HPE Community
Operating System - HP-UX
1752511 Members
5138 Online
108788 Solutions
New Discussion юеВ

Hiding Passwords for Oracle

 
oradba
Occasional Contributor

тАО01-31-2003 09:24 AM

тАО01-31-2003 09:24 AM

Hiding Passwords for Oracle

Does anybody knows how to hide passwords when executing SQLPLUS ?
0 Kudos
Reply
16 REPLIES 16
John Palmer
Honored Contributor

тАО01-31-2003 09:29 AM

тАО01-31-2003 09:29 AM

Re: Hiding Passwords for Oracle

Hi,

If you mean hiding them from appearing in a ps listing because they've been supplied as arguments to sqlplus then instead of running:

sqlplus /

In an interactive session, run:
sqlplus
/
...

In a script run:
sqlplus << EOD
/
...
EOD

Regards,
John
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО01-31-2003 01:51 PM

тАО01-31-2003 01:51 PM

Re: Hiding Passwords for Oracle

Prior post shows you how to script sqlplus, that kind of code is available all over the net.

What you can do is create a deep, dark password vault for oracle.

A fs where only the oracle script user can access. Then you can store passwords there and read them into your script.

When the oracle password changes, you'll have to update the files.

You'll also want to encrypt the files, so that if someone gains root access they can't get those passwords, though if they get root access you're pretty much screwed anyway.

P
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
CCIL
Frequent Advisor

тАО02-01-2003 07:29 AM

тАО02-01-2003 07:29 AM

Re: Hiding Passwords for Oracle

HI1

yous should have the oracle client (8i) , the file tnsnames.ora file should have the entry of entry of Oracle databse listner . then you can issue sqlplus with connect strings i.e name of database & user name , then it will ask for password which can not be seen.

Amit Vichare
0 Kudos
Reply
CCIL
Frequent Advisor

тАО02-01-2003 09:45 AM

тАО02-01-2003 09:45 AM

Re: Hiding Passwords for Oracle

the exact syntax is

sqlplus username@connect_string
it will ask for password which will not be displayed

Amit Vichare
0 Kudos
Reply
Yogeeraj_1
Honored Contributor

тАО02-03-2003 03:12 AM

тАО02-03-2003 03:12 AM

Re: Hiding Passwords for Oracle

hello,

Well, my favorite solution to this is to use an "identified externally" account.
For example, I've set:


NAME TYPE VALUE
------------------------------ ------- --------------------
os_authent_prefix string ops$

in my init.ora. I then:

create user ops$yd identified externally;

This lets me:

$ id
uid=12997(yd) gid=1(other)

$ sqlplus /
SQL*Plus: Release 8.1.5.0.0 - Production on Fri Mar 10 19:28:46 2000
(c) Copyright 1999 Oracle Corporation. All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
With the Partitioning and Java options
PL/SQL Release 8.1.5.0.0 - Production

ops$yd@8i> show user
USER is "OPS$YD"
ops$yd@8i>


I do not need a username password anymore (i can still use them but I can always
use / to log in as my). This is perfect for cron jobs, at jobs and the like.
You have to be logged into unix to become that account.

Hope this helps!

Best Regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
0 Kudos
Reply
Yogeeraj_1
Honored Contributor

тАО02-03-2003 03:16 AM

тАО02-03-2003 03:16 AM

Re: Hiding Passwords for Oracle

hi again,

Another way, when on korn shell you can issue

print PASS | oracletool

where 'oracletool' is most of the common oracle ones - exp, imp, sqlplus etc



for example:

print my_pass | exp userid=system file=...

or

print my_pass | sqlplus system @my_script

Or for my lengthy scripts

print "
connect user/pass
select ...
exit" | sqlplus /nolog


Hope this helps too!

Cheers
Yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
0 Kudos
Reply
Ravi_8
Honored Contributor

тАО02-03-2003 03:21 AM

тАО02-03-2003 03:21 AM

Re: Hiding Passwords for Oracle

Hi,

oracle> sqlplus username@instance_name
password:

passwd wouldn't be echoed
never give up
0 Kudos
Reply
Chuck Higgins
Occasional Advisor

тАО02-03-2003 03:17 PM

тАО02-03-2003 03:17 PM

Re: Hiding Passwords for Oracle

I like your answer Yogeeraj, the one about using ops$.

I have been puzzled by this same question before and have never had a solution that I felt offered good security. My need for this has always been to automate a process with a script, which means that somewhere you need to get a clear text password because there will be no user around to type in the password.

I have considered using a encrypted file, but that means that you need to identify the file name and the encryption key in clear text and it is just one more step to get the password.

I think it makes a lot of sense to get the permissions from the user that is running the script so no password is required. If I was the author of the question, I would give you some points!

Only one problem, which is that the answer is Oracle specific. Maybe there is a similar solution for other DBs such as Solid?

Cheers,

Chuck
0 Kudos
Reply
Philippe Cussigh
Advisor

тАО02-04-2003 06:02 AM

тАО02-04-2003 06:02 AM

Re: Hiding Passwords for Oracle

Hello,

Just a small comment about the "externally" identified user.
It is a great solution I do appreciate.
The issue is that if you create the OPS$xyz user, any user can create a xyz user on his own system, connect as xyz, then access the database with the connect / sequence.

Oracle can limit the "admin" rigts you can get remotely but the security failure is quite important. Anyway if you have only a limited number of "Oracle client", for instance with application serevers, you can easily restrict in the protocol.ora file the list of TCP/IP addresses which can access the system.

Philippe
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.