SSH Without A Password

Zach has posted a good quick reference for setting up SSH to use a shared key for authentication instead of a password on a UNIX system. It’s important to keep your keys secure, but this can allow you to set up scripts to execute commands or move files between multiple hosts without prompting for passwords.

If memory serves this type of authentication is enabled by default on most ssh servers, but if it doesn’t work talk to your sys-admin to see if it is disabled.

unix, linux, solaris, mac osx, osx, ssh, security

Biometrics

FingerprintDon Burleson over at Burleson Consulting has written an interesting survey of Oracle biometrics applications.

With the inherent problems associated with passwords Oracle security administrators are finding that Oracle biometrics is a more secure and cost-effective solution. Oracle biometrics system offer more secure environments and also remove the need to dedicate a help-desk person to manage changing passwords for hundreds of end-users.

It’s interesting to see what’s out there, but as Zach will always remind us, biometrics will not hold up in the long run. As biometrics become commonplace they will be hacked. What will you do when someone steals your fingerprints (or the digital representation of them.) You can’t change them. Hell, you can’t even keep from leaving them behind just about everywhere you go.

If a lock can be opened, it can be picked; and if your password can be used, it can be forged. The more common biometrics become (Don mentions in his article that fingerprint readers are now less than $31) the more folks will set their sights on hacking them. These devices work on common interfaces and pass their information over networks potentially exposing your personal password to unknown parties.

If biometrics catch on you could be required to provide fingerprint identification to use your credit card at your local convenience store. Do you really trust them, or worse yet, the government (who can’t even keep your SSN secure) with your password to your bank account, business account, desktop computer and medical history?

So if biometrics isn’t the holy grail of electronic security what is?

I don’t know what the future of password management is. The most holistic solution I’ve seen yet is the one that Zach and I proposed last year where users are provided with a “password change authorization code” which they are encouraged to keep with their birth certificate (or in another safe place) which allows them to change their password through a self-service page in the case of password loss.

biometrics, fingerprint, security, hacking, hacks, oracle

Useful Oracle Security Views

One of the cool things about oracle is that if you have the right privileges you can learn all it’s secrets from the so-called “data dictionary.”

If you’re interested in this then you probably already know what that’s about, so here are what I consider the important data dictionary views for Oracle security:

DBA_SYS_PRIVS – Probably most important, this show system privileges granted to users and roles

DBA_TAB_PRIVS – While the name implies table privileges this actually incorporates view privileges, procedures, packages and functions

DBA_COL_PRIVS – Not always used, but this view tracks grants on columns

DBA_ROLE_PRIVS – This shows who (or what roles) a role has been granted to

These views don’t seem to have changed much from 9i to 10g (or in 8i at that matter) but it is always best to check documentation for your version of Oracle.

Stay tuned for some handy queries to run on these to get quick reports on who can see what.

Technorati tags: , , , , , ,

Oracle CONNECT and RESOURCE Roles

So what exactly is in those CONNECT and RESOURCE Oracle roles? The ship with every Oracle database and many apps require they be granted. I did a little digging and found the following:

In Oracle 10gR2 things are fairly sane:
CONNECT role has only CREATE SESSION
RESOURCE has CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER and CREATE TYPE

In Oracle 9iR2 things get a little scary:
CONNECT has ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE SEQUENCE, CREATE SESSION, CREATE SYNONYM, CREATE TABLE and CREATE VIEW. Rather a scary lot for a role called ‘connect’
RESOURCE has CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER and CREATE TYPE

The admin option would allow the users to grant the privlelge to another user. Thankfully neither of these roles have the admin option in the versions of Oracle I checked.

To find these privileges you can query the DBA_SYS_PRIVS table with a query like this:

select grantee, privilege, admin_option from dba_sys_privs where grantee='CONNECT';

Of course an oracle role could also have table or column privileges granted to it, so to be thorough you should also check for entries in DBA_TAB_PRIVS and DBA_COL_PRIVS.

NOTE: You should always check these privileges in your database before granting roles as a script, application or previous DBA may have granted or revoked additional roles.

Technorati tags: , , , , , ,