Re: Oracle client security

  • From: Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Sat, 7 Aug 2004 21:57:11 +0100

>
>True, though I did pull that from the 9.2.0 docs.  It is apparently
>a documentation bug, as 9i supposedly always encrypts passwords
>and never sends them in the clear.  Haven't tested it though.
>
>Jared

Hi Jared,

The parameters are supposedly not used, or rather ignored, from 9iR2 (it
could be 9iR1, as I have heard this for both versions), as all retries are
encrypted by default. I tested this over a year ago when discussing it
with Don Granaman, who was involved in the CIS Oracle benchmark. We could
not find a way to get a second try in clear text on 9i. This
"functionality", the second try in clear text, was added to allow
connection to older databases that didn't support the encrypted password
exchange (7.1 and down, I believe).

Rich, the way to secure the client then seems to be to ensure at least
9iR1 or 9iR2 clients are used.

Kind regards

Pete
-- 
Pete Finnigan
email:pete@xxxxxxxxxxxxxxxx
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
