Operating System - HP-UX
Re: Hiding Passwords for Oracle

Chuck Higgins
Occasional Advisor

Re: Hiding Passwords for Oracle

Seems that there are always loopholes to security. It is good to know about the users coming in over the network, thanks for the advice. I was so far just considering the local machine, which is a bit near-sighted.
It would be nice if you could lock that feature down to just the local server while still allowing full user/passwd logins from the network. Without that, for database servers that expect many network connections, it would probably be better to lock down the server and hide the clear text passwords in a file as suggested before. At least you know that somebody has to get a login to your server first.

Chuck
Volker Borowski
Honored Contributor

Re: Hiding Passwords for Oracle

Chuck,

there is hope! (but not much :-)

init.ora parameter "remote_os_authent" (or likewise)
and the mentioned protocol.ora containing something like tcp.invited_nodes (or likewise).

I'd recommend checking the online docu CD on this, as I am not sure about the correct syntax and I have no access to the docs now.

Keep in mind that a PC listed as an "invited_node" may be down during certain hours, giving anyone the possibility to fake its IP and become an "invited_node".
But this is a good option to ensure that only an application server can connect to the database and no other client.

The security implications of OPS$ are pretty well documented all over the net. You may make it more difficult, but not impossible; besides, you do not need network access.
On a local_only database, you might disable tcp-connect on the listener and switch to IPC or BEQ.

Hope this helps
Volker

PS: NEVER grant "dba" to an OPS$ user!
I have seen people in SAP environments doing this just to make DB13 work !!! NEVER !!!
Yogeeraj_1
Honored Contributor

Re: Hiding Passwords for Oracle

hi all,

A few clarifications!

OS Authentication lets me log in like this:

$ sqlplus /

SQL*Plus: Release 8.1.6.0.0 - Production on Sun Apr 1 17:34:47 2001

(c) Copyright 1999 Oracle Corporation. All rights reserved.


Connected to:
Oracle8i Enterprise Edition Release 8.1.6.2.0 - Production
With the Partitioning option
JServer Release 8.1.6.2.0 - Production

ops$yd@ORA8I.WORLD>

The database picks up my identity from the OS. It works well on a single machine but not over a network. Over a network it can be very insecure as the machines just "trust" each other. All I would need to do is put a machine in your network, create a user account in the OS named after some database account and I would be in. Never set remote_os_authent=true for this reason.

On NT it is more secure than on Unix, with domains and such.

I use the OS identified accounts for all of my cron jobs -- that way I do not have a username/password stored in a script anywhere. That's the strength of it.


I use ops$ accounts on all of my database machines for all admin accounts -- to avoid having passwords scattered about in a million scripts.

It is true that if you use OS authenticated users over a network in a Unix environment (forcing you to set "remote_os_authent=true"), that is a security hole.

The highest level of security you can have is using OS authenticated accounts on a host based system (no network).


It is ONLY true that there are problems if you set the init.ora parameter remote_os_authent=true -- which is something you should do only in an environment where you control ALL of the machines on the entire network.

Using OS authenticated accounts is safe, much much safer than what they propose.


As an example, they just have to write their own script to do a "ps >> mylog.txt" using cron, or just write a script:

    # endless loop: append a process listing to the log every 20 seconds
    while true
    do
        ps >> mylog.txt
        sleep 20
    done

leave that running and go home. Then use grep later to mine the data.

Conclusion:
============
USE OS AUTHENTICATED ACCOUNTS. They are 100% secure (more secure than even identified-by accounts). Do NOT use them over the network in Unix, as they are based on "trust" (just like the r* commands rsh, rexec).

Hope this helps!

Best Regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
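The exposure described in this post, the connect string visible to anyone who can run ps, can be audited from the defender's side. As an added example that is not from the thread, the C program below walks "ps -ef" output and flags processes whose command line carries a user/password[@service] string, masking the password in its report; the ps lines, user names and service name in it are constructed, not real output.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Find a user/password[@service] token in one ps line.  On a hit, copy a masked
   form ("user/****@service") to out and return 1; else return 0.  "/", "/nolog"
   and paths like /usr/bin/sqlplus (a second '/') are deliberately skipped. */
int find_exposed_credential(const char *line, char *out, size_t outlen) {
    const char *p = line;
    while ((p = strchr(p, '/')) != NULL) {
        const char *start = p, *end = p + 1;
        while (start > line && !isspace((unsigned char)start[-1])) start--;
        while (*end && !isspace((unsigned char)*end)) end++;
        /* no user before '/', no password after it, or a filesystem path */
        if (start == p || end == p + 1 || memchr(p + 1, '/', end - p - 1)) { p = end; continue; }
        const char *at = memchr(p + 1, '@', end - p - 1);
        snprintf(out, outlen, "%.*s/****%.*s", (int)(p - start), start,
                 at ? (int)(end - at) : 0, at ? at : "");
        return 1;
    }
    return 0;
}

/* Walk whole "ps -ef" output line by line, print each exposed line (when
   report is non-NULL) and return how many were found. */
int audit_ps_output(const char *text, FILE *report) {
    int found = 0;
    char buf[512], masked[128];
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, text, len); buf[len] = '\0';
        if (find_exposed_credential(buf, masked, sizeof masked)) {
            found++;
            if (report) fprintf(report, "EXPOSED: %s   [%s]\n", buf, masked);
        }
        if (!nl) break;
        text = nl + 1;
    }
    return found;
}

/* Constructed sample in "ps -ef" layout (not real output). */
static const char SAMPLE_PS[] =
    "  oracle  2210     1  0 13:58:25 ?         0:00 sqlplus /nolog\n"
    "  batch1 27460 27459  0 14:01:10 ?         0:00 sqlplus rptuser/rptpw@mydb @nightly.sql\n"
    "  batch2 27470 27469  0 14:02:00 ?         0:00 exp userid=hr/hrpw file=hr.dmp\n"
    "  oracle 27480     1  0 14:02:30 ?         0:00 sqlplus /\n";

int main(void) {                /* exit status 1 when anything is exposed */
    return audit_ps_output(SAMPLE_PS, stdout) > 0;
}
```

On a live system, feed it the real listing (for instance by reading `ps -ef` output into a buffer instead of SAMPLE_PS) and schedule it from cron to catch scripts that still pass passwords as arguments.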
Jean-Luc Oudart
Honored Contributor

Re: Hiding Passwords for Oracle

Seen on Metalink: a program named "hide", developed for NCR SVR4 (and not supported by Oracle).
doc id 1009091.6
"How do you hide username/password in ps?"

I did not try it myself.
The doc is back from 1997.

You would have to check it!

Rgds,
Jean-Luc
fiat lux
Dax Desai
New Member

Re: Hiding Passwords for Oracle

.hide is a tool to mask the account/password info so that it cannot be seen in the process list produced by the ps command in Unix. It is not supported by Oracle, but we have been using it to mask the password for several years, from 7.3 to 8i, with no problems to date on HPUX 10.2-11.0.

1. The following executables need to be linked to the hide file (I would recommend):
- sqlplus, imp, exp, sqlldr, sqlload

2. Copy the executable to executable.hide.
    cp sqlplus sqlplus.hide
3. Remove the executable.
    rm -f sqlplus
4. Link the executable to hide.
    ln -s hide sqlplus

Linking an executable to the hide file stops Unix from displaying the user id and password given on the command line when viewing the process status via ps.

If anyone wants I can send the hide file.
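An added example, not the hide.c attached later in this thread: a minimal C wrapper showing how a "hide" front end can keep the login out of ps when installed as described above (cp sqlplus sqlplus.hide; ln -s hide sqlplus). It runs "<name>.hide" with the user/password[@service] argument removed and hands that string to the real program on stdin instead, then blanks its own copy of the argument; it assumes the wrapped tool reads its login from stdin when none is given on the command line, as sqlplus does (exp/imp prompt differently and are not covered). Blanking argv in place hides the string where ps reads live process memory; a short window after the wrapper starts remains, and it does not help on a ps that copies the arguments at exec time.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* user/password[@service]: a '/' that is neither first nor last and no '='
   (so "/", "/nolog" and "userid=..." are left on the command line as-is). */
int is_connect_string(const char *arg) {
    const char *s = strchr(arg, '/');
    return s != NULL && s != arg && s[1] != '\0' && strchr(arg, '=') == NULL;
}

/* The real program sits next to the link as "<argv0>.hide" (caller frees). */
char *hidden_name(const char *argv0) {
    size_t n = strlen(argv0);
    char *p = malloc(n + 6);
    if (p) { memcpy(p, argv0, n); memcpy(p + n, ".hide", 6); }
    return p;
}

/* Exec "<argv0>.hide" with the connect string dropped from argv and fed to its
   stdin instead, then relay our own stdin; returns the child's exit status. */
int run_hidden(int argc, char **argv) {
    char **clean = calloc((size_t)argc + 1, sizeof *clean);
    char *real = hidden_name(argv[0]), *secret = NULL, buf[4096];
    int n = 0, fd[2], st = 0; ssize_t k;
    if (!clean || !real || pipe(fd) < 0) return 127;
    clean[n++] = argv[0];                   /* ps keeps showing "sqlplus" */
    for (int i = 1; i < argc; i++)
        if (!secret && is_connect_string(argv[i])) secret = argv[i];
        else clean[n++] = argv[i];
    pid_t pid = fork(); if (pid < 0) return 127;
    if (pid == 0) {                          /* child: login arrives on stdin */
        dup2(fd[0], STDIN_FILENO); close(fd[0]); close(fd[1]);
        execvp(real, clean);
        _exit(127);
    }
    close(fd[0]);
    if (secret) {
        write(fd[1], secret, strlen(secret)); write(fd[1], "\n", 1);
        memset(secret, 0, strlen(secret));   /* scrub the wrapper's own argv */
    }
    while ((k = read(STDIN_FILENO, buf, sizeof buf)) > 0) write(fd[1], buf, (size_t)k);
    close(fd[1]);
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 127;
}
int main(int argc, char **argv) { return run_hidden(argc, argv); }
```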
Dax Desai
New Member

Re: Hiding Passwords for Oracle

One more note to my previous post:

If you link your sqlplus executable to .hide, the ps command will show something like the following:

ps -ef|grep sqlplus
dw8436 27450 29892 0 13:58:25 ? 0:00 sqlplus


in lieu of the norm, where you see the entire connect string, such as sqlplus username/password@mydb
Dax Desai
New Member

Re: Hiding Passwords for Oracle

Attached hide.c and instruction.

This works for other applications besides Oracle as well, to hide information from "ps" commands. I have also included a hide install file to simplify.