Pluggable and externally identified users without using remote authentication

Yesterday I was shocked to find a note on metalink that recommends a huge security hole using a deprecated Parameter 2042219.1 : create user c##oracle identified externally + set remote_os_authent=true This is extremly sad. It is such a non-sense to recommend such a flaw. It makes me really angry 👿 Okay, for my readers I… Continue reading Pluggable and externally identified users without using remote authentication

ODBC and EZCONNECT or my way out of active directory

The traditional way of connecting Excel (or Access) to Oracle (and other databases) is to use ODBC and TNSNAMES. You install an Oracle client, you create a connection and specify your tnsnames connection alias as server, here below DB01 tnsnames.ora DB01 = (DESCRIPTION= (ADDRESS= (PROTOCOL=TCP)(host=srv01)(Port=1521) ) (CONNECT_DATA= (SERVICE_NAME=DB01) ) ) But the file is often… Continue reading ODBC and EZCONNECT or my way out of active directory

Connect to ActiveDirectory with ldapsearch on Unix

In ancient times, ldapsearch could query ActiveDirectory without issues. In this examples, I used openldap client 2.4. Other tools may have other parameters. $ ldapsearch -H ldap:// -b dc=example,dc=com cn=”Laurent C. Schneider” mail mail: In Active Directory (AD) it is no longer the default since Windows Server 2003, unless you change dSHeuristics to 0000002… Continue reading Connect to ActiveDirectory with ldapsearch on Unix

Audit pluggable database

In the old now-deprecated maybe-soon-desupported non-cdb infrastructure, AUDIT’ing was done right after connect / as sysdba. In single-tenant (or multi-tenant), things get complicated. Once again, the doc must be read at least twice 😉 If you issue an audit statement in the root, then the database performs auditing across the entire CDB, that is, in… Continue reading Audit pluggable database

Privileges on a view

Granting too many privileges on a view could be disastrous. A view is often used as a security element; you grant access to only a subset of columns and rows to one user. Mostly only SELECT. If you want to grant update to only some rows, the security could be enhanced with the WITH CHECK… Continue reading Privileges on a view

powershell code signing

Unix users don’t use this. Maybe some java developers do. But no Unix sysadmins. Never. On Windows, things are getting more secure every release, especially if you pay attention to those details. In Unix, if I have a script called “getdate” which shows me the date, I can copy it to another machine. $ cat… Continue reading powershell code signing

disallow pseudo terminal in ssh

Some Oracle documentation wants you to setup ssh with no password and no passphrase. Configuring ssh This is not really something your security admin will like. First, using DSA, which is deprecated and disabled by default in OpenSSH 7.0, is a pretty dump instruction OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key… Continue reading disallow pseudo terminal in ssh

default listener port

Long time ago, Maxime Yuen registered 1521 for nCube License Manager. By googling I found : Ellison cleans house at nCube, and since them 1521 has been used as a default port for Oracle. Still, you’ll see nCube in IANA.ORG service names port numbers and in /etc/services the nCube name. I don’t know which one… Continue reading default listener port

generate safe passwords

This is probably ambitious and I’ll start with a disclaimer, there is no such thing. But ok, we know that system/manager isn’t Apart from system/manager, there are hundreds of weak passwords that are commonly used and easy to guess. On your database server, after a few tries, the account is lock. And maybe the attacker… Continue reading generate safe passwords

Generate 11g password hash

An easy way to generate a value string from the ssl is to use openssl Let’s take a random salt of ABCDEFGHIJ. The length of 10 is important. The hexadecimal representation is -41-42-43-44-45-46-47-48-49-4A- $ echo “SafePassw0rDABCDEFGHIJ\c” | openssl dgst -sha1 (stdin)= 47cc4102144d6e479ef3d776ccd9e0d0158842bb With this hash, I can construct my value SQL> create user testuser identified… Continue reading Generate 11g password hash

Categorized as dba, security

list database monitoring users

I am quite familiar with the SYSMAN tables but this one required me some googling beyond the Oracle documentation. The list of targets in your Oracle Enterprise Manager is in SYSMAN.MGMT_TARGETS. Each database target is monitored by a database user, typically DBSNMP. To retrieve this information, you need some to hijack your database, read this… Continue reading list database monitoring users

