Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Stopping a passworded listener via unix script
        
(Message started by: Pete Finnigan on Jan 5th, 2006, 11:11am)
Title: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 5th, 2006, 11:11am
Is it possible to automate listener shutdown via a shell script if the listener has a password.
This is needed for a scheduled box restart.  

Prior to adding a password it was simply
Code:
lsnrctl stop <name>

I am now trying along the lines of this code but get the failure messages shown

Code:
lsnrctl <<__EOF__
set password
<password>
stop
__EOF__


LSNRCTL> Password: SNL-00102: snlpsprom: not a tty
IBM/AIX RISC System/6000 Error: 1229866496: Error 1229866496 occurred.
Additional information: -1022
Additional information: 1312902656
Additional information: 0
LSNRCTL> Connecting to (ADDRESS=(PROTOCOL=tcp)(PORT=1521))
TNS-01169: The listener has not recognized the password


Darren
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 5th, 2006, 11:41am
Darren,

Try: set pasword <password>
(don't start the password in a new line)

Ivan
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 5th, 2006, 5:26pm
Hi Ivan,

That will only work up to and including 9i due to a bug. If you have a clear text password then enter the password, if it is encrypted then use the hash. This is not ideal as its using a bug.

There are two other options I know of. The first is to not pass the password, as having the password or reading it from the listener.ora has implications. You can simply "kill" the listener process and avoid the need to supply the password.

A better option is to use "expect" a tcl extension that allows interactive input like this password to be passed from a script. This could be better as it does not involve a kill but it means that the password needs to be stored. A good solution to this is to use the Oracle Password Repository - see my [url http://www.petefinnigan.com/tools.htm]Oracle Security Tools page[/url].

hth

cheers

pete
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 8:02am
I agree with Pete,
if you are about to shut down the box - don't worry about stopping the listener.

The listener does not keep any state, so the kill from the shutdown will be fine. (shut down the database first though :-)
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 9:48am
Thanks for the replies...     Killing seems a bit over the top, so I will have a look at expect (once the sysadm's get the TCL libs back onto the boxes)
Darren
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 9:55am
killing the listener at shutdown would be fine, but I still need to script the startup, so expect it is!

Thanks for the help
Darren
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 11:52am
Pete,

A shell-script to stop the listener (using set password <password>) works with 10Gr2 (on Suse 9.3).
By the way: when I shutdown my machine I don't stop the listener. It gets just killed.
Darre, for starting the listener you don't need the password.


Ivan



on 01/05/06 at 17:26:42, Pete Finnigan wrote:
Hi Ivan,

That will only work up to and including 9i due to a bug. If you have a clear text password then enter the password, if it is encrypted then use the hash. This is not ideal as its using a bug.

There are two other options I know of. The first is to not pass the password, as having the password or reading it from the listener.ora has implications. You can simply "kill" the listener process and avoid the need to supply the password.

A better option is to use "expect" a tcl extension that allows interactive input like this password to be passed from a script. This could be better as it does not involve a kill but it means that the password needs to be stored. A good solution to this is to use the Oracle Password Repository - see my [url http://www.petefinnigan.com/tools.htm]Oracle Security Tools page[/url].

hth

cheers

pete
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 3:34pm
Ivan

That makes life MUCH easier.  ;D

Thanks for the help
Darren
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 8:23pm
Hi Ivan and Darren,

I am surprised that you say the
set password <password> syntax works on 10gR2. I was sure that the bug that allows this to happen had been fixed.

It works because there were two authentication mechanisms implemented. I thought that they (Oracle) had finally removed the old syntax from the listener.

I have not got a 10g install on this machine and Emil is asleep so i cannot go and start my other box upstairs to check.

