Results 1 to 2 of 2
  1. #1
    Join Date
    Jan 2002

    Unanswered: Encrypted password

    I read Oracle Database Administrator's Guide,chapter
    "Establishing Security policy" and I am concerned about encrypted password.
    My environment:Oracle 8.1.7 on Win2000.

    I red that I have to configure both ORA_ENCRYPT_LOGIN and DBLINK_ENCRYPT_LOGIN for really encrypted password.
    As a DBA,I am responsible for my Oracle server.Also,I can write document where I tell my operators:You HAVE to configure
    As a DBA,I am responsible for setting DBLINK_ENCRYPT_LOGIN=TRUE.
    When my operaters finish instalation and they set
    ORA_ENCRYPT_LOGIN=TRUE they are not responsible for machines(there are dislocated machines).
    So,they cannot stop somebody(malicious user) for set
    ORA_ENCRYPT_LOGIN=FALSE;it means passwords will be sent clear:if I configure my "sniffer" on "the right place" I can find REAL password.

    Let me talk about my experiance with DB2.
    Of course,same things you can configure on DB2 by set
    AUTHENTICATION=SERVER_ENCRYPT (or DCS_ENCRYPT) on client and server side.
    So,on the server side i set (in Oracle terminology)
    DBLINK_ENCRYPT_LOGIN=TRUE and I changed only ORA_ENCRYPT_LOGIN .Of course,I was configured my "sniffer".
    If I set ORA_ENCRYPT_LOGIN =true passwords is encrypted immediately
    and encrypted sent to server.
    If I set ORA_ENCRYPT_LOGIN=false,I noticed that client and server communicate both BEFORE sending password.
    If my server has DBLINK_ENCRYPT_LOGIN=TRUE password is encrypted.If I have DBLINK_ENCRYPT_LOGIN=FALSE my password is sent "clear".
    It means,if I set on server side TRUE,passwords are EVER encrypted.
    My qestion(after veery long and boring story) may I configure my server that encrypted password is not depend about client side?
    Of course,maybe I red wrong,so please correct me.
    I will be very greatfull for your advice.

    Sory for my English,Zvonimir

  2. #2
    Join Date
    Jan 2002

    My fault:not EVER, ALWAYS

    My fault:not EVER, ALWAYS

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts