如何使用加密密码验证 Oracle 登录
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17807188/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to authenticate Oracle login using encrypted password
提问by Raghav
We are connecting to Oracle using KornShell (ksh) scripts, which use SQL*Plus to connect to Oracle. The Oracle database is on the same Solaris box. Currently, we are storing Oracle user id and password (plain text) in a file in the .ssh folder of the connecting user, with 400 permission bits.
我们使用 KornShell (ksh) 脚本连接到 Oracle,该脚本使用 SQL*Plus 连接到 Oracle。Oracle 数据库位于同一个 Solaris 机器上。目前,我们将 Oracle 用户 ID 和密码(纯文本)存储在连接用户的 .ssh 文件夹中的一个文件中,具有 400 个权限位。
The DBAs are objecting to this way of working, citing the fact that we are using plain text password for authentication. When we offered that we would encode the password using base64, they still did not like the idea, citing that we would still decrypt the password in the shell script and transmit the password over network.
DBA 反对这种工作方式,理由是我们使用纯文本密码进行身份验证。当我们提出我们将使用 base64 编码密码时,他们仍然不喜欢这个想法,理由是我们仍然会在 shell 脚本中解密密码并通过网络传输密码。
Now, I want to understand this-
现在,我想明白这一点——
I have been reading that Oracle encrypts/hashes the password string, before transmitting it. I can not find the reference right now though, however, I still want to confirm my understanding. Is it really like this? We are on 11g r2, would that make a difference?
Would I be able to login to SQL*Plus without decrypting the password hash? e.g., DBAs set a password, pass on the hash to me. I put that in a file, and supply to SQL*Plus as a parameter. Is there some way by which this kind of authentication work? I know some tools do allow that, if you encode using their tool, they are able to decrypt the value and use it for authentication. Does Oracle?
我一直在读到 Oracle 在传输密码字符串之前加密/散列它。我现在找不到参考资料,但是,我仍然想确认我的理解。真的是这样吗?我们使用的是 11g r2,这会有所不同吗?
我能否在不解密密码哈希的情况下登录到 SQL*Plus?例如,DBA 设置密码,将哈希传递给我。我把它放在一个文件中,并作为参数提供给 SQL*Plus。这种身份验证有什么方法可以工作吗?我知道有些工具确实允许这样做,如果您使用他们的工具进行编码,则他们能够解密该值并将其用于身份验证。甲骨文吗?
Help me fellas.
伙计们帮帮我。
回答by tbone
Its been a while since doing this (and I don't have a linux box handy atm), but you can trythis to hide details from ps:
自从这样做以来已经有一段时间了(而且我没有一个方便的 linux 盒 atm),但是您可以尝试使用它来隐藏 ps 的详细信息:
echo password | sqlplus -s username@database @myscript.sql
Note that -s is silent mode for sqlplus. I believe you can also put the password in a "protected" file (I use the term loosely, but set bits to 400) and cat the file, piping to sqlplus as above.
请注意,-s 是 sqlplus 的静默模式。我相信你也可以把密码放在一个“受保护的”文件中(我使用这个术语松散,但将位设置为 400)并将文件 cat ,管道到 sqlplus 如上所述。
Edit: If the DBAs are really concerned with passwords, then how about using NO passwords. You can try OS authentication, but you need some setup first. For example:
编辑:如果 DBA 真的关心密码,那么不使用密码如何。您可以尝试操作系统身份验证,但您需要先进行一些设置。例如:
--in Oracle, create new user
--在Oracle中,创建新用户
create user ops$batch_user IDENTIFIED EXTERNALLY;
grant connect to ops$batch_user;
-- in Unix (login as batch_user, or use su command)
-- 在 Unix 中(以 batch_user 身份登录,或使用 su 命令)
export ORACLE_HOME=/app/oracle/product/11.2
export PATH=$PATH:$ORACLE_HOME/bin
export ORACLE_SID=DEV
sqlplus /
Note that no passwords are used since the user is authenticated by the os. This is less complicated than Oracle wallet imo, but not perfect either.
请注意,没有使用密码,因为用户已通过 os 进行身份验证。这比 Oracle wallet imo 简单,但也不完美。
回答by ThinkJet
You can use Oracle Walletsfor DB authentication.
您可以使用Oracle Wallets进行数据库身份验证。
Example of tuning may be found here.
可以在此处找到调整示例。
回答by Devolus
How exactly are you connecting to the db? If you use sqlplus user/password@databasefrom your commandline/script then you indeeed have a problem. The reason is, that you can easily see the password with the pscommand.
你究竟是如何连接到数据库的?如果您sqlplus user/password@database从命令行/脚本中使用,那么您确实有问题。原因是,您可以使用ps命令轻松查看密码。
Obfuscating it with Base64is not really an encryption, because Base64is a known algorithm for transfering binary data over the wire. This might baffle some, but certainly is not a safe way of sending a password.
混淆它Base64并不是真正的加密,因为这Base64是一种通过网络传输二进制数据的已知算法。这可能会让一些人感到困惑,但肯定不是发送密码的安全方式。
What I do in this case, to avoid the password being shown int he process list, is that I write the password to a textfile with read only permission for the local user. Then I run sqlplus with nohup or in the background sqlplus user@db < pwdfileand immediately delete the file again.
在这种情况下,为了避免在进程列表中显示密码,我所做的是将密码写入具有本地用户只读权限的文本文件。然后我用 nohup 或在后台运行 sqlplussqlplus user@db < pwdfile并立即再次删除该文件。
