0040 78 00 65 00 63 00 20 00 73 00 70 00 5f 00 70 00 x.e.c. . s.p._.p.
0050 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 a.s.s.w. o.r.d. .
0060 27 00 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 '. p.a.s. s.w.o.r.
0070 64 00 27 00 2c 00 20 00 27 00 6e 00 33 00 77 00 d. '.,. . ' .n.3.w.
0080 70 00 32 00 73 00 73 00 77 00 34 00 72 00 64 00 p.2.s.s. w.4.r.d.
0090 27 00 0d 00 0a 00 '.....
The same is true for Oracle; executing:
alter user scott identified by n3wp2ssw4rd;
generates the following network communication:
0000 00 10 db 46 3e 74 00 0d 56 b2 05 34 08 00 45 00 ...F>t.. V..4..E.
0010 00 ef d3 f4 40 00 80 06 a1 07 c0 a8 01 a8 c0 a8 ....@... ........
0020 02 14 11 fd 05 f1 f6 eb c8 8f 53 01 76 42 50 18 ........ ..S.vBP.
0030 f6 ba 2c 7c 00 00 00 c7 00 00 06 00 00 00 00 00 ..,|.... ........
0040 11 69 20 b0 3f e1 00 01 00 00 00 02 00 00 00 03 .i .?... ........
0050 5e 21 21 80 00 00 00 00 00 00 f0 99 e2 00 2a 00 ^!!..... ......*.
0060 00 00 d8 de e1 00 0c 00 00 00 00 00 00 00 08 df ........ ........
0070 e1 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 ........ ........
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0090 00 00 00 00 00 00 0a df e1 00 cc 9d e2 00 00 00 ........ ........
00a0 00 00 2a 61 6c 74 65 72 20 75 73 65 72 20 73 63 ..* alter user sc
00b0 6f 74 74 20 69 64 65 6e 74 69 66 69 65 64 20 62 ott iden tified b
00c0 79 20 6e 33 77 70 32 73 73 77 34 72 64 01 00 00 y n3wp2s sw4rd ...
00d0 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00e0 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 ........ ........
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ .....
Chapter 10 shows you how you can protect yourself from this type of
vulnerability by encrypting the communications stream. Also, if you are
using operating system authentication, you can avoid this database issue
because the password change does not really occur by communicating with
the database—it happens at the operating system level.
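The two captures above make the point directly: the new password crosses the network as readable text, UTF-16LE in the SQL Server case and plain 8-bit text in the Oracle case. As an added example (my code, not the book's or either vendor's), the following Python script parses hex dumps in the format reproduced above, recovers the bytes, and flags password-change statements found in the decoded payload, masking the secrets in what it reports. The dump lines embedded in it are copied from the captures above; the statement patterns (sp_password with an optional NULL old password, ALTER USER ... IDENTIFIED BY with an unquoted password) are assumptions about what such captures contain, not a full grammar for either product.

```python
"""Flag cleartext password-change statements in captured database traffic.

Added example, not code from the book. Parses hex dumps of the form shown
above (offset, up to 16 hex bytes, ASCII column), recovers the raw bytes and
looks for sp_password (SQL Server sends T-SQL as UTF-16LE inside TDS) and
ALTER USER ... IDENTIFIED BY (Oracle sends the statement as 8-bit text).
Findings mask the secrets: logging the captured password would only copy it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One dump line: 4-digit offset, then up to 16 hex byte pairs. The ASCII column
# is ignored; on a short line it could only be mistaken for data if it began
# with a two-hex-digit word, which the dumps above never do.
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}((?:\s+[0-9a-fA-F]{2}){1,16})")

# Password-change statements, matched on decoded text. Named groups hold the
# secrets to mask. Assumed forms: sp_password takes NULL or a quoted old
# password, then the quoted new one; ALTER USER takes an unquoted password.
_RULES = [
    ("SQL Server sp_password",
     re.compile(r"sp_password\s+(?:N?'(?P<old>[^']*)'|NULL)\s*,\s*N?'(?P<new>[^']*)'", re.I)),
    ("Oracle ALTER USER ... IDENTIFIED BY",
     re.compile(r"alter\s+user\s+\w+\s+identified\s+by\s+(?P<new>\w+)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    dbms: str
    statement: str      # matched statement with the secret(s) replaced by '*'
    secret_length: int  # length of the new password seen on the wire


def parse_hexdump(text: str) -> bytes:
    """Return the bytes encoded by a hex dump; lines without an offset are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def _mask(m: re.Match) -> str:
    """Replace every matched 'old'/'new' group in the match text with asterisks."""
    text, base = m.group(0), m.start()
    spans = sorted((m.start(g) - base, m.end(g) - base)
                   for g in ("old", "new")
                   if g in m.re.groupindex and m.group(g) is not None)
    pieces, pos = [], 0
    for start, end in spans:
        pieces.extend((text[pos:start], "*" * (end - start)))
        pos = end
    pieces.append(text[pos:])
    return "".join(pieces)


def _decodings(data: bytes):
    """Yield the payload as 8-bit text and as UTF-16LE at both byte alignments."""
    yield data.decode("latin-1")
    for skip in (0, 1):
        yield data[skip:].decode("utf-16-le", errors="replace")


def find_cleartext_password_changes(data: bytes) -> list[Finding]:
    """Return one masked Finding per password-change statement visible in data."""
    seen, findings = set(), []
    for text in _decodings(data):
        for dbms, rule in _RULES:
            for m in rule.finditer(text):
                finding = Finding(dbms, _mask(m), len(m.group("new")))
                if finding not in seen:
                    seen.add(finding)
                    findings.append(finding)
    return findings


# The relevant lines of the two dumps reproduced above (SQL Server from 0x0040,
# Oracle from 0x00a0); the parser needs only the offset and hex columns.
SQLSERVER_DUMP = """\
0040 78 00 65 00 63 00 20 00 73 00 70 00 5f 00 70 00 x.e.c. . s.p._.p.
0050 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 a.s.s.w. o.r.d. .
0060 27 00 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 '. p.a.s. s.w.o.r.
0070 64 00 27 00 2c 00 20 00 27 00 6e 00 33 00 77 00 d. '.,. . ' .n.3.w.
0080 70 00 32 00 73 00 73 00 77 00 34 00 72 00 64 00 p.2.s.s. w.4.r.d.
0090 27 00 0d 00 0a 00 '.....
"""
ORACLE_DUMP = """\
00a0 00 00 2a 61 6c 74 65 72 20 75 73 65 72 20 73 63 ..* alter user sc
00b0 6f 74 74 20 69 64 65 6e 74 69 66 69 65 64 20 62 ott iden tified b
00c0 79 20 6e 33 77 70 32 73 73 77 34 72 64 01 00 00 y n3wp2s sw4rd ...
"""

if __name__ == "__main__":
    for name, dump in (("SQL Server", SQLSERVER_DUMP), ("Oracle", ORACLE_DUMP)):
        for f in find_cleartext_password_changes(parse_hexdump(dump)):
            print(f"{name}: {f.dbms}: {f.statement} (secret length {f.secret_length})")
```

Run stand-alone it prints one masked finding per capture. Pointed at a live tap, the same check is a cheap way to confirm that the encryption described in Chapter 10 is really in place: once the stream is encrypted, neither pattern is recoverable from the packets.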
Let's go back to Windows authentication in Oracle. You now understand
how the client connects to the server and how the server uses the Windows
APIs for authentication. The next step in terms of the sign-on process is for
the server to associate the authenticated user with an Oracle user. If I have an
operating system user called ronb, for example, I would use:
CREATE USER "OPS$RONB\WORKGROUP" IDENTIFIED EXTERNALLY;
IDENTIFIED EXTERNALLY tells Oracle that authentication is done outside
the database, and that's why I don't need to specify a password when doing
so. The OPS$ is the prefix defined by the os_authent_prefix attribute mentioned
a few paragraphs ago. One of the advantages of this approach is that
you would never change this user's password using ALTER USER—you
would change the password in Windows.