Untrusted X11 forwarding

I wrote a while ago about my security concerns regarding xhost + xterm -display mypc:0 Way back then, I suggested ssh tunnel. SSH is pretty easy to set up, by enabling the X11Forwarding option. In OpenSSH 3.8 release note, 2004, there was a new default . ssh(1) now uses untrusted cookies for X11-Forwarding In the… Continue reading Untrusted X11 forwarding

run sudo, ssh, password, su in simulated interactive mode

Some commands do not like non-interactive mode $ passwd newpassword > newpassword > EOF Changing password for user lsc. Current password for passwd: Authentication token manipulation error $ echo oraclepassword | su – oracle standard in must be a tty $ echo sudopassword | sudo su – oracle [sudo] password for lsc: sudo: sorry,… Continue reading run sudo, ssh, password, su in simulated interactive mode

switch user in Oracle

Almost a decade ago I wrote about su in sqlplus. This 10gR2 “new” feature allows delegation à la sudo. By checking the DBA_USERS in 12c I found PROXY_ONLY_CONNECT. According to Miguel Anjo, there is a secret syntax for allowing only the proxy user. SQL> ALTER USER app_user PROXY ONLY CONNECT; SQL> CONNECT app_user/xyz ERROR:ORA-28058: login… Continue reading switch user in Oracle

SSL with PKCS12 truststore

Many many moons ago I vaguely remember having a similar issue with java keystore / truststore and microsoft certificates stores. When you start using SSL for your listener, you could potentially face a large number of issues amoung your toolsets. In my opinion, the most disastrous one is that you cannot monitor your database with… Continue reading SSL with PKCS12 truststore

anonymous cypher suites for SSL (and a 12c pitfall)

If you configure your listener for encryption only, you do not really need authentication. It works pretty fine until, I wrote multiple posts on ssl. You add SSL_CLIENT_AUTHENTICATION=FALSE to your server sqlnet.ora and listener.ora and specify an “anon” cipher suite in your client. You do not need to validate the certificate, so a default… Continue reading anonymous cypher suites for SSL (and a 12c pitfall)

poor man ActiveDirectory password checker

To have the same users in multiple databases and no single sign on is quite a nightmare for password expiration, synchronisation and validation. You probably were discouraged by the long long route to kerberos, where the bugs are fixed in, the 12.1 bugs are fixed in 12.2. And lot’s of system changes that… Continue reading poor man ActiveDirectory password checker

ssl version

I wrote about ssl version in jdbc thin yesterday The default version also no longer works for the thick client with 12c client and 11g Server. With 11gR2 : C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521))) TNS Ping Utility for 64-bit Windows: Version OK (100 msec) with 12cR1 : C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521))) TNS Ping Utility for 64-bit Windows:… Continue reading ssl version

TCPS and SSLv2Hello

Thanks to platform independence, the same java code work on different platforms. import java.util.Properties; import; import java.sql.*; import*; public class KeyStore { public static void main(String argv[]) throws SQLException { String url=”jdbc:oracle:thin:@(DESCRIPTION=”+ “(ADDRESS=(PROTOCOL=TCPS)(Host=SRV01)(“+ “Port=1521))(CONNECT_DATA=(SID=DB01)))”; Properties props = new Properties(); props.setProperty(“user”, “scott”); props.setProperty(“password”, “tiger”); props.setProperty(“”, “keystore.jks”); props.setProperty( “”,”JKS”); props.setProperty( “”,”***”); DriverManager.registerDriver( new oracle.jdbc.OracleDriver()); Connection… Continue reading TCPS and SSLv2Hello

check if using tcps part II

in your current session, as written there, check sys_context(‘USERENV’, ‘NETWORK_PROTOCOL’) in another session, you could grab some hints out of the network service banner. Do the maths, when it is not-not using ssl, it probably is… select sid,program, case when program not like ‘ora___@% (P%)’ then (select max(case when NETWORK_SERVICE_BANNER like ‘%TCP/IP%’ then ‘TCP’ when… Continue reading check if using tcps part II

The long long route to Kerberos

If you want to single-sign-on to your database with your Windows credentials, be aware, it is hard! But the benefit is quite valuable, no more saved password on the client, central password management and user expiration, compliance to the security guidelines, and at no extra cost Landscape for my setup One PC with Windows (PC01.EXAMPLE.COM)… Continue reading The long long route to Kerberos

Do you really need ASO?

If you only use the Advanced Security Option for SSL, you may not need to pay for it ! License 11.2 When used with Oracle Real Application Clusters, Oracle Advanced Security SSL/TLS is included. But also License 11.1 Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no… Continue reading Do you really need ASO?

encrypt with openssl

I want to avoid cleartext password on my filesystem I encrypt my password with a secret key echo tiger | openssl enc -aes-256-cbc -k MyKey -out $HOME/myconfig Whenever I call a script, I pass the secret key sqlplus scott/$(openssl enc -d -aes-256-cbc -k MyKey -in $HOME/myconfig) Of course you still need the key {MyKey}, but… Continue reading encrypt with openssl