rlwrap Filter Configuration
Purpose: Guide to optional password filtering for rlwrap-enabled Oracle tool aliases in OraDBA.
Audience: Users concerned with command history security.
Prerequisites:
- rlwrap installed
- Perl with RlwrapFilter module
Introduction
OraDBA supports optional password filtering for rlwrap-enabled aliases. When enabled, passwords are hidden from command history files, improving security when using interactive Oracle tools.
This security feature works with all Oracle product types supported by the Plugin System.
What is rlwrap?
rlwrap (readline wrapper) provides command-line history and editing for programs that don't natively support it. OraDBA automatically uses rlwrap with SQL*Plus, RMAN, and other Oracle tools when available.
Benefits:
- Command history (up/down arrows)
- Tab completion with keywords
- Line editing (Emacs/vi modes)
- History search (Ctrl+R)
- Optional password filtering
Password Filtering
Password filtering removes sensitive information from command history, preventing:
- Plain-text passwords in ~/.sqlplus_history
- Connection strings with passwords in ~/.rman_history
- CREATE/ALTER USER statements with passwords
Example:
Requirements
1. Install rlwrap
RHEL/Oracle Linux/CentOS:
Ubuntu/Debian:
macOS:
2. Install Perl RlwrapFilter Module
The password filter requires the Perl RlwrapFilter module:
# Check if installed
perl -MRlwrapFilter -e 'print "OK\n"'
# Install using CPAN
sudo cpan RlwrapFilter
# Or on Debian/Ubuntu
sudo apt-get install libterm-readline-gnu-perl
Enable Password Filtering
Global Configuration
Enable for all databases in oradba_customer.conf:
Per-Database Configuration
Enable for a specific database in sid.FREE.conf:
Apply Configuration
# Reload environment
source oraenv.sh FREE
# Test - check alias definition
type sqh
# Should show -z option with filter path
# rlwrap ... -z "/opt/oradba/etc/rlwrap_filter_oracle" sqlplus / as sysdba
What Gets Filtered
SQL*Plus Commands
-- CONNECT statements
CONNECT user/password@db → CONNECT user/@db
conn user/password → conn user/
-- CREATE/ALTER USER
CREATE USER scott IDENTIFIED BY tiger;
→ CREATE USER scott IDENTIFIED BY ***FILTERED***;
ALTER USER scott IDENTIFIED BY newpass;
→ ALTER USER scott IDENTIFIED BY ***FILTERED***;
RMAN Commands
-- CONNECT statements
CONNECT TARGET user/password@db → CONNECT TARGET user/@db
CONNECT CATALOG rman/password@cat → CONNECT CATALOG rman/@cat
Affected Aliases
When ORADBA_RLWRAP_FILTER=true, these aliases use password filtering:
SQL*Plus:
- sqh - SQL*Plus as SYSDBA with rlwrap
- sqlplush - SQL*Plus /nolog with rlwrap
- sqoh - SQL*Plus as SYSOPER with rlwrap
RMAN:
- rmanh - RMAN with rlwrap
- rmanch - RMAN with catalog and rlwrap
ADRCI:
- adrcih - ADRCI with rlwrap
Testing Password Filtering
Test Setup
# Enable filtering
export ORADBA_RLWRAP_FILTER="true"
source oraenv.sh FREE
# Connect using filtered alias
sqh
Test Scenarios
-- Test 1: CONNECT with password
SQL> CONNECT system/password@orcl
Connected.
-- Test 2: CREATE USER
SQL> CREATE USER testuser IDENTIFIED BY testpass;
User created.
-- Exit and check history
SQL> EXIT
# Check history file
$ tail ~/.sqlplus_history
# Should show filtered versions:
# CONNECT system/@orcl
# CREATE USER testuser IDENTIFIED BY ***FILTERED***;
Troubleshooting
Filter Not Working
Check if filter is enabled:
Check alias configuration:
Verify filter script exists:
Check Perl module:
rlwrap Not Found
# Check if rlwrap is installed
which rlwrap
# Install if missing
# RHEL/OL
sudo yum install rlwrap
# Ubuntu/Debian
sudo apt-get install rlwrap
# macOS
brew install rlwrap
Perl Module Missing
# Check for module
perl -MRlwrapFilter -e 'print "OK\n"'
# Install if missing
sudo cpan RlwrapFilter
# Or on Debian/Ubuntu
sudo apt-get install libterm-readline-gnu-perl libreadline-dev
History Still Shows Passwords
Possible causes:
- Filter not enabled - Check ORADBA_RLWRAP_FILTER=true
- Not using filtered alias - Use sqh not sq
- Old history entries - Filter doesn't retroactively clean history
- Perl module not installed - Check RlwrapFilter module
Clean old history:
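# Back up and clean SQL*Plus history
# (the .bak copy still holds the old entries; delete it once it is no longer needed)
mv ~/.sqlplus_history ~/.sqlplus_history.bak
# Back up and clean RMAN history (same caveat for the .bak copy)
mv ~/.rman_history ~/.rman_history.bak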
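Existing history can also be redacted in place rather than moved aside. This added example (not part of OraDBA; the function names are hypothetical) applies the substitutions listed under What Gets Filtered to a history file and counts the lines that still hold a password. It assumes a sed with -E and the I flag, such as GNU sed.

```shell
#!/bin/sh
# Added example, not OraDBA code. Function names are hypothetical.
# Patterns mirror the page's "What Gets Filtered" list.
# Assumption: sed supports -E and the case-insensitive I flag (GNU sed).

# Read history lines on stdin, write the redacted lines to stdout.
redact_history() {
    sed -E \
        -e 's#^([[:space:]]*conn(ect)?[[:space:]]+((target|catalog)[[:space:]]+)?[^/@[:space:]]+/)[^@[:space:]]+#\1#I' \
        -e 's#(identified[[:space:]]+by[[:space:]]+)("[^"]*"|[^;[:space:]]+)#\1***FILTERED***#Ig'
}

# Print how many lines of file $1 still hold a password the rules would remove.
# A line counts when redacting it changes it; already-filtered lines do not.
count_unredacted() {
    redact_history < "$1" |
        awk 'NR == FNR { orig[FNR] = $0; next }
             orig[FNR] != $0 { n++ }
             END { print n + 0 }' "$1" -
}

# Rewrite file $1 in place. mktemp creates the temp file owner-only,
# and no plain-text backup copy is left behind.
scrub_history_file() {
    [ -f "$1" ] || return 1
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if redact_history < "$1" > "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on constructed sample lines (not real history).
printf '%s\n' 'CONNECT system/password@orcl' \
    'ALTER USER scott IDENTIFIED BY newpass;' \
    'connect / as sysdba' | redact_history
```

Run `count_unredacted ~/.sqlplus_history` before and after `scrub_history_file ~/.sqlplus_history`; the second count should be 0. As with the filter itself, unusual password quoting may fall outside these patterns.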
Security Considerations
- Not Perfect - Filter catches common patterns but may miss some edge cases
- Old History - Doesn't clean existing history files
- Other Tools - Only works with rlwrap-enabled aliases
- Local Security - History files stored locally; secure your workstation
- Production - Consider using Oracle Wallet for production connections
- SSH Sessions - History files remain on remote server if using SSH
- Backup History - Consider deleting old history files before enabling filter
Best Practices
- Enable in development - Use for convenience and security in dev/test
- Use Wallet in production - Oracle Wallet for production connections
- Regularly clean history - Periodically remove old history files
- Test the filter - Verify filtering works after enabling
- Document usage - Note which environments use filtering
- Secure workstation - History files only as secure as your workstation
- Consider alternatives - OS authentication, Kerberos, Wallet for production
Alternative Security Methods
Instead of or in addition to password filtering:
Oracle Wallet
# Create wallet
mkstore -wrl /home/oracle/wallet -create
# Add credentials
mkstore -wrl /home/oracle/wallet -createCredential ORCL scott tiger
# Connect without password
sqlplus /@ORCL
OS Authentication
Kerberos Authentication
Configure Kerberos for enterprise authentication (no passwords needed).
Disable Password Filtering
To disable password filtering:
# In oradba_customer.conf or sid.*.conf
export ORADBA_RLWRAP_FILTER="false"
# Or unset the variable
unset ORADBA_RLWRAP_FILTER
# Reload environment
source oraenv.sh FREE
Aliases will continue to use rlwrap but without password filtering.
See Also
- Aliases - Complete alias reference with rlwrap
- Configuration - Setting ORADBA_RLWRAP_FILTER
- Troubleshooting - rlwrap issues