Are you sure that it doesn't work in 10g because of the fact that its locally authenticating instead.

can you test setting a password, and turning off local authentication with the undocumented parameter LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF
in the listener.ora and then check if your script still works?

cheers

Pete
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 9:15pm
Pete,

I've the following shell-script (I made it just for testing ):


Code:
lsnrctl <<EOF
set password blabla
stop
exit
EOF


In my listener.ora I have defined:
LOCAL_OS_AUTHENTICATION_LISTENER=OFF

The status information is :


Code:
LSNRCTL> oracle@Asus:~ > lsnrctl

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 06-JAN-2006 22:11:12

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                06-JAN-2006 22:09:57
Uptime                    0 days 0 hr. 1 min. 21 sec
Trace Level               off
Security                  ON: Password
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/product/10r2/db_1/network/log/listener.log
Listening Endpoints Summary...
 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux.site)(PORT=1521)))
Services Summary...
Service "IVAN2" has 1 instance(s).
 Instance "IVAN2", status READY, has 1 handler(s) for this service...
Service "IVAN2_XPT" has 1 instance(s).
 Instance "IVAN2", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>


Now I run the shell-script:


Code:
oracle@Asus:~ > . ./stop_lis.sh

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 06-JAN-2006 22:12:59

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> The command completed successfully
LSNRCTL> Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
LSNRCTL> oracle@Asus:~ >


Ivan
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 6th, 2006, 9:30pm
Hi Ivan,

Thanks for doing the test. Are you using the encrypted hash and not the password in your script? because if you can supply the actual password in your script that would mean that its possible to use the old syntax and new syntax with a password created with encrypted password created in the lsnrctl utility.

now I am confused!

cheers

Pete
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 7th, 2006, 7:48am
Pete,

I'm not using the encrypted hash. Blabla is the password and in my listener.ora :


Code:
#----ADDED BY TNSLSNR 17-NOV-2005 16:24:24---
PASSWORDS_LISTENER = 7A4254300EF15B8E
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jan 7th, 2006, 9:58pm
Hi Ivan,

This is interesting as on 9iR2 it is not possible to use the old syntax with a password that has been created with the change_password command:

<code>
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=zulia)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=zulia)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   C:\oracle\ora90\network\admin\listener.ora
Old Parameter File   C:\oracle\ora90\network\admin\listener.bak
The command completed successfully
LSNRCTL>
</code>

I used blabla as the password:

<code>
#----ADDED BY TNSLSNR 07-JAN-2006 21:53:17---
PASSWORDS_LISTENER = 6F8678E5C62FA54D
#--------------------------------------------
</code>

now:

<code>
C:\>lsnrctl

LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 07-JAN-2006 21:56:
14

Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> set password blabla
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=zulia)(PORT=1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL>
</code>

It fails to use the old clear text syntax for an encrypted password. It looks like Oracle have enhanced 10g to allow either syntax to work with a password passed in clear text where it is an encrypted password.

This is good as it means it is possible to script stop scripts if you use a password and not the local authentication.

nice find Ivan,

cheers

Pete
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jun 30th, 2006, 9:21pm
Ok, here's something REALLY scary in 9.2.0.7 (and earlier)


The "encrypted" password works as a clear text password too...

This works...
set password [encryptedpassword]

And, This works...
set password
Password: [clear password]
status
stop


So, simple scripting...

PW=`egrep "PASSWORDS_LISTENER .*=" $ORACLE_HOME/network/admin/listener.ora | cut -f2 -d "="`

lsnrctl << !EOF
set password $PW
status
stop
!EOF

That works.

The reverse is not true:

This does not work:
set password [clearpassword]

Neither does this:
set password <cr>
Password: [encrypted pw]


This all works remotely too, which is VERY very scary and makes things no more secure than using a password in listener.ora in the clear....

I'm guessing that the hash and the clear password are symetrical keys -- which means that either the password in the clear can be used with:

set password<cr>
Password: [clear password]

Or
set password <encrypted password>

So, if you can get the encrypted password or the clear password from listener.ora, you can shutdown and change things (including spawn and other bad behaviors).


What am I missing here?  Is this a known Oracle issue?
Title: Re: Stopping a passworded listener via unix script
Post by Pete Finnigan on Jul 2nd, 2006, 7:51pm
Hi,

Yes this is a well known issue for some time. I talked about it earlier in this thread. The password is not symetrical with the hash, the algorithm used is also known and is the same as else where in the Oracle database.

The reason the hash works is that there are 2 mechanisms implemented. The original one where the password was stored in the listener.ora still works and this bug is simply that the database thinks that the password is stored in the config file and it reads the hash as though it was a clear text password.

This has been reported to Oracle but still not fixed.

cheers

Pete


Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board