Home » Infrastructure » Unix » Input for password in the UNIX Shell script (merged)
Input for password in the UNIX Shell script (merged) [message #419021] Wed, 19 August 2009 10:57 Go to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Hello Senior Members,

I am a new entrant to this forum. I thank you all in advance for sharing your expertise.

We can write a unix shell script wherein we can invoke SQL*Plus and even we can perform a query. Further to this, I have a question. It's as follows :

Scenario : The users doesn't have access to SQLPLUS or any tools, i.e., they cannot get in to SQL Prompt. We have to enforce password change policy. As per that the user has to change the password after 90 days.

My Question : Is there any way we can write a UNIX script to change the "password" without allowing the user to get into SQL> Prompt.

sqlplus scott/tiger <<EOF
password ---> Here it will ask for the input, which we should be able to give.
EOF

I really appreciate if any one of our exports can help me with this.

Regards
Input for password in the UNIX Shell script [message #419028 is a reply to message #419021] Wed, 19 August 2009 11:12 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Hello Senior Members,

I am a new entrant to this forum. I thank you all in advance for sharing your expertise.

We can write a unix shell script wherein we can invoke SQL*Plus and even we can perform a query. Further to this, I have a question. It's as follows :

Scenario : The users doesn't have access to SQLPLUS or any tools, i.e., they cannot get in to SQL Prompt. We have to enforce password change policy. As per that the user has to change the password after 90 days.

My Question : Is there any way we can write a UNIX script to change the "password" without allowing the user to get into SQL> Prompt.

sqlplus scott/tiger <<EOF
password ---> Here it will ask for the input, which we should be able to give.
EOF

I really appreciate if any one of our exports can help me with this.

Regards
Re: Input for password in the UNIX Shell script [message #419040 is a reply to message #419028] Wed, 19 August 2009 11:28 Go to previous messageGo to next message
Mahesh Rajendran
Messages: 10613
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
>>without allowing the user to get into SQL> Prompt.
What is it you are trying to achieve with this restriction?
the "password" is an sql * plus command.



To implement your approach,
First you must have OS (unix) accounts for all users to call this script.
Or
share one account among all.

You can create a simple web interface that will authenticate to the database using DBA account and issue the sql. Something like.
SQL> alter user ... identified  by newpassword;
Re: password script in UNIX.. [message #419043 is a reply to message #419021] Wed, 19 August 2009 11:33 Go to previous messageGo to next message
Michel Cadot
Messages: 57612
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
If the password is not expired (or in grace period) you can't forbid someone to get the SQL*Plus prompt.

Regards
Michel
Re: password script in UNIX.. [message #419044 is a reply to message #419021] Wed, 19 August 2009 11:34 Go to previous messageGo to next message
Michel Cadot
Messages: 57612
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Do not hijack other's topic abive all when you create another topic with the same question.

Regards
Michel
Re: password script in UNIX.. [message #419053 is a reply to message #419044] Wed, 19 August 2009 12:34 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Dear Michael,

My intentions are very clear and I didn't hijack the topic. I wanted to make it clear to you, if you are mistaken.

First I posted on the one you said a topic which was existing (you referred to it as hijack). Later, I saw the threads, it was in 2005 or so. Since I am new to this forum, I thought it is old or somebody would look into this or not, lots of questions arised in my mind and more over, for my specific question, I couldn't find an answer.

So, I decided to post it as a new topic. Hope you got it!!!

Thanks
Re: Input for password in the UNIX Shell script [message #419054 is a reply to message #419040] Wed, 19 August 2009 12:43 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Thanks for your answer Mahesh. You have asked "What you are going achieve from this?". You just think that you are a user (Non-DBA). The company restricts you from getting into SQL Prompt, for company's policy reasons and security. When you login, you will be connected straight into the application. After 90 days your password expires, you will not be able to login into your application unless you change your password during that gracetime period. It's your password which you have to change. The DBA can do it for you but in general circumstances earlier, the DBA assigns a password and asks you to change it your own password. But in the scenario explained, you don't have that option.

