Re: Listener password encryption

  • From: Greg Norris <spikey.mcmarbles@xxxxxxxxx>
  • To: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • Date: Fri, 17 Feb 2006 08:01:16 -0600

I never said that setting a listener password was a bad idea, just
that there's no benefit to using an *encrypted* password.  Here's a
quick illustration (valid thru 9iR2... I understand that 10g finally
changes this behaviour).

Say you've set your listener password to BILLBO, which produces a hash
(as seen in listener.ora) of XXXXXXXX.  You can now use either of the
following commands at the lsnrctl prompt.

   set password<ENTER>
   BILLBO

or

   set password XXXXXXXX


Now try running some commands which require you to have the password
set... you'll quickly find out that both forms are 100% equivalent. 
In other words, you now have two passwords which need to be protected
instead of just one.  Hopefully you can see why I hold Oracle's
encrypted listener password implementation in such low regard.


Note: I don't have access to an Oracle machine at the moment, so the
above is (obviously) from memory.  Feel free to try it out... no need
to take my word for it.


On 2/16/06, Reidy, Ron <Ron.Reidy@xxxxxxxxxxxxxxxxxx> wrote:
> I disagree completely on this.  Setting the password can help to prevent
> a DNS attack on the listener.  Of course, to know if the listener is
> being attacked, you should have logging turned on and some kind of
> process (swatch) watching the log file for invalid passwords (maybe a
> brute force attack).
>
> But hey, don't just take my word for it, read what Pete Finnigan says
> about it:
> http://www.google.com/custom?q=listener&sa=Google+Search&cof=S%3Ahttp%3A
> %2F%2Fwww.petefinnigan.com%3BGL%3A0%3BAH%3Aleft%3BLH%3A70%3BL%3Ahttp%3A%
> 2F%2Fwww.petefinnigan.com%2Fimages%2Fcompany_logo_1.gif%3BLW%3A736%3BAWF
> ID%3A4f683a6e994ed451%3B&domains=www.petefinnigan.com&sitesearch=www.pet
> efinnigan.com
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Norris
> Sent: Thursday, February 16, 2006 12:03 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: Re: Listener password encryption
>
>
> I wouldn't even bother using an encrypted password, unless of course
> this is being done to satisfy some (clueless) auditor's checklist.
> The way Oracle handles encrypted listener passwords, they're absolutely
> no more secure than the cleartext counterpart... in fact, one could
> easily argue that they're slightly *less* secure.

--
"I'm too sexy for my code." - Awk Sed Fred.
--
//www.freelists.org/webpage/oracle-l
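The log-watching that Ron's reply describes (logging turned on, a process watching listener.log for invalid-password entries, possibly a brute-force attempt), as an added Python example that is not from either poster. The listener.log line layout ("timestamp * connect data * command * return code", then the TNS error text) and the use of TNS-01169 as the "password not recognized" return code are assumptions from memory; the log excerpt is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed listener.log excerpt; the line layout is an assumption, not
# copied from a real log: "<timestamp> * <connect data> * <command> * <rc>",
# followed by the TNS-xxxxx text when the return code is non-zero.
SAMPLE_LOG = """\
16-FEB-2006 12:03:01 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost)(USER=oracle))(COMMAND=status)(SERVICE=LISTENER)) * status * 0
16-FEB-2006 12:03:10 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws17)(USER=guest))(COMMAND=stop)(SERVICE=LISTENER)) * stop * 1169
TNS-01169: The listener has not recognized the password
16-FEB-2006 12:03:12 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws17)(USER=guest))(COMMAND=stop)(SERVICE=LISTENER)) * stop * 1169
TNS-01169: The listener has not recognized the password
16-FEB-2006 12:03:15 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws17)(USER=guest))(COMMAND=stop)(SERVICE=LISTENER)) * stop * 1169
TNS-01169: The listener has not recognized the password
16-FEB-2006 12:20:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws22)(USER=dba))(COMMAND=reload)(SERVICE=LISTENER)) * reload * 1169
TNS-01169: The listener has not recognized the password
"""
PASSWORD_NOT_RECOGNIZED = 1169  # TNS-01169 return code (assumed from memory)
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?\(HOST=(?P<host>[^)]*)\)"
    r".* \* (?P<cmd>\w+) \* (?P<code>\d+)$"
)

def parse_entries(text):
    # One tuple per command entry; the TNS-xxxxx text lines are skipped.
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            entries.append((ts, m["host"], m["cmd"], int(m["code"])))
    return entries

def flag_bruteforce(entries, threshold=3, window=timedelta(minutes=5)):
    # Group password failures by originating host and report every host that
    # produced at least `threshold` failures inside any `window`-long span.
    by_host = defaultdict(list)
    for ts, host, _cmd, code in entries:
        if code == PASSWORD_NOT_RECOGNIZED:
            by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged
```

A single failure (ws22 above) is left alone at the default threshold, which keeps a mistyped password from paging anyone while a burst from one host still gets flagged.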
