Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: ORA_ENCRYPT_LOGIN

RE: ORA_ENCRYPT_LOGIN

From: Richard Huntley <rhuntley_at_mindleaders.com>
Date: Thu, 23 May 2002 06:38:28 -0800
Message-ID: <F001.0046920E.20020523063828@fatcity.com>


Here is what the docs have to say...

"By setting the following values, you can require that the password used to verify a connection always be encrypted:

Set the ORA_ENCRYPT_LOGIN environment variable to TRUE on the client machine.

Set the DBLINK_ENCRYPT_LOGIN server initialization parameter to TRUE.

If enabled at both the client and server, passwords will not be sent across the network "in the clear", but will be encrypted using a modified DES (Data Encryption Standard) algorithm.

The DBLINK_ENCRYPT_LOGIN initialization parameter is used for connections between two Oracle servers (for example, when performing distributed queries). If you are connecting from a client, Oracle checks the ORA_ENCRYPT_LOGIN environment variable.

Whenever you attempt to connect to a server using a password, Oracle encrypts the password before sending it to the server. If the connection fails and auditing is enabled, the failure is noted in the audit log. Oracle then checks the appropriate DBLINK_ENCRYPT_LOGIN or ORA_ENCRYPT_LOGIN value. If it set to FALSE, Oracle attempts the connection again using an unencrypted version of the password. If the connection is successful, the connection replaces the previous failure in the audit log, and the connection proceeds. To prevent malicious users from forcing Oracle to re-attempt a connection with an unencrypted version of the password, you must set the appropriate values to TRUE."

-----Original Message-----
Sent: Thursday, May 23, 2002 9:14 AM
To: 'ORACLE-L_at_fatcity.com'

Hmm...after trying to verify password being passed as plain text, I went back to
do some research on metalink, and it looks like encryption of passwords is done
by default in 8.1.5 (Net8) and higher. Only confusion now is whether I need to
set ORA_ENCRYPT_LOGIN = TRUE only in sqlnet.ora on the client or also in the

NT registry. Guess I'll go look through the docs on this and I'll send an update
if I find a definitive answer. Thanks for the replies.

-----Original Message-----
Sent: Thursday, May 23, 2002 12:33 AM
To: Multiple recipients of list ORACLE-L

could not say about the net8, but in oracle 7 clients, if the initial login fails, the client will do the *next*
login attempt using *plain text* as password !!! but if this param is set to TRUE, all the attempts are
done using an encrypted password.

set ORA_ENCRYPT_LOGIN = TRUE , in the correct ORACLE_HOME using regedit (if on windows)
turn the tracing level to 16, try to connect and see the trace file, u wud see the userid in plain text but thepassword will be encrypted...

> ----------
> From: MacGregor, Ian A.[SMTP:ian_at_SLAC.Stanford.EDU]
> Reply To: ORACLE-L_at_fatcity.com
> Sent: Thursday, May 23, 2002 2:52 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
> If you want to be absolutely sure the password is being encrypted, you'll
> need to place a sniffer on the network. Work with your network guys and
> whoever else needs to be involved. In most company's using an
> unauthorized sniffer will result in dismissal.
>
> Let me reinterate what I stated. SQL*NET encrypts passwords even if the
> ORA_ENCRYPT_LOGIN parameter is not set to TRUE I wouldn't label it strong
> encryption. If you really need that there is the Advanced Security
> Option.
>
> I'm not 100% sure when the passwrod is sent in the clear. It is never
> sent plain text when the ORA_ENCRYPT_L0gin parameter is set to TRUE. I
> believe it will be sent in the clear if the Oracle server side of SQL*NET
> is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is
> set to false. ( I cannot , off the top of my head, remember if the
> parameter takes YES/NO or TRUE/FALSE).
>
> The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all
> clients.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian_at_SLAC.Stanford.edu
>
>
>
> -----Original Message-----
> From: Richard Huntley [mailto:rhuntley_at_mindleaders.com]
> Sent: Wednesday, May 22, 2002 9:59 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
>
> That's exactly what I want to stop, passwords being sent in the
> clear. However, I'm not able to verify it's working so far. I've turned
> on tracing, as recommended in another reply on this topic, did a login
> before enabling then after enabling this parameter and the differences are
> very minor and I'm seeing nothing that specifically points
> to this parameter being used other than output saying the parameter
> is detected. How are you all having developers connect to the production
> box via SQL*Plus client on developer workstations, so that the password is
> not sent in the clear?
>
> -----Original Message-----
> From: MacGregor, Ian A. [mailto:ian_at_SLAC.Stanford.EDU]
> Sent: Tuesday, May 21, 2002 8:18 PM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
>
> Even without this parameter being set the password is encrypted.
> What the parameter does is stop the password from being sent in the clear
> if logging in with the encrypted password fails. I believe the
> encryption is a 54-bit variant of DES. It is very rare that someone
> improves DES by fiddling with it. It also always encrypts to the same
> value and provides no protection against replay attacks.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian_at_SLAC.Stanford.edu
>
> -----Original Message-----
> From: Richard Huntley [mailto:rhuntley_at_mindleaders.com]
> Sent: Tuesday, May 21, 2002 9:34 AM
> To: Multiple recipients of list ORACLE-L
> Subject: ORA_ENCRYPT_LOGIN
>
>
> Anyone using this and if so, do you know of a way to verify
> that the password is actually being encrypted?
>
> Thanks.
>
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Rahul
  INET: rahul_at_ratelindo.co.id

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Richard Huntley
  INET: rhuntley_at_mindleaders.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Thu May 23 2002 - 09:38:28 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US