It's my opinion that in 10g, you actually lower the security level by
setting a password. By default, remote operations are not allowed in
10g and above, unless you set a password. So, if you don't have a
password set, the listener is more secure than if you did set a
password.
And, as pointed out, you don't need to have a password to start
listeners since that can't be done remotely via lsnrctl.
Dan
Ben Wittmeier wrote:
We use listener passwords with
Oracle 10g and previously with 9i as required by our auditors. The
interactive password setting is not usually an issue since you only
need to stop/start the listener when the server is being shut down or
when maintaining the listener itself. For our cold backups, we shut
the db down, but not the listener; it stays running all the time.
From my research on the issue, I
believe the only way to programmatically shut down/start the password
protected listener would be to utilize a program that executes
keystrokes just as if a user were typing in the commands from the
keyboard.
Ben
Wouldn't they need access to your network in order to access the
listener? I know that you can set up a similar entry in a listener.ora
and remotely access the listener (I did this to prove it) but I was
behind the firewall. I tried from home but wasn't able to access the
listener using the same technique.
Another question is that in 9i you can't do a save_config and have
to enter the password interactively in order to use the listener. So,
after a cold backup and a server restart, someone would have to
manually restart every listener.
Has anyone figured out how to script this? We tried but weren't
able to figure out how to script the password entry so that our startup
scripts would work with a password protected listener.
William
Several things they could do, for one they could turn off logging when
you need it. They could also turn on logging, fill up the drive that
the log file is on, and stop your listener, they could shut down the
listener so no one could connect. All of these could be accidental or
on purpose, but a password makes it harder to do either way. Also,
most Sarbanes-Oxley compliance checklists require it.
It is a pain to deal with even so.
On Fri, Apr 11, 2008 at 10:09 AM, Blanchard William <William.Blanchard@xxxxxxxxxx> wrote:
Is anyone out there using lsnrctl passwords? If so,
why? I realize that there are vulnerabilities but if they're able to
get at the network, why would they waste their time on the listener?
William
--
Andrew W. Kerber
'If at first you dont succeed, dont take up skydiving.'