We have Glovia on Solaris with Oracle as the database, and we have a central environment variable file that is called whenever a user logs in.
Currently the glovia user password is visible in plain text. Is there any way to secure it, like the way the password appears in /etc/passwd?
Thanks.

secure SQL_PASSWORD environment variable?
Started by RTC, Nov 07 2005 04:03 PM
5 replies to this topic
#2
Posted 07 November 2005 - 07:04 PM
Hi,
There is no way to secure it when you set SQL_USERNAME and SQL_PASSWORD.
You will have to change to use O/S Authentication in Oracle.
Then Oracle uses your unix login to verify authentication.
Which means you don't need to store the password anywhere.
Rob D.
#3
Posted 08 November 2005 - 03:29 AM
RTC,
One of our very security conscious clients embedded the plain text password in such a fashion that it is hidden from the user's environment and written in a file that none but root have access to. (I forget if they specifically wrote it into /etc/pro4.ini or a different file.)
Anyhow, they were not able to encrypt the password, but were reasonably comfortable with their solution. If you want, I can get more specific details from them.
Regards,
Joseph
#4
Posted 08 November 2005 - 06:38 AM
Hi Joseph,
I would be interested to know about that.
Does it cope with me not being able to just shell out of ProIV to UNIX and then just look at the SQL_PASSWORD var?
Rob D.
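An added example, not part of any post in this thread: a POSIX shell audit for the two exposures discussed above, a literal SQL_PASSWORD in a login environment file that group or other can read, and the variable being present in the environment a shelled-out process inherits. The function names, exit codes and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Needs a POSIX grep (on Solaris: /usr/xpg4/bin/grep).

# True when FILE ($1) assigns a literal value to VAR ($2), in sh or csh syntax.
# Values starting with $ or a backtick are treated as derived, not literal.
has_plaintext_secret() {
    grep -E "^[[:space:]]*(export[[:space:]]+)?$2=[\"']?[^[:space:]\$\`\"']" "$1" >/dev/null 2>&1 ||
    grep -E "^[[:space:]]*setenv[[:space:]]+$2[[:space:]]+[\"']?[^[:space:]\$\`\"']" "$1" >/dev/null 2>&1
}

# True when group or other has read permission on FILE ($1).
others_can_read() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r?????|???????r??) return 0 ;;
    esac
    return 1
}

# True when VAR ($1) is present in the environment a shelled-out user would see.
env_exposes() {
    env | grep "^$1=" >/dev/null 2>&1
}

# Exit status: 0 clean, 1 literal in a file others can read,
# 2 file missing, 3 literal in an owner-only file.
audit_env_file() {
    file=$1
    var=${2:-SQL_PASSWORD}
    [ -f "$file" ] || { echo "MISSING    $file"; return 2; }
    if has_plaintext_secret "$file" "$var"; then
        if others_can_read "$file"; then
            echo "EXPOSED    $file: literal $var, readable by group/other"
            return 1
        fi
        echo "RESTRICTED $file: literal $var, owner-only"
        return 3
    fi
    echo "CLEAN      $file: no literal $var"
    return 0
}

# Constructed sample: a login environment file like the one in the question.
demo_dir=$(mktemp -d)
printf 'SQL_USERNAME=glovia\nSQL_PASSWORD=Constructed1\nexport SQL_USERNAME SQL_PASSWORD\n' > "$demo_dir/env.sh"
chmod 644 "$demo_dir/env.sh"
audit_env_file "$demo_dir/env.sh" || true
chmod 600 "$demo_dir/env.sh"
audit_env_file "$demo_dir/env.sh" || true
env_exposes SQL_PASSWORD && echo "SQL_PASSWORD is visible to any child process" || true
rm -rf "$demo_dir"
```

A RESTRICTED result only covers the file on disk; if the login script still exports the variable, `env_exposes` reports it from inside the user's session regardless of the file's mode.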
#6
Posted 08 November 2005 - 10:54 AM
Also, if you're using Oracle and comfortable writing C/Oracle code (I appreciate this won't apply to most) then you can set the SQL_ENABLE_ORAPROC environment variable (I think I have that right) and the ProIV kernel will hand control of the database connect processing to your C code - then of course you can use whatever technique you want to acquire a password.
Nothing's as simple as you think