RE: lsnrctl passwords

This link was sent just the other day on a similar topic.  It will not
work for Oracle 10g listeners - but does work for Oracle 9i and 8i.

http://laurentschneider.com/wordpress/2005/12/encrypted-listener-password.html

From the article...

1.      to start you do not need a listener

to stop, you can use
PW=$(grep -i passwords_listener "$TNS_ADMIN/listener.ora" | cut -d= -f2)
lsnrctl <<EOF
set password $PW
stop
EOF

in 9i and below 
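
The stop procedure quoted above, as an added example that is not part of the original post or the linked article: it reads the stored PASSWORDS_<name> value more strictly than a bare grep (commented-out lines and look-alike listener names are skipped) and flags a listener.ora that others can read, since on 9i and below that stored value is enough to stop the listener. The function names, the single-line entry layout and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes single-line PASSWORDS_<name> entries.

# Print the value stored for PASSWORDS_<listener>; return 1 when there is none.
# Unlike a bare grep, skips commented-out lines and look-alike listener names.
listener_pw_value() {            # usage: listener_pw_value FILE [LISTENER]
    awk -v key="passwords_${2:-listener}" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (tolower(name) != tolower(key)) next
            val = substr($0, eq + 1); gsub(/[ \t\r()]/, "", val)
            if (val != "") { print val; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# True when "others" can read FILE. On 9i and below the stored value is enough
# to control the listener, so listener.ora should not be world-readable.
others_can_read() {
    case $(ls -ld "$1") in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Stop a password-protected 9i/8i listener non-interactively. The here-document
# keeps the value off the lsnrctl command line.
stop_listener() {                # usage: stop_listener FILE [LISTENER]
    pw=$(listener_pw_value "$1" "$2") || { echo "no PASSWORDS entry" >&2; return 1; }
    lsnrctl <<EOF
set current_listener ${2:-listener}
set password $pw
stop
EOF
}

# Constructed sample listener.ora (values are made up), parsed offline.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'SAMPLE'
# PASSWORDS_LISTENER = (oldvalue)
LISTENER = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
PASSWORDS_LISTENER2 = 1111111111111111
passwords_listener = 0123456789ABCDEF
SAMPLE
chmod 644 "$sample"
echo "stored value: $(listener_pw_value "$sample" listener)"
others_can_read "$sample" && echo "WARNING: $sample is readable by others"
```

Only the parsing and permission check run in the demo at the bottom; stop_listener needs a host with lsnrctl on the PATH and, as the message notes, applies to 9i and 8i listeners only.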

 

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Blanchard William
Sent: Friday, April 11, 2008 1:27 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: lsnrctl passwords

 

How do you handle a server restart?

 

________________________________

From: Ben Wittmeier [mailto:Ben.Wittmeier@xxxxxxxxx] 
Sent: Friday, April 11, 2008 12:25 PM
To: Blanchard William; oracle-l@xxxxxxxxxxxxx
Subject: RE: lsnrctl passwords

We use listener passwords with Oracle 10g and previously with 9i as
required by our auditors.  The interactive password setting is not
usually an issue since you only need to stop/start the listener when the
server is being shut down or when maintaining the listener itself.  For
our cold backups, we shut the db down, but not the listener; it stays
running all the time.

 

From my research on the issue, I believe the only way to
programmatically shutdown/start the password protected listener would be
to utilize a program that executes keystrokes just as if a user were
typing in the commands from the keyboard.

 

Ben

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Blanchard William
Sent: Friday, April 11, 2008 10:00 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: lsnrctl passwords

Wouldn't they need access to your network in order to access the
listener? I know that you can set up a similar entry in a listener.ora
and remotely access the listener (I did this to prove it) but I was
behind the firewall. I tried from home but wasn't able to access the
listener using the same technique. 

Another question is that in 9i you can't do a save_config and have to
enter the password interactively in order to use the listener. So, after
a cold backup and a server restart, someone would have to manually
restart every listener. 

Has anyone figured out how to script this? We tried but weren't able to
figure out how to script the password entry so that our startup scripts
would work with a password protected listener.

 

William

 

________________________________

From: Andrew Kerber [mailto:andrew.kerber@xxxxxxxxx] 
Sent: Friday, April 11, 2008 10:44 AM
To: Blanchard William
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: lsnrctl passwords

Several things they could do, for one they could turn off logging when
you need it.  They could also turn on logging, fill up the drive that
the log file is on, and stop your listener, they could shut down the
listener so no one could connect.  All of these could be accidental or
on purpose, but a password makes it harder to do either way.  Also, most
Sarbanes-Oxley compliance checklists require it.

It is a pain to deal with even so.

On Fri, Apr 11, 2008 at 10:09 AM, Blanchard William
<William.Blanchard@xxxxxxxxxx> wrote:

Is anyone out there using lsnrctl passwords?  If so, why?  I realize
that there are vulnerabilities but if they're able to get at the
network, why would they waste their time on the listener?

 

 

William




-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.' 

 

