Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Dec 2nd, 2005, 3:04pm)

Title: listener password
Post by Pete Finnigan on Dec 2nd, 2005, 3:04pm
hey pete,
i have two questions for you, i am a newbie in the business and i am dealing with oracle security.

here's my question:
did oracle do anything about the listener password (or its hash, you can login with both), traveling with all of the listener commands?

another question:
can a new kind of authentication scheme be applied on top of oracle listener, in which authentication is done without sending the password, or hash; instead a one-time session key?

thanks in advance,
emre cakir

Title: Re: listener password
Post by Pete Finnigan on Dec 4th, 2005, 9:32pm
Hi,

In answer to your first question: it is fixed in 10g at least and I believe in 9.2.0.X (not sure which "X" now though - would need to check).

I am not sure what you are asking in your second question. I think you mean is it possible to enhance the listener authentication. Do you mean us, the users and customers of Oracle, or do you mean for Oracle themselves to do it?

cheers

Pete

Title: Re: listener password
Post by Pete Finnigan on Dec 5th, 2005, 2:12pm
thanks for your attention, regarding my second question, i mean us the customers, i know that there are ways to authenticate users without requiring them to send their passwords through network, and it can be applied on top of vulnerable tns listeners, i guess.

thanks again,
have a good day.
emre cakir

Title: Re: listener password
Post by Pete Finnigan on Dec 5th, 2005, 6:09pm
Hi,

I am not sure how you could change the authentication process yourself for the listener but you can use network encryption between admin terminals that send the password to the listener and the listener itself. You can use Oracle ASO or free solutions such as OpenSSH. Of course you cannot protect every connection to the listener like this but you don't need to. You only need to protect the legitimate ones and then limit network traffic so that it can only come into the listener from those.

hth

cheers

Pete

Title: Re: listener password
Post by Pete Finnigan on Dec 6th, 2005, 7:27am
i see what you mean, OpenSSH + connection manager (or valid node checking)

thx a lot,
cakir
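
The valid node checking mentioned above can be verified with a small audit of `sqlnet.ora`; this is an added example, not part of the original thread. The sample file contents, host addresses, and the function names `parse_sqlnet` and `audit` are constructed for illustration, and it assumes admin sessions arrive through an SSH tunnel ending on the database host, so they reach the listener from 127.0.0.1.

```python
# Constructed sqlnet.ora samples for illustration (not from the thread).
WEAK = """\
# no node restrictions: any host that can route to the listener may connect
sqlnet.expire_time = 10
"""
HARDENED = """\
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (127.0.0.1,
    10.0.0.5)   # continuation lines start with whitespace
"""

def parse_sqlnet(text):
    """Return {lowercased parameter: value}, joining indented continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and name:            # continuation of previous value
            params[name] += line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip().lower()           # parameter names are case-insensitive
            params[name] = value.strip()
    return params

def audit(text, approved):
    """List findings where listener access is wider than the approved hosts."""
    p = parse_sqlnet(text)
    findings = []
    # Documented values for this parameter are yes | no.
    if p.get("tcp.validnode_checking", "no").lower() != "yes":
        findings.append("valid node checking is not enabled")
    raw_nodes = p.get("tcp.invited_nodes", "").strip("()").split(",")
    nodes = {n.strip().lower() for n in raw_nodes if n.strip()}
    if not nodes:
        findings.append("tcp.invited_nodes is empty")
    for extra in sorted(nodes - {a.lower() for a in approved}):
        findings.append(f"unapproved invited node: {extra}")
    return findings

if __name__ == "__main__":
    approved = {"127.0.0.1", "10.0.0.5"}          # assumed: tunnel endpoint + one app server
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg, approved) or "OK")
```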

Title: Re: listener password
Post by Pete Finnigan on Dec 6th, 2005, 12:14pm

on 12/04/05 at 21:32:18, Pete Finnigan wrote:
It is fixed in 10g at least and i believe in 9.2.0.X (not sure which "X" now though - would need to check).

At least it isn't fixed on the Windows platform. I tested it on 9.2.0.7 and CPUOCT05 applied. :-/

Title: Re: listener password
Post by Pete Finnigan on Dec 6th, 2005, 8:20pm
Hi,

Thanks for the update, I was not 100% sure it was fixed in 9i but I thought that I had seen it fixed - I might have been wrong though. Thanks for confirming that it's still a bug at least on Windows.

cheers

Pete


