   Pete Finnigan's Oracle Security Forum
(Moderator: Pete Finnigan)
   listener password
   Author  Topic: listener password  (Read 3338 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it

   
listener password
« on: Dec 2nd, 2005, 3:04pm »

Hey Pete,
I have two questions for you. I am a newbie in the business and I am dealing with Oracle security.

Here's my question:
Did Oracle do anything about the listener password (or its hash, you can log in with both) traveling with all of the listener commands?

Another question:
Can a new kind of authentication scheme be applied on top of the Oracle listener, in which authentication is done without sending the password or hash, but instead with a one-time session key?

Thanks in advance,
emre cakir

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
Re: listener password
« Reply #1 on: Dec 4th, 2005, 9:32pm »

Hi,
 
In answer to your first question, it is fixed in 10g at least and I believe in 9.2.0.X (not sure which "X" now though - would need to check).

I am not sure what you are asking in your second question. I think you mean is it possible to enhance the listener authentication. Do you mean us, the users and customers of Oracle, or do you mean for Oracle themselves to do it?
 
cheers
 
Pete
Pete Finnigan
Re: listener password
« Reply #2 on: Dec 5th, 2005, 2:12pm »

Thanks for your attention. Regarding my second question, I mean us, the customers. I know that there are ways to authenticate users without requiring them to send their passwords through the network, and it can be applied on top of vulnerable TNS listeners, I guess.

Thanks again,
have a good day.
emre cakir
Pete Finnigan
Re: listener password
« Reply #3 on: Dec 5th, 2005, 6:09pm »

Hi,
 
I am not sure how you could change the authentication process yourself for the listener, but you can use network encryption between admin terminals that send the password to the listener and the listener itself. You can use Oracle ASO or free solutions such as OpenSSH. Of course you cannot protect every connection to the listener like this, but you don't need to. You only need to protect the legitimate ones and then limit network traffic so that it can only come into the listener from those.
 
hth
 
cheers
 
Pete
Pete Finnigan
Re: listener password
« Reply #4 on: Dec 6th, 2005, 7:27am »

I see what you mean: OpenSSH + connection manager (or valid node checking).

Thanks a lot,
cakir
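The restriction discussed in the replies above (only approved hosts may reach the listener, via valid node checking) can be checked from the server's sqlnet.ora. The following is an added example, not code from the thread or from Oracle; it assumes the sqlnet.ora parameters TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES, and the host names and the helper names are constructed for illustration.

```python
# Constructed sample sqlnet.ora (host names are made up for this example).
# dbhost01 stands for the database server itself, which is where an SSH
# tunnel from an admin terminal would terminate.
SAMPLE_SQLNET_ORA = """\
# sqlnet.ora on the database server
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (dbhost01, appsrv01,
    10.0.5.20)
"""

def parse_sqlnet(text):
    """Return {PARAM: value}; names upper-cased, '#' comments dropped,
    indented continuation lines joined to the previous parameter."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip().upper()
            params[name] = value.strip()
    return params

def node_list(value):
    """Turn '(a, b, c)' into ['a', 'b', 'c'], lower-cased."""
    return [n.strip().lower() for n in value.strip("() ").split(",") if n.strip()]

def audit_valid_nodes(text, approved_hosts):
    """Return a list of findings; empty means only approved hosts are invited."""
    params = parse_sqlnet(text)
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        findings.append("valid node checking is not enabled")
    invited = node_list(params.get("TCP.INVITED_NODES", ""))
    if not invited:
        findings.append("TCP.INVITED_NODES is empty or missing")
    approved = {h.lower() for h in approved_hosts}
    for host in invited:
        if host not in approved:
            findings.append(f"unapproved host in TCP.INVITED_NODES: {host}")
    return findings

if __name__ == "__main__":
    for finding in audit_valid_nodes(SAMPLE_SQLNET_ORA, ["dbhost01", "appsrv01"]):
        print(finding)
```

Valid node checking only controls which source addresses the listener accepts; the password still needs the encrypted path (ASO or an SSH tunnel) mentioned in the reply.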
Pete Finnigan
Re: listener password
« Reply #5 on: Dec 6th, 2005, 12:14pm »

On Dec 4th, 2005, 9:32pm, Pete Finnigan wrote:
It is fixed in 10g at least and I believe in 9.2.0.X (not sure which "X" now though - would need to check).

At least it isn't fixed on the Windows platform. I tested it on 9.2.0.7 with CPUOCT05 applied.
Pete Finnigan
Re: listener password
« Reply #6 on: Dec 6th, 2005, 8:20pm »

Hi,
 
Thanks for the update. I was not 100% sure it was fixed in 9i, but I thought that I had seen it fixed - I might have been wrong though. Thanks for confirming that it's still a bug at least on Windows.
 
cheers
 
Pete