
We are connecting to Oracle using korn shell scripts, which use sqlplus to connect to Oracle. The Oracle database is on the same Solaris box. Currently, we are storing the Oracle user id and password (plain text) in a file in the .ssh folder of the connecting user, with 400 permission bits.

The DBAs are objecting to this way of working, citing the fact that we are using plain text password for authentication. When we offered that we'd encode the password using base64, they still didn't like the idea, citing that we'd still decrypt the password in the shell script and transmit the password over the network.

Now, I want to understand this-

  1. I have been reading that Oracle encrypts/hashes the password string, before transmitting it. I can't find the reference right now though, however, I still want to confirm my understanding. Is it really like this? We are on 11g r2, would that make a difference?

  2. Would I be able to log in to sqlplus without decrypting the password hash? e.g. DBAs set a password, pass on the hash to me. I put that in a file, and supply to sqlplus as a parameter. Is there some way by which this kind of authentication work? I know some tools do allow that, if you encode using their tool, they are able to decrypt the value and use it for authentication. Does Oracle??

Raghav

2 Answers

BASE64 is as bad as plaintext and does not offer any security. Your DBAs are also wrong stating that hashing the password before it's sent will solve the issue, as you can just perform a pass-the-hash-like attack (I'm not even sure Oracle supports something like that). Both approaches would allow people on the network to gain access to the database (it doesn't matter if you pass a hash or a password, you can capture it and re-use it).

I see two problems:

  1. You are storing the password in your script. You should be storing the password in a password manager and make your script request the password on each run. If it's an automated process then you need to store it plaintext in your script. There is unfortunately no other way to store it. (People argue that you can encrypt and decrypt it in your code or use some encoding schemes like BASE64, but in the end it would be trivial to retrieve and de-obfuscate your password if you get access to the script.)
  2. The second major issue is that you are sending everything over a plain connection. You should configure SSL/TLS for your machine so that a secure end-to-end connection is established before anything is sent over the network (refer to the Oracle documentation). This will prevent eavesdroppers from viewing your connection and seeing whether a password is being sent over the network.
Lucas Kauffman

Look into the Secure External Password Store section here.

Basically, you set up a client-side Oracle wallet and save the user, password, and TNS alias in it.

Then your script will connect to the database as:

sqlplus /@tns_alias @my_script.sql

I hope it helps, Ed

user28634
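The wallet-based setup described in the second answer, combined with the TLS (TCPS) transport the first answer asks for, as an added example that is not part of either answer. The wallet directory, TNS alias, host, service name and port are placeholders; `mkstore -create` and `mkstore -createCredential` are the standard Oracle client wallet commands (the credential command is assumed to prompt for the password when it is omitted from the command line, so the password never lands in a file or in shell history). The `check_wallet_dir` function is a pre-flight check a batch script can run before relying on the wallet: it fails if the directory is readable by anyone but the owner or if the auto-login wallet file is missing.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumptions: the Oracle client
# (mkstore, sqlplus) is installed; all names below are placeholders.

WALLET_DIR="${WALLET_DIR:-$HOME/.oracle_wallet}"   # placeholder wallet location
TNS_ALIAS="${TNS_ALIAS:-tns_alias}"               # alias used by the answer
DB_USER="${DB_USER:-batch_user}"                  # placeholder schema user
DB_HOST="${DB_HOST:-db.example.internal}"         # placeholder DB host
DB_SERVICE="${DB_SERVICE:-ORCL}"                  # placeholder service name

# Client sqlnet.ora: point at the wallet and let "/@alias" logins take the
# credential from it (SQLNET.WALLET_OVERRIDE). $1 = TNS_ADMIN dir, $2 = wallet dir.
write_sqlnet_ora() {
    cat > "$1/sqlnet.ora" <<EOF
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = $2)))
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = YES
EOF
    chmod 600 "$1/sqlnet.ora"
}

# tnsnames.ora alias that uses TCPS (TLS) instead of plain TCP.
# $1 = TNS_ADMIN dir, $2 = alias, $3 = host, $4 = service name.
write_tnsnames_ora() {
    cat > "$1/tnsnames.ora" <<EOF
$2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = $3)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = $4)))
EOF
    chmod 600 "$1/tnsnames.ora"
}

# Pre-flight check before a batch job trusts the wallet: directory exists,
# group/other permission bits are all clear (0700), auto-login wallet present.
check_wallet_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no wallet dir: $dir" >&2; return 1; }
    # ls -ld prints e.g. "drwx------ ..."; columns 5-10 are the group/other bits
    mode=$(ls -ld "$dir" | cut -c5-10)
    case "$mode" in
        ------) ;;
        *) echo "wallet dir $dir is not 0700 (group/other bits: $mode)" >&2; return 1 ;;
    esac
    [ -f "$dir/cwallet.sso" ] || { echo "auto-login wallet cwallet.sso missing in $dir" >&2; return 1; }
    return 0
}

# One-time interactive setup run by the account that owns the scripts.
setup_wallet() {
    mkdir -p "$WALLET_DIR" && chmod 700 "$WALLET_DIR"
    mkstore -wrl "$WALLET_DIR" -create                                   # prompts for a wallet password
    mkstore -wrl "$WALLET_DIR" -createCredential "$TNS_ALIAS" "$DB_USER"  # prompts for the DB password
    write_sqlnet_ora "$WALLET_DIR" "$WALLET_DIR"
    write_tnsnames_ora "$WALLET_DIR" "$TNS_ALIAS" "$DB_HOST" "$DB_SERVICE"
    echo "export TNS_ADMIN=$WALLET_DIR  # put this in the batch user's profile"
}

# What the korn shell batch script then does: no password anywhere in it.
run_sql_with_wallet() {
    TNS_ADMIN="$WALLET_DIR" check_wallet_dir "$WALLET_DIR" || return 1
    TNS_ADMIN="$WALLET_DIR" sqlplus -S "/@$TNS_ALIAS" "@$1"
}

case "${1:-}" in
    setup) setup_wallet ;;
    run)   run_sql_with_wallet "$2" ;;
esac
```

Run `sh wallet.sh setup` once as the batch account, then replace the `sqlplus user/password@alias` line in each korn shell script with `sqlplus /@tns_alias @my_script.sql` (or call `run_sql_with_wallet my_script.sql`). The wallet files are still a secret on disk, so the 0700 directory and the `check_wallet_dir` test matter as much as they did for the old password file; what changes is that the password is no longer in a form anyone reading the script or the file can simply copy, and with TCPS it is not on the wire in clear either.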