Hide a user password

Many times when running jobs through cron (on Unix boxes) it is required that you hide the password of the Oracle user from showing up when the ps command is run at the operating system level. There are various methods to do this, but the foolproof method is to use the init.ora parameter (os_authent_prefix) and identify users externally.

In the init.ora file set the os_authent_prefix to any string (for example, OPS$). Now the V$parameter output for this parameter should show up as: 

NAME                 TYPE     VALUE
-----------------    -------  ---------
os_authent_prefix    string   ops$
Now whenever you create a user just use "create user ops$<username> identified externally". For example, let's say the user is DBGUY: 
create user ops$DBGUY identified externally;
This will allow you to: 
$ id       
uid=12997(DBGUY) gid=1(other)

$ sqlplus /
SQL*Plus: Release 8.1.5.0.0 - Production on Mon Jun 17 09:28:46 2000
(c) Copyright 1999 Oracle Corporation.  All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
With the Partitioning and Java options
PL/SQL Release 8.1.5.0.0 - Production

ops$dbguy@8i> show user
USER is "OPS$DBGUY"
ops$dbguy@8i>

Reader Feedback

Geoff H. writes: The author may like to point out the use of the SUDO command to prevent user passwords being seen in ps -ef. You can control what a user account on Unix can do. See below. sudo

    Requires Free Membership to View

    Login

allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file (the group vector is also initialized when the target user is not root). By default, sudo requires that users authenticate themselves with a password (NOTE: by default this is the user's password, not the root password). Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers). sudo determines who is an authorized user by consulting the file /etc/sudoers. By giving sudo the -v flag a user can update the time stamp without running a command. The password prompt itself will also time out if the user's password is not entered within 5 minutes (unless overridden via sudoers). A useful link for information is http://www.courtesan.com/sudo/. I hope this is useful.

For More Information

  • What do you think about this tip? E-mail the editor at tdichiara@techtarget.com with your feedback.
  • The Best Oracle Web Links: tips, tutorials, scripts, and more.
  • Have an Oracle tip to offer your fellow DBAs and developers? The best tips submitted will receive a cool prize--submit your tip today!
  • Ask your technical Oracle questions--or help out your peers by answering them--in our live discussion forums.
  • Check out our Ask the Experts feature: Our SQL, database design, Oracle, SQL Server, DB2, metadata, and data warehousing gurus are waiting to answer your toughest questions.

This was first published in June 2002

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top