   Pete Finnigan's Oracle Security Forum
   Author  Topic: Stopping a passworded listener via unix script  (Read 9835 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it

   
Stopping a passworded listener via unix script
« on: Jan 5th, 2006, 11:11am »

Is it possible to automate listener shutdown via a shell script if the listener has a password?
This is needed for a scheduled box restart.

Prior to adding a password it was simply
Code:
lsnrctl stop <name>

I am now trying along the lines of this code but get the failure messages shown
Code:
lsnrctl <<__EOF__
set password
<password>
stop
__EOF__
 
 
LSNRCTL> Password: SNL-00102: snlpsprom: not a tty
 IBM/AIX RISC System/6000 Error: 1229866496: Error 1229866496 occurred.
Additional information: -1022
Additional information: 1312902656
Additional information: 0
LSNRCTL> Connecting to (ADDRESS=(PROTOCOL=tcp)(PORT=1521))
TNS-01169: The listener has not recognized the password

 
Darren

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Re: Stopping a passworded listener via unix script
« Reply #1 on: Jan 5th, 2006, 11:41am »

Darren,
 
Try: set password <password>
(don't start the password on a new line)
 
Ivan
Re: Stopping a passworded listener via unix script
« Reply #2 on: Jan 5th, 2006, 5:26pm »

Hi Ivan,
 
That will only work up to and including 9i due to a bug. If you have a clear text password then enter the password, if it is encrypted then use the hash. This is not ideal as it's using a bug.

There are two other options I know of. The first is to not pass the password, as having the password or reading it from the listener.ora has implications. You can simply "kill" the listener process and avoid the need to supply the password.

A better option is to use "expect", a Tcl extension that allows interactive input like this password to be passed from a script. This could be better as it does not involve a kill, but it means that the password needs to be stored. A good solution to this is to use the Oracle Password Repository - see my Oracle Security Tools page (http://www.petefinnigan.com/tools.htm).
 
hth
 
cheers
 
pete
Re: Stopping a passworded listener via unix script
« Reply #3 on: Jan 6th, 2006, 8:02am »

I agree with Pete,  
if you are about to shut down the box - don't worry about stopping the listener.
 
The listener does not keep any state, so the kill from the shutdown will be fine. (shut down the database first though :-)
Re: Stopping a passworded listener via unix script
« Reply #4 on: Jan 6th, 2006, 9:48am »

Thanks for the replies... Killing seems a bit over the top, so I will have a look at expect (once the sysadmins get the TCL libs back onto the boxes).
Darren
Re: Stopping a passworded listener via unix script
« Reply #5 on: Jan 6th, 2006, 9:55am »

Killing the listener at shutdown would be fine, but I still need to script the startup, so expect it is!
 
Thanks for the help
Darren
Re: Stopping a passworded listener via unix script
« Reply #6 on: Jan 6th, 2006, 11:52am »

Pete,
 
A shell script to stop the listener (using set password <password>) works with 10gR2 (on Suse 9.3).
By the way: when I shut down my machine I don't stop the listener. It just gets killed.
Darren, for starting the listener you don't need the password.
 
 
Ivan
 
 
on Jan 5th, 2006, 5:26pm, Pete Finnigan wrote:
Hi Ivan,
 
That will only work up to and including 9i due to a bug. If you have a clear text password then enter the password, if it is encrypted then use the hash. This is not ideal as it's using a bug.

There are two other options I know of. The first is to not pass the password, as having the password or reading it from the listener.ora has implications. You can simply "kill" the listener process and avoid the need to supply the password.

A better option is to use "expect", a Tcl extension that allows interactive input like this password to be passed from a script. This could be better as it does not involve a kill, but it means that the password needs to be stored. A good solution to this is to use the Oracle Password Repository - see my Oracle Security Tools page (http://www.petefinnigan.com/tools.htm).
 
hth
 
cheers
 
pete

Re: Stopping a passworded listener via unix script
« Reply #7 on: Jan 6th, 2006, 3:34pm »

Ivan
 
That makes life MUCH easier.  Grin
 
Thanks for the help
Darren
Re: Stopping a passworded listener via unix script
« Reply #8 on: Jan 6th, 2006, 8:23pm »

Hi Ivan and Darren,
 
I am surprised that you say the set password <password> syntax works on 10gR2. I was sure that the bug that allows this to happen had been fixed.

It works because there were two authentication mechanisms implemented. I thought that they (Oracle) had finally removed the old syntax from the listener.

I have not got a 10g install on this machine and Emil is asleep so I cannot go and start my other box upstairs to check.

Are you sure that it doesn't work in 10g because of the fact that it's locally authenticating instead?

Can you test setting a password, and turning off local authentication with the undocumented parameter LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF in the listener.ora, and then check if your script still works?
 
cheers
 
Pete
Re: Stopping a passworded listener via unix script
« Reply #9 on: Jan 6th, 2006, 9:15pm »

Pete,
 
I've the following shell script (I made it just for testing):
 
Code:
lsnrctl <<EOF
set password blabla
stop
exit
EOF

 
In my listener.ora I have defined:
LOCAL_OS_AUTHENTICATION_LISTENER=OFF
 
The status information is :
 
Code:

LSNRCTL> oracle@Asus:~ > lsnrctl
 
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 06-JAN-2006 22:11:12
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Welcome to LSNRCTL, type "help" for information.
 
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias      LISTENER
Version    TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date      06-JAN-2006 22:09:57
Uptime     0 days 0 hr. 1 min. 21 sec
Trace Level     off
Security   ON: Password
SNMP       OFF
Listener Parameter File   /u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
Listener Log File    /u01/app/oracle/product/10r2/db_1/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux.site)(PORT=1521)))
Services Summary...
Service "IVAN2" has 1 instance(s).
  Instance "IVAN2", status READY, has 1 handler(s) for this service...
Service "IVAN2_XPT" has 1 instance(s).
  Instance "IVAN2", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>

 
Now I run the shell-script:
 
Code:

oracle@Asus:~ > . ./stop_lis.sh
 
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 06-JAN-2006 22:12:59
 
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
 
Welcome to LSNRCTL, type "help" for information.
 
LSNRCTL> The command completed successfully
LSNRCTL> Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
LSNRCTL> oracle@Asus:~ >

 
Ivan
Re: Stopping a passworded listener via unix script
« Reply #10 on: Jan 6th, 2006, 9:30pm »

Hi Ivan,
 
Thanks for doing the test. Are you using the encrypted hash and not the password in your script? Because if you can supply the actual password in your script, that would mean that it's possible to use the old syntax and new syntax with a password created as an encrypted password in the lsnrctl utility.

Now I am confused!
 
cheers
 
Pete
Re: Stopping a passworded listener via unix script
« Reply #11 on: Jan 7th, 2006, 7:48am »

Pete,
 
I'm not using the encrypted hash. Blabla is the password, and in my listener.ora:
 
Code:
#----ADDED BY TNSLSNR 17-NOV-2005 16:24:24---
PASSWORDS_LISTENER = 7A4254300EF15B8E

 
Re: Stopping a passworded listener via unix script
« Reply #12 on: Jan 7th, 2006, 9:58pm »

Hi Ivan,
 
This is interesting as on 9iR2 it is not possible to use the old syntax with a password that has been created with the change_password command:
 
Code:
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=zulia)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=zulia)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   C:\oracle\ora90\network\admin\listener.ora
Old Parameter File   C:\oracle\ora90\network\admin\listener.bak
The command completed successfully
LSNRCTL>
 
I used blabla as the password:
 
Code:
#----ADDED BY TNSLSNR 07-JAN-2006 21:53:17---
PASSWORDS_LISTENER = 6F8678E5C62FA54D
#--------------------------------------------
 
now:
 
Code:
C:\>lsnrctl

LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 07-JAN-2006 21:56:14

Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> set password blabla
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=zulia)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL>
 
It fails to use the old clear text syntax for an encrypted password. It looks like Oracle have enhanced 10g to allow either syntax to work with a password passed in clear text where it is an encrypted password.  
 
This is good as it means it is possible to script stop scripts if you use a password and not the local authentication.
 
nice find Ivan,
 
cheers
 
Pete
Re: Stopping a passworded listener via unix script
« Reply #13 on: Jun 30th, 2006, 9:21pm »

Ok, here's something REALLY scary in 9.2.0.7 (and earlier)
 
 
The "encrypted" password works as a clear text password too...
 
This works...
set password [encryptedpassword]
 
And, This works...
set password  
Password: [clear password]
status
stop
 
 
So, simple scripting...
 
PW=`egrep "PASSWORDS_LISTENER .*=" $ORACLE_HOME/network/admin/listener.ora | cut -f2 -d "="`
 
lsnrctl << !EOF
set password $PW
status
stop
!EOF
 
That works.
 
The reverse is not true:
 
This does not work:
set password [clearpassword]  
 
Neither does this:
set password <cr>
Password: [encrypted pw]
 
 
This all works remotely too, which is VERY very scary and makes things no more secure than using a password in listener.ora in the clear....
 
I'm guessing that the hash and the clear password are symmetrical keys -- which means that either the password in the clear can be used with:
 
set password<cr>
Password: [clear password]
 
Or
set password <encrypted password>
 
So, if you can get the encrypted password or the clear password from listener.ora, you can shut down and change things (including spawn and other bad behaviors).
 
 
What am I missing here?  Is this a known Oracle issue?
 
Re: Stopping a passworded listener via unix script
« Reply #14 on: Jul 2nd, 2006, 7:51pm »

Hi,
 
Yes, this has been a well-known issue for some time. I talked about it earlier in this thread. The password is not symmetrical with the hash; the algorithm used is also known and is the same as elsewhere in the Oracle database.
 
The reason the hash works is that there are 2 mechanisms implemented. The original one where the password was stored in the listener.ora still works and this bug is simply that the database thinks that the password is stored in the config file and it reads the hash as though it was a clear text password.
 
This has been reported to Oracle but still not fixed.
 
cheers
 
Pete
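
The exposure discussed in this thread (a listener password or hash stored in listener.ora, or passed on the "set password" line of a stop script, is reusable by anyone who can read that file) can be checked for on a host. The script below is an added example, not part of the original thread or of any Oracle tooling: the function names, finding labels, sample files and the 16-hex-digit test for the hashed form are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit listener.ora and admin scripts for stored listener
# credentials. All names and sample values below are constructed.

# audit_listener_ora FILE: print one finding per line.
audit_listener_ora() {
    f=$1
    [ -r "$f" ] || { echo "ERROR cannot read $f"; return 2; }
    # Mode string from ls (e.g. -rw-r--r--): char 5 = group read, char 8 = other read.
    perms=$(ls -ld "$f" | cut -c1-10)
    exposed=no
    case $perms in
        ????r*|???????r*) exposed=yes ;;
    esac
    awk -v exposed="$exposed" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            line = $0
            gsub(/[ \t()]/, "", line)             # drop blanks and parentheses
            n = index(line, "=")
            if (n == 0) next
            key = toupper(substr(line, 1, n - 1))
            val = substr(line, n + 1)
        }
        key ~ /^PASSWORDS_/ {
            name = substr(key, 11)
            # Assumption: a 16-hex-digit value is the hashed form shown in the thread.
            kind = (length(val) == 16 && val ~ /^[0-9A-Fa-f]+$/) ? "hash" : "cleartext"
            print "PASSWORD " name " stored as " kind
            if (exposed == "yes")
                print "EXPOSED " name " entry readable by group/other"
        }
        key ~ /^LOCAL_OS_AUTHENTICATION_/ && toupper(val) == "OFF" {
            print "LOCALAUTH_OFF " substr(key, 25)
        }
    ' "$f"
}

# scripts_with_inline_password DIR: list files that pass a value on the
# "set password" line (a bare "set password" prompts and is not flagged).
scripts_with_inline_password() {
    grep -rlEi '^[[:space:]]*set[[:space:]]+password[[:space:]]+[^[:space:]]' "$1" | sort
}

# make_sample: build a constructed test tree and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/listener.ora" <<'EOF'
# constructed sample, not a real configuration
LISTENER = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost.example)(PORT=1521)))
PASSWORDS_LISTENER = 0123456789ABCDEF
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
EOF
    chmod 644 "$d/listener.ora"
    printf 'lsnrctl <<END\nset password example-only\nstop\nEND\n' > "$d/stop_lis.sh"
    printf 'lsnrctl <<END\nset password\nstatus\nEND\n' > "$d/status_lis.sh"
    echo "$d"
}

sample=$(make_sample)
audit_listener_ora "$sample/listener.ora"
scripts_with_inline_password "$sample"
rm -rf "$sample"
```

An EXPOSED finding means the stored value should be treated as a usable credential for that listener; restricting listener.ora and any flagged script to the Oracle software owner removes the finding.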