Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> valid listener passwords
(Message started by: Pete Finnigan on Nov 17th, 2005, 3:13pm)

Title: valid listener passwords
Post by Pete Finnigan on Nov 17th, 2005, 3:13pm
Hi,

has anyone tested the complete character set for use on listener passwords. I could not find a valid list of characters to use with a quick search. I assume ascii, digits and _#$ are definites. I just tested a password of "!a" without quotes and it works fine but without exhaustive checks its difficult to validate completely. from this quick check it seems any character from the keyspace is valid. Anyone checked?

cheers

Pete

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 17th, 2005, 9:32pm
Hey Pete,
I've confirmed on my listener - all characters seem ok.
HTH,
David

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 17th, 2005, 10:37pm
Thanks for that David, I guessed that the listener accepted the whole character set from my simple test.

Don't you think that its time for Oracle to add some password mangement features to the listener, at least the same features that are provided with the database users or at least a failed_login_attempts parameter?

It would not be a bad idea to extend strong authentication to the listener as well?

cheers

pete

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 18th, 2005, 2:23am
I'm always up for strengthening procedures but as most of the listener "functionality" has been restricted to localhost on 10g is the extra protection worth it? If I had control of Oracle's security dev budget I could think of better places to spend it ;)
Cheers,
David

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 18th, 2005, 8:33am
David,

Alex Kornbrust found out that the local OS authentication of the listener (10G) can be circumvented. See Oracle bugid 6454409. His advice, for the time needed to fix the bug (and that can take years as we know) I suppose, is to disabled local OS authentication and use a strong password instead.
Reverting to a listener password allows remote users to guess for the password and if found a remote user can use commands like STATUS, SERVICES. Those commands could be used by a worm.
In this light don't you still think it's not worth to spend extra efforts in strengthing the listener password features?

Ivan

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 18th, 2005, 11:40am
I was also aware of the local listener authentication bypass. In fact if you look at the Oracle voyager worm source code recently released it demonstrates how this is possible remotely. I can see your point about budgets but the listener should have some mechanism to lockout after or rather during brute force atempts at least.

cheers

Pete

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 18th, 2005, 12:33pm
Ivan,
Metalink is showing nothing for this bug ID - probably been "hidden". Are you saying that a remote user can access listener functionality over the network again? Or are you saying a local user can influence the listener? If the former - then I'd be interested to know more if you have the details. If the latter then don't worry.
Cheers,
David

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 18th, 2005, 12:40pm
David,

I don't have details about this bug. But Alex will probably read this and react. Otherwise you can contact him directly.

Ivan

Title: Re: valid listener passwords
Post by Pete Finnigan on Nov 19th, 2005, 4:00pm
By now everybody probably knows that you can use the encrypted representation of the password in listener.ora instead of the password itself. So at least the characters Oracle uses to encrypt the listener password are valid...

If Oracle is to improve anything in the password handling of the listener, then this should be the first thing to fix. This is the only implementation of a password mechanism I know that allows to use the encrypted representation in place of the original password.
This is quite dangerous, because on many systems listener.ora must be world readable, because the monitoring processes must be able to read the listener configuration.

Title: Re: valid listener passwords
Post by Pete Finnigan on Dec 15th, 2005, 5:14am
Hey  maol,

I'm not sure I understand your concerns.

To password protect the tns listener, the listener must store either the password or it's hashed value somewhere.

That somewhere will most likely have to be a disk file on the host where the listener runs.

If this file is not protected, i.e. owned by oracle and accessible only to oracle (chmod 600), you have already lost the keys to the kingdom.

The argument about monitoring system requiring access to the file is not valid in my opinion; this is like arguing that because the security service will be making a nightly round at your workplace (to check for lights left on and other things) you must leave the door key under the door mat.  
NO - that not what you do, - you give the security service their own key!

Just imagine trying to convince your unix admin to make /etc/shadow world readable because you need to 'monitor' something...




Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board