Hide Password in SQL Plus

Alexander Lyakhovetsky

Sep 12, 1996, 3:00:00 AM

We are using sqlplus in shell scripts. In order to connect to a
database, we have to pass connect string but password becomes visible
if you run ps command. Is there any way to hide password from ps
command?

Here is a couple of lines from our script.

CONNECT=dbid/password
sqlplus $CONNECT

Thanks, Alex

al...@wwa.com

Garry M. Filimonov

Sep 13, 1996, 3:00:00 AM

Alexander Lyakhovetsky <al...@wwa.com> wrote in article <3238C8...@wwa.com>...

A-HA !!! Do u try it?
--
G'luck !
-----------------------------------------
Garry M. Filimonov
LASU TRINITI, Troitsk, MO, Russia
ga...@triniti.troitsk.ru


Pankaj Soni

Sep 13, 1996, 3:00:00 AM
to ga...@fly.triniti.troitsk.ru

Yes, make a clone ps called psa. Let ps be a sed script
which replaces "xyz/xyz" from output of psa with "**/**".


Ivan Samuelson

Sep 14, 1996, 3:00:00 AM

On Thu, 12 Sep 1996 21:36:41 -0500, Alexander Lyakhovetsky <al...@wwa.com>
wrote:

>We are using sqlplus in shell scripts. In order to connect to a
>database, we have to pass connect string but password becomes visible
>if you run ps command. Is there any way to hide password from ps
>command?
>
>Here is a couple of lines from our script.
>
>CONNECT=dbid/password
>sqlplus $CONNECT
>
>Thanks, Alex
>
I'm assuming since you said "shell script", that you're using UNIX.

One way to do it is this:

1) Put the password into a text file. Do a chmod 0400 on it so that only
the owner can read it. In our example, call it password.txt.

2) In the shell script, call SQLPLUS and your SQL script as follows:

sqlplus (username) @sql_script < password.txt

Another way you can do it doesn't depend on what OS you're running on. You can
have the username and password at the top of your sql script and call SQLPLUS as
follows:

sqlplus @sql_script

The rest of your script follows the username and password.

Hope this helps!


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ivan Samuelson, Consultant * LET 'ER RIP! GO HORSE!
Profound Consulting * bol...@indy.net
http://www.indy.net/~profound * http://chaos.taylored.com/home/bolski/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Ian Parkin

Sep 14, 1996, 3:00:00 AM

Pankaj Soni (ps...@amp.com) wrote:
: Yes, make a clone ps called psa. Let ps be a sed script
: which replaces "xyz/xyz" from output of psa with "**/**".

IMHO altering a system wide tool such as 'ps' is summat of a hack and is not
desirable.

#1 - Consider ops$ accounts

#2 - Use what Unix gives you :

--snip--
#!/bin/sh
sqlplus << !
user/password
DML/DDL/stuff goes here
exit
!
exit 0
--snip--

#3 Use Oraperl.


IAP

Parris Geiser

Sep 15, 1996, 3:00:00 AM

Alexander,
Don't use this advice. The variable CONNECT will be expanded and seen with ps.
parris

Alexander Lyakhovetsky (al...@wwa.com) wrote:
> We are using sqlplus in shell scripts. In order to connect to a
> database, we have to pass connect string but password becomes visible
> if you run ps command. Is there any way to hide password from ps
> command?

> Here is a couple of lines from our script.

> CONNECT=dbid/password
> sqlplus $CONNECT

> Thanks, Alex

> al...@wwa.com

Don Libes

Sep 17, 1996, 3:00:00 AM

In article <3238C8...@wwa.com> Alexander Lyakhovetsky <al...@wwa.com> writes:
We are using sqlplus in shell scripts. In order to connect to a
database, we have to pass connect string but password becomes visible
if you run ps command. Is there any way to hide password from ps
command?

Here is a couple of lines from our script.

CONNECT=dbid/password
sqlplus $CONNECT

For a nice paper on ways to effectively hide passwords, read:

Libes, D., "Handling Passwords with Security and Reliability in
Background Processes", Proceedings of the Eighth USENIX System
Administration Conference (LISA VIII), pp. 57-64, San Diego, CA,
September 19-23, 1994.

http://www.cme.nist.gov/msid/pubs/libes94d.ps

Don

Alvaro H. Buitrago Giraldo

Sep 18, 1996, 3:00:00 AM

Parris Geiser (par...@duart.esp.bellcore.com) wrote:
: Alexander Lyakhovetsky (al...@wwa.com) wrote:
: > We are using sqlplus in shell scripts. In order to connect to a
: > database, we have to pass connect string but password becomes visible
: > if you run ps command. Is there any way to hide password from ps
: > command?


: > CONNECT=dbid/password
: > sqlplus $CONNECT

Have you tried with identified by OS??
We have our database users identified externally, and in the init file
have a line with:
os_authent_prefix = ""
So, when the users connect, they use sqlplus /
In this form, only the user in the OS can connect to the database.

Bye
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Alvaro Hernan Buitrago Giraldo ~
~ The worst thing that could have happened to systems ~
~ When you are in the middle of a great shadow ~
~ It is because there is a great light nearby ~
~ e-mail: albu...@calvin.univalle.edu.co ~
~ http://calvin.univalle.edu.co/~albuitra ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rune & Gry

Sep 18, 1996, 3:00:00 AM

Why don't you use std input in script:
sqlplus <<END_OF_INPUT
dbid/password
...
any sql statement
...
exit;
END_OF_INPUT


Don Libes <li...@nist.gov> wrote in article
<s6aloe9...@muffin.nist.gov>...

> In article <3238C8...@wwa.com> Alexander Lyakhovetsky <al...@wwa.com> writes:
> We are using sqlplus in shell scripts. In order to connect to a
> database, we have to pass connect string but password becomes visible
> if you run ps command. Is there any way to hide password from ps
> command?
>

Dave Erwin

Sep 18, 1996, 3:00:00 AM

You can use externally identified account (ops$) or do the following

sqlplus /nolog -- start sqlplus but do not logon
connect username/password -- logon

In article <3238C8...@wwa.com>, Alexander Lyakhovetsky <al...@wwa.com>
wrote:

> We are using sqlplus in shell scripts. In order to connect to a
> database, we have to pass connect string but password becomes visible
> if you run ps command. Is there any way to hide password from ps
> command?
>
> Here is a couple of lines from our script.
>
> CONNECT=dbid/password
> sqlplus $CONNECT
>

> Thanks, Alex
>
> al...@wwa.com

--
Dave Erwin
Lockheed Martin Missiles & Space
Email: der...@lmsc.lockheed.com

The opinions expressed are those of the author and not necessarily those of the Lockheed Martin Corporation.
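
Added example, not part of any post in this thread: it starts a process both ways discussed above and checks what `ps` can see of it, first with the connect string as an argument (the question's pattern), then with `/nolog` and the CONNECT line on standard input (the here-document and `/nolog` replies). `fake_sqlplus` is a hypothetical stand-in for the real SQL*Plus binary and the credential is constructed.

```shell
#!/bin/sh
SECRET='dbid/Constructed-Pw1'   # constructed sample credential, not a real one

# Hypothetical stand-in for sqlplus: ignores its arguments, drains stdin and
# stays alive so its argument list can be inspected. The trailing ':' keeps
# the shell from exec'ing sleep, which would replace the argv under test.
fake_sqlplus() {
    exec sh -c 'cat >/dev/null; sleep 5; :' fake_sqlplus "$@" >/dev/null 2>&1
}

# Print the argument list of PID $1 as ps sees it (falls back to Linux /proc).
args_of() {
    ps -o args= -p "$1" 2>/dev/null || tr '\0' ' ' < "/proc/$1/cmdline"
}

# Give PID $1 a second to exec, look for the secret, then clean up.
# Returns 0 if the secret is visible in the process's arguments.
probe() {
    sleep 1
    rc=1
    if args_of "$1" | grep -q -F -- "$SECRET"; then rc=0; fi
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    return "$rc"
}

# Pattern from the question: connect string passed as an argument.
run_with_argv() {
    CONNECT=$SECRET
    fake_sqlplus $CONNECT &
    probe "$!"
}

# Pattern from the replies: /nolog, then CONNECT on standard input.
run_with_stdin() {
    fake_sqlplus /nolog <<EOF &
connect $SECRET
exit
EOF
    probe "$!"
}

if run_with_argv;  then echo "argv:  password visible in ps"; fi
if run_with_stdin; then :; else echo "stdin: password not visible in ps"; fi
```

The here-document keeps the password out of the process table, but it still sits in the script file, so the file's permissions matter as much as in the password.txt suggestion earlier in the thread.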

Brian M. Biggs

Sep 20, 1996, 3:00:00 AM

Dave Erwin wrote:
>
> You can use externally identified account (ops$) or do the following
>
> sqlplus /nolog -- start sqlplus but do not logon
> connect username/password -- logon

I used to do this on VMS, but under UNIX it doesn't look like SQL*Plus
supports the /nolog parameter. Anyone else seen this?

I tried to use /nolog so I could put a 'whenever sqlerror exit'
statement in the script, allowing my shell script to trap when my SQL
scripts get errors, including invalid user and password. But I get
inconsistent results.

Thanks,
Brian

--
Brian M. Biggs mailto:bbi...@cincom.com
Cincom Systems, Inc. voice: (513) 677-7661
http://www.cincom.com/

Bill Yuey

Sep 20, 1996, 3:00:00 AM

Dave Erwin wrote:
>
> You can use externally identified account (ops$) or do the following
>
> sqlplus /nolog -- start sqlplus but do not logon
> connect username/password -- logon
>
> In article <3238C8...@wwa.com>, Alexander Lyakhovetsky <al...@wwa.com>
> wrote:
>
> > We are using sqlplus in shell scripts. In order to connect to a
> > database, we have to pass connect string but password becomes visible
> > if you run ps command. Is there any way to hide password from ps
> > command?
> >
> > Here is a couple of lines from our script.
> >
> > CONNECT=dbid/password
> > sqlplus $CONNECT
> >
> > Thanks, Alex
> >
> > al...@wwa.com
>
> --
> Dave Erwin
> Lockheed Martin Missiles & Space
> Email: der...@lmsc.lockheed.com
>
> The opinions expressed are those of the author and not necessarily those of the Lockheed Martin Corporation.

Actually, Oracle Corp. provides a very neat solution to the password
problem. They have a program, called 'hide' which they provide the
source for. You compile it on your system and when you want to
invoke sqlplus, for instance, you run 'hide sqlplus userid/password'.
The difference is, that when you run a ps, all you see is sqlplus,
without the userid and password displayed. You can rename sqlplus to
something else and create a shell script called sqlplus that calls
hide. That way it's transparent to the user. Everyone just runs sqlplus
like they always have. I've done this on HP-UX, and it works fine.

Chris Jones

Sep 23, 1996, 3:00:00 AM

"Brian M. Biggs" <bbi...@cincom.com> writes:

> Dave Erwin wrote:
> > sqlplus /nolog -- start sqlplus but do not logon
> > connect username/password -- logon
>
> I used to do this on VMS, but under UNIX it doesn't look like SQL*Plus
> supports the /nolog parameter. Anyone else seen this?

It works for me. The /nolog option is a generic part of SQL*Plus in
command line environments.

--
Christopher Jones, cjo...@au.oracle.com

"The opinions expressed here are my own, and are not necessarily those
of Oracle Corporation."

Paul Tame

Sep 23, 1996, 3:00:00 AM

One of our 'c' gurus has written a program called _sqlplus which calls
sqlplus in some way as to not generate the command line on the unix ps
buffer. Everyone then uses sqlplus as an alias to _sqlplus.

Call me off line for more details.

Rgds Paul Tame.

Chuck Hamilton

Sep 23, 1996, 3:00:00 AM

Chris Jones <cjo...@wishful.au.oracle.com> wrote:

>"Brian M. Biggs" <bbi...@cincom.com> writes:
>> Dave Erwin wrote:
>> > sqlplus /nolog -- start sqlplus but do not logon
>> > connect username/password -- logon
>>
>> I used to do this on VMS, but under UNIX it doesn't look like SQL*Plus
>> supports the /nolog parameter. Anyone else seen this?
>
>It works for me. The /nolog option is a generic part of SQL*Plus in
>command line environments.
>

Or you can just enter everything on the command line except the
password which it'll prompt you for.

Another option is to set the users to IDENTIFIED EXTERNALLY and let
the O/S handle passwords. This only works though if you're using
sqlplus on a password protected client (i.e. Unix, not DOS or
Windows), and the Oracle server also supports external identification
(Unix does, Netware doesn't).

--
Chuck Hamilton
chu...@dvol.com

This message delivered by electronic sled dogs. WOOF!

Brian M. Biggs

Sep 23, 1996, 3:00:00 AM

Chris Jones wrote:
>
> "Brian M. Biggs" <bbi...@cincom.com> writes:
> > Dave Erwin wrote:
> > > sqlplus /nolog -- start sqlplus but do not logon
> > > connect username/password -- logon
> >
> > I used to do this on VMS, but under UNIX it doesn't look like SQL*Plus
> > supports the /nolog parameter. Anyone else seen this?
>
> It works for me. The /nolog option is a generic part of SQL*Plus in
> command line environments.

I found my problem. We had a LOGIN.SQL that was getting run every time
I logged into SQL*Plus. The first thing it did was set the prompt to
the name of the current database by querying GLOBAL_NAME. If I ran
SQL*Plus with /nolog, I never logged onto a database, and the LOGIN.SQL
got errors, which screwed up any other commands or scripts I tried to
run. I stopped running the LOGIN.SQL script and the /nolog works fine
now.

Thanks for everyone's comments.

Regards,

Ian Parkin

Sep 24, 1996, 3:00:00 AM

: I used to do this on VMS, but under UNIX it doesn't look like SQL*Plus
: supports the /nolog parameter. Anyone else seen this?

Isn't the /nolog option specific to VMS rather than SQL*Plus ?

IAP

Ms. D.H. Harvey

Sep 26, 1996, 3:00:00 AM

Ian Parkin (tw...@roxy.sfo.com) wrote:
: : I used to do this on VMS, but under UNIX it doesn't look like SQL*Plus
: : supports the /nolog parameter. Anyone else seen this?

: Isn't the /nolog option specific to VMS rather than SQL*Plus ?

: IAP

Don't think so. We have no problem using /nolog on our Sequent running
DYNIX/ptx.

Helen

FREDFUSS

Sep 28, 1996, 3:00:00 AM

An earlier response to this thread talked about a 'hide' program from
Oracle, the author was wy...@juno.com. I contacted my dba, who in turn
called OTS. They sent a c program with instructions. The dba compiled
and linked the program to imp, exp, and sqlplus commands. It effectively
removes the password from peering eyes who are using ps -ef to display
active processes.
