Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

How is the DBA password shown in 9.02?

2 posts in General Discussion. Last posting was on 2009-03-27 14:03:13.0Z
Robert Paresi Posted on 2009-03-27 13:42:15.0Z

Hello,

When the workstation connects to the server using ODBC (or in my case, the
Sybase SQL Anywhere driver in Clarion) ... does the password on the
connection string go from the workstation to the server in readable text?
Meaning, what stops someone from scraping the password on the network when
people connect to the database?

This is when the database is in regular form (not AES).

Are there switches I should be using and if so, what stops someone from just
changing the switches?

-Robert


Jeff Albion [Sybase iAnywhere] Posted on 2009-03-27 14:03:13.0Z

Robert,

The initial "login" packet is always obfuscated in a normal login
session. (So nobody can "casually scrape" the password out with a tool
such as Wireshark). That said, anyone who is determined/knowledgeable
enough to figure out the algorithm and key that was used to obfuscate
the packet can potentially get the password out.

---

Going to transport layer security (TLS) is the only way to guarantee a
"secure" login session. (This is true for any technology though and is
certainly not unique to SQL Anywhere). On versions 10 and up, RSA TLS
encryption is included with the base package. (See: "createcert" in the
documentation).

There are also a number of whitepapers on this topic on our website:
http://www.sybase.com/detail?id=1035475

---

To clarify, TLS uses RSA or ECC, which encrypts the communication stream
across the network. AES is used for block-cipher encrypting the database
when it's stored on-disk (which doesn't affect this mechanism at all).

Regards,

Robert Paresi wrote:
> When the workstation connects to the server using ODBC (or in my case,
> the Sybase SQL Anywhere driver in Clarion) ... does the password on the
> connection string go from the workstation to the server in readable
> text? Meaning, what stops someone from scraping the password on the
> network when people connect to the database?
>
> This is when the database is in regular form (not AES).
>
> Are there switches I should be using and if so, what stops someone from
> just changing the switches?

--
Jeff Albion, Sybase iAnywhere

iAnywhere Developer Community :
http://www.sybase.com/developer/library/sql-anywhere-techcorner
iAnywhere Documentation : http://www.ianywhere.com/developer/product_manuals
SQL Anywhere Patches and EBFs :
http://downloads.sybase.com/swd/summary.do?baseprod=144&client=ianywhere&timeframe=0
Report a Bug/Open a Case : http://case-express.sybase.com/cx/
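
An added example, not part of either post and not Sybase code: a client-side audit that parses SQL Anywhere-style connection strings and flags those that do not request TLS, the distinction the reply draws between an obfuscated login packet and an encrypted session. The short parameter names (UID, PWD, ENG, LINKS, ENC) and the values NONE, SIMPLE, TLS, RSA_TLS and ECC_TLS are assumed from SQL Anywhere's connection-parameter documentation rather than taken from the thread, and the sample strings are constructed.

```python
# Added example: audit SQL Anywhere-style connection strings for TLS.
# Parameter names and values are assumptions from the product documentation.
STRONG = ("TLS", "RSA_TLS", "ECC_TLS")  # values that request a TLS session


def split_params(conn_str):
    """Split on ';' except inside parentheses, e.g. LINKS=tcpip(host=a;port=1)."""
    parts, depth, cur = [], 0, []
    for ch in conn_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def audit(conn_str):
    """Return finding ids for one connection string (empty list = TLS requested)."""
    params = {}
    for part in split_params(conn_str):
        key, _, value = part.partition("=")
        params[key.strip().upper()] = value.strip()
    enc = params.get("ENC", params.get("ENCRYPTION", ""))
    scheme = enc.split("(", 1)[0].strip().upper()
    if scheme not in STRONG:
        # Absent, NONE or SIMPLE: the session is not protected by TLS.
        return ["no-tls"]
    if "TRUSTED_CERTIFICATES=" not in enc.upper().replace(" ", ""):
        # TLS requested, but no certificate named for verifying the server.
        return ["no-trusted-certificates"]
    return []


# Constructed sample strings; hosts, names and file names are placeholders.
SAMPLES = {
    "plain": "UID=DBA;PWD=example;ENG=demo;LINKS=tcpip(host=db.example.test;port=2638)",
    "simple": "UID=DBA;PWD=example;ENG=demo;ENC=SIMPLE",
    "tls": "UID=DBA;PWD=example;ENG=demo;ENC=TLS(tls_type=RSA;trusted_certificates=root.crt)",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(f"{name}: {audit(conn) or 'ok'}")
```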