top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Want to authenticate oracle login using encrypted password…how to?

+2 votes
535 views

we are connecting to oracle using korn shell scripts, which use sqlplus to connect to oracle. the oracle database is on the same Solaris box. Currently, we are storing oracle user id and passowrd (plain text) in a file in the .ssh folder of the connecting user, with 400 permission bits.

The DBAs are objecting to this way of working, citing the fact that we are using plain text password for authentication. When we offered that we'd encode the password using base64, they still didnt like the idea, citing that we'd still decrypt the password in the shell script and transmit the password over network.

Now, I want to understand this-

I have been reading that oracle encrypts/hashes the password string, before transmitting it. I cant find the reference right now though, however, I still want to confirm my understanding. Is it really like this ? we are on 11g r2, would that make a difference ?

would i be able to login to sqlplus without decrypting the password hash ? e.g. DBAs set a password, pass on the hash to me. I put that in a file, and supply to sqlplus as a parameter. Is there some way by which this kind of authentication work ? I know some tools do allow that, if you encode using their tool, they are able to decrypt the value and use it for authentication. does oracle ??

Help me fellas..

posted Jul 23, 2013 by Raghvendra Sharma

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote

BASE64 is as bad as plaintext and does not offer any security. Your DBAs are also wrong stating that hashing the password before it's sent will solve the issue as you can just perform a pass-the-hash like attack (I'm not even sure Oracle supports something like that). Both approaches would allow for people on the network to gain access to the database (it doesn't matter if you pass a hash or a password, you can caputure it and re-use it).

I see two problems:

  • You are storing the password in your script. You should be storing the password in a password manager and make your script request for the password on each run. If it's an automated process then you need to store it plaintext in your script. There is unfortunately no other way to store it. (People argue that you can encrypt and decrypt it in your code or use some encoding schemes like BASE64, but in the end it would be trivial to retrieve and de-obfuscate your password if you get access to the script)
  • The second major issue is that you are sending everything over a plain connection. You should configure SSL/TLS for your machine so that before sending everything over the network, a secure end-to-end connection (Refer to the Oracle documentation i.e. http://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm). This will prevent eavesdroppers from viewing your connection and see if a password is being sent over the network.
answer Jul 23, 2013 by Nora Jones
0 votes
answer Jul 23, 2013 by Sumit Pokharna
Similar Questions
+3 votes

Probably is simple and silly question, I should have googled but still want to ask.
I want to run a script at the login to the Linux system, what is the best way to achieve this.

+1 vote

Is there a way to get samba to authenticate against an AD without having to join that domain (which needs admin credentials)? I don't want any of the automatic user creation or mapping stuff from winbind, just a password check instead of having to maintain a local password.

I can get that effect via kerberos for normal linux logins by using authconfig-tui, checking kerberos, and filling in the domain/kdc details. Local users still have to be added to the linux system, but where the user names match they can authenticate with their domain password. But, samba doesn't work that way. Even though the authconfig program modifies the smb.conf file, it doesn't seem to work without joining the domain. Is it possible to make it just authenticate via kerberos but otherwise use the local account details
for the matching user?

...