secure SQL_PASSWORD environment variable?


#1 RTC

Posted 07 November 2005 - 04:03 PM

We have Glovia on Solaris with Oracle as the database, and we have a central environment variable file that is called whenever a user logs in.

Currently the glovia user password is visible in plain text. Is there any way to secure it, like the way the password appears in /etc/passwd?

thanks.

#2 Rob Donovan

Posted 07 November 2005 - 07:04 PM

Hi,

There is no way to secure it when you set SQL_USERNAME and SQL_PASSWORD.

You will have to change to use O/S Authentication in Oracle.

Then Oracle uses your unix login to verify authentication.

Which means you don't need to store the password anywhere.

Rob D.

#3 Joseph Bove

Posted 08 November 2005 - 03:29 AM

RTC,

One of our very security conscious clients embedded the plain text password in such a fashion that it is hidden from the user's environment and written in a file that none but root have access to. (I forget if they specifically wrote it into /etc/pro4.ini or a different file.)

Anyhow, they were not able to encrypt the password, but were reasonably comfortable with their solution. If you want, I can get more specific details from them.

Regards,

Joseph

#4 Rob Donovan

Posted 08 November 2005 - 06:38 AM

Hi Joseph,

I would be interested to know about that.

Does it cope with me not being able to just shell out of ProIV to UNIX and then just look at the SQL_PASSWORD var?

Rob D.

#5 RTC

Posted 08 November 2005 - 10:51 AM

Rob,

We will explore O/S authentication in Oracle.


Joseph,

Yes, details please. I am curious how they were able to hide the environment file.


Thanks

RTC

#6 Richard Bassett

Posted 08 November 2005 - 10:54 AM

Also, if you're using Oracle and comfortable writing C/Oracle code (I appreciate this won't apply to most) then you can set the SQL_ENABLE_ORAPROC environment variable (I think I have that right) and the ProIV kernel will hand control of the database connect processing to your C code - then of course you can use whatever technique you want to acquire a password.

Nothing's as simple as you think
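
An added example, not part of any post in this thread: a POSIX shell check for the situation in posts #1 and #3, reporting whether a login environment file assigns SQL_USERNAME or SQL_PASSWORD and whether that file is readable beyond its owner. The regular expression, the verdict names and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a login environment file for
# plaintext ProIV database credentials. No credential values are printed.

# Assignment forms for sh/ksh (VAR=, export VAR=) and csh (setenv VAR value).
# Commented-out lines do not match. Assumes a POSIX grep with -E support.
CRED_RE='^[[:space:]]*(export[[:space:]]+|setenv[[:space:]]+)?SQL_(USERNAME|PASSWORD)[=[:space:]]'

# Prints one verdict: missing | clean | exposed | restricted
audit_env_file() {
    f=$1
    if [ ! -f "$f" ]; then echo "missing"; return 2; fi
    hits=$(grep -cE "$CRED_RE" "$f" || true)
    if [ "$hits" -eq 0 ]; then echo "clean"; return 0; fi
    # Portable mode check (no GNU stat needed): parse the "ls -ld" mode string.
    mode=$(ls -ld "$f" | cut -c1-10)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$group_r" = "r" ] || [ "$other_r" = "r" ]; then
        echo "exposed"      # credentials readable beyond the file owner
        return 1
    fi
    # Owner-only file. The variable is still visible inside any process that
    # inherited it, which is the limitation raised in post #4.
    echo "restricted"
    return 0
}

# Demo on a constructed sample file (contents are made up for illustration).
demo() {
    sample=$(mktemp)
    printf 'ORACLE_SID=demo\nexport SQL_USERNAME=glovia\nexport SQL_PASSWORD=constructed-value\n' > "$sample"
    chmod 644 "$sample"; printf '644: '; audit_env_file "$sample" || true
    chmod 600 "$sample"; printf '600: '; audit_env_file "$sample" || true
    rm -f "$sample"
}
demo
```

A "clean" verdict is what the file should report once the site has moved to O/S authentication as suggested in post #2, since no password needs to be stored.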


