplus $UID/$PWD
> If all the users are using the same unix login userids, then write a small
> shell script in /etc/profile and prompt for UID and PWD and set the 
> environment variables only for that session. This way even the command 'ps'
> will return only $UID/$PWD.
> -- 
> Ramesh Krishnamurthy

I beg to differ. Under Solaris 2.3, if you issue the command sqlplus $UID/$PWD, the UID and PWD variables will be expanded, and you see the values when you do a ps -ef.

Have you thought about using OPS$ accounts? This would require that you have a separate unix ID for each user. I would assume that you have this, otherwise the students would be able to see each other's text files.

Verify that your OS_AUTHENT_PREFIX parameter is 'OPS$'. If not, use whatever it is instead of OPS$. When you create a student's ORACLE account, have it match their unix account, but prefix it with ops$. For example, to create an oracle account for the fred unix id:

	create user ops$fred identified by flintstone
		default tablespace users_t01
		temporary tablespace temp_t01
		quota unlimited on users_t01;
	grant connect to ops$fred;

Now, when a student logs into unix and wants to get into ORACLE, he only has to use a /.

        % sqlplus /

I'm not sure what you mean by your 'multiple hp/9000' setup. I hope that this is helpful.

-- 
Bob Swisshelm                | swisshelm_at_Lilly.com     | 317 276 5472
Eli Lilly and Company        | Lilly Corporate Center  | Indianapolis, IN 46285
Received on Thu Sep 15 1994 - 02:35:34 CEST
