Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Jul 10th, 2006, 5:07pm)

Title: using passwords for 10g listeners
Post by Pete Finnigan on Jul 10th, 2006, 5:07pm
According to Metalink note 260986.1:

"In Oracle 10, the TNSListener is secure out of the box and there should not be a need to set a listener password as in older versions of the Oracle listener.
The 10g listener now uses local OS authentication."

Just wondering what people think about this. Do you still think a password is necessary? I know that Pete recommends running the listener under a different user but we are not doing that as of now.

Thanks.
Joe

Title: Re: using passwords for 10g listeners
Post by Pete Finnigan on Jul 13th, 2006, 7:32pm
Hi Joe,

The use of a password on the listener on 10g is a matter for risk assessment. To use a password you can turn off the local authentication using an undocumented parameter. The need for a password is because of the fact that it is possible to bypass the local authentication remotely or, more accurately, remotely take advantage of the local authentication to gain access to the listener without the need to get the password.

This is because it is possible to write TNS packets directly in PL/SQL that execute on the server. An example can be found in the voyager worm source code.

Using a different OS user for the listener is recommended if extproc is needed.

hth

cheers

Pete
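
An added example (not part of the original posts): a small audit of a listener.ora for the two controls discussed in this thread, local OS authentication and the listener password. It assumes the undocumented parameter mentioned above is `LOCAL_OS_AUTHENTICATION_<listener_name>` (on by default in 10g when absent) and that a saved password appears as `PASSWORDS_<listener_name>`; the sample file, host name and hash value are constructed.

```python
import re

# Constructed sample listener.ora; the password hash is a placeholder.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
LISTENER_B =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522)))
LISTENER_C =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1523)))
PASSWORDS_LISTENER_B = (0123456789ABCDEF)
LOCAL_OS_AUTHENTICATION_LISTENER_B = OFF
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""

def top_level_params(text):
    """Return {NAME: value} for entries that start at parenthesis depth 0."""
    params, depth, name = {}, 0, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"\s*([\w.]+)\s*=\s*(.*)", line) if depth == 0 else None
        if m:                                           # new top-level parameter
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:                                      # continuation of a nested value
            params[name] += " " + line.strip()
        depth += line.count("(") - line.count(")")
    return params

def audit(text):
    """Classify each listener by which administration controls are active."""
    params = top_level_params(text)
    # A listener definition is a top-level entry whose value holds an ADDRESS.
    listeners = [n for n, v in params.items() if re.search(r"\(\s*ADDRESS\s*=", v, re.I)]
    report = {}
    for lsn in listeners:
        has_pw = bool(params.get("PASSWORDS_" + lsn, "").strip("() "))
        os_auth = params.get("LOCAL_OS_AUTHENTICATION_" + lsn, "ON").strip().upper() != "OFF"
        if has_pw:
            report[lsn] = "password+os-auth" if os_auth else "password-only"
        else:
            report[lsn] = "os-auth-only" if os_auth else "unprotected"
    return report

if __name__ == "__main__":
    for lsn, status in audit(SAMPLE).items():
        print(f"{lsn}: {status}")
```

A listener reported as `unprotected` has local OS authentication switched off with no password saved, so that one needs attention first.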


