Enhancing the authentication mechanism in MaxDB

MaxDB SQLCLI is a tool for tasks such as data manipulation and data definition. As with any other client, a user name and password are required to connect to the database with SQLCLI. The main problem with SQLCLI is the lack of security in the console: when connecting to the database, the password given is never masked. This needs to be changed so that the password stays concealed. This weblog explains a way to achieve that.

MySQL Console

Let us look at a simple example of a better authentication process in the existing MySQL console:

image

In the above screenshot, it is clear that the MySQL console completely hides the entered password. Thus confidentiality is ensured at all points.

MaxDB SQLCLI Console

With MaxDB SQLCLI, however, authentication works quite differently. The entered password is displayed as typed, so there is no security for it.

image

The user name dba and the password maxdb are displayed in the open, and hence the users are always at risk.

Enhancing the authentication mechanism

Here is an alternative way to log in to MaxDB without revealing the password. It is a simple Java program that uses a thread to hide the entered password with special characters. The program also shows how to run an SQL query in MaxDB using Java. It is developed from the password masking concepts discussed at http://java.sun.com/developer/technicalArticles/Security/pwordmask/. The program that makes this possible is given below:

When executed, the above program produces the result shown below.

image

A small cross-check of the executed query with Websql Studio:

image

I hope the above program is useful for enhancing the authentication mechanism in MaxDB.
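
For comparison, an added example (not the program from the original post, which is not reproduced on this page): since Java 6, `java.io.Console.readPassword` switches terminal echo off, so the typed characters are never displayed and no overprinting thread is needed. The host, database name and query are placeholders; the driver class and URL scheme are those of the MaxDB JDBC driver (sapdbc.jar), which is assumed to be on the classpath.

```java
import java.io.Console;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Properties;

public class MaxDbLogin {
    public static void main(String[] args) throws Exception {
        // Placeholder host and database name (assumptions, not from the post).
        String url = "jdbc:sapdb://localhost/MYDB";
        Class.forName("com.sap.dbtech.jdbc.DriverSapDB"); // MaxDB JDBC driver

        // System.console() is null when input or output is redirected.
        // Fail closed instead of falling back to a prompt that echoes.
        Console console = System.console();
        if (console == null) {
            System.err.println("No interactive console; not reading a password with echo on.");
            System.exit(1);
        }

        String user = console.readLine("Username: ");
        char[] password = console.readPassword("Password: "); // echo is disabled here
        if (user == null || password == null) { System.exit(1); } // end of input

        Properties props = new Properties();
        props.setProperty("user", user);
        // JDBC takes the password as a String, so one immutable copy is unavoidable.
        props.setProperty("password", new String(password));
        Arrays.fill(password, '\0'); // wipe the mutable copy as soon as possible

        try (Connection con = DriverManager.getConnection(url, props);
             Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT * FROM DUAL")) { // placeholder query
            while (rs.next()) {
                System.out.println(rs.getString(1));
            }
        } finally {
            props.remove("password"); // drop the reference; a String cannot be wiped
        }
    }
}
```

Run it from a real terminal; when started from an IDE or with redirected input, `System.console()` returns null and the program exits without prompting.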

4 Comments

  1. Marco Paskamp

    Hi Kathirvel Balakrishnan,
    thank you very much for your advice to hide the password when it is given on the command line. I will add this feature to a future version of sqlcli. Currently you can already type in the password after starting sqlcli, but it is not masked with ‘‘:

    c:\>sqlcli  -d v73 -u dba

    Welcome to the MaxDB interactive terminal.

    Type:  \h for help with commands
           \q to quit

    password:
    Connected to v73
    sqlcli v73=>

    BTW, the Java example that you have added to your article doesn’t use sqlcli in any way. So, where is the enhancement? Also the printout of “\b” is insecure, because if you pipe the output to a file you will find the password within the sequence m\by\bp\ba\bs\bs\b.

    Again, thank you for your advice and best regards.

    Marco Paskamp
    SAP Labs, Berlin

    1. Kathirvel Balakrishnan Post author
      Hi Marco,

      Thanks for the comments and really nice then I set the things right there. Then regarding “pipe the output to a file” – I didn’t get how you can do that when a compiled Java executable is used for this purpose. Still I think it will be better than working with a console that displays the password. But as far as I have known MaxDB is better why not the best tool in the market. Hope you agree with this.
      Thanks and Regards
      Kathir~

  2. Kathirvel Balakrishnan Post author
    Hi Marco,

    I really thank you for getting back, and giving me a solution. Hope this will make MaxDB much more secure. I am planning to work on it after some time.

    Thanks & Regards,
    Kathir~