If you are in a situation which I have explained above, how do you tackle and overcome this.

I appreciate your expertise on this and hope I have conveyed the things right. Thanks for asking that question.

Regards
Re: Input for password in the UNIX Shell script [message #419056 is a reply to message #419054] Wed, 19 August 2009 12:52 Go to previous messageGo to next message
Mahesh Rajendran
Messages: 10613
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
Same response again.
Instead of creating a unix login (which will grant sql*plus access to users),
I would create a simple webpage that will authenticate as dba to database, get the inputs from webpage (username, old password , new password ) from the user and change it.

Re: Input for password in the UNIX Shell script [message #419057 is a reply to message #419054] Wed, 19 August 2009 12:57 Go to previous messageGo to next message
Michel Cadot
Messages: 57612
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
company restricts you from getting into SQL Prompt,

Have a look at
SQL*PlusĀ® User's Guide and Reference
Chapter 9 SQL*Plus Security

Quote:
After 90 days your password expires, you will not be able to login into your application unless you change your password during that gracetime period.

This is NOT how Oracle works, so you have to set no grace period in Oracle profile.

Quote:
It's your password which you have to change.

Set a way in your application.

Regards
Michel
Re: Input for password in the UNIX Shell script [message #419068 is a reply to message #419057] Wed, 19 August 2009 14:03 Go to previous messageGo to next message
andrew again
Messages: 2574
Registered: March 2000
Senior Member
What's to stop the user just downloading an Oracle client, Toad or whetever to connect to the database?

I agree with Mahesh that a self-service web page is a good solution to change a passwd.

Similar web utils I have created do:
1) Authenticate the user against LDAP or simple unix rlogin test from within your back-end script.
2) connect to Oracle as privileged account and change the user's passwd.

You can do the same from a Unix script by:
1) restrict access to the Oracle client (else user can run sqlplus).
2) create a script owned by DBA but executable by others via sudo (to make it run as DBA) (check with your Unix admin for this).
3) do a "who am i" in the script to detect the user's login.
4) prompt for the new passwd and change it for the user in #3

You can also try chmod u+s on the script as an alternative to sudo. It may nor work for scripts on your particular OS.


http://www.softpanorama.org/Access_control/sudo.shtml
Re: Input for password in the UNIX Shell script [message #419078 is a reply to message #419068] Wed, 19 August 2009 15:07 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Thanks, it's very informative.
Re: Input for password in the UNIX Shell script [message #419079 is a reply to message #419056] Wed, 19 August 2009 15:09 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Thanks.
Re: Input for password in the UNIX Shell script [message #419082 is a reply to message #419068] Wed, 19 August 2009 15:37 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Hi Andrew,

In fact, I followed the same pattern which you have mentioned in your answer. I tried that by hard-coding it to see whether it works or not? It worked fine.

Since I am not that good shell scripting, I am unable write a code as mentioned in your reply "prompt for the new passwd and change it for the user in #3". Can you please guide me with that piece of code as to how to invoke this?

I really appreciate and thanks in advance.

Regards
Re: Input for password in the UNIX Shell script [message #419089 is a reply to message #419082] Wed, 19 August 2009 16:26 Go to previous messageGo to next message
andrew again
Messages: 2574
Registered: March 2000
Senior Member
-- tested on HP-UX. Should be similar on most Unix
# also try "whoami" it may work better for you.
who am i | read usr junk

   while (true)
   do
      echo "Change Oracle password for \"$usr\" ? (y/n)"
      read ans
      case $ans in
      Y*|y*)   break;;
      N*|n*)   exit 0;;
      esac
   done

#read passwd twice and if same value entered
# then reset...

## you need to prompt for PASS etc here...

# check passwd for unwanted characters etc...
# untested

## escape the $...
BADCHAR=`echo $PASS | egrep '=|\$|&|%|#|@| |_' | wc -l`
if [ $BADCHAR -gt 0 ]; then
  echo "ERROR. Invalid characters found in password(@,_,space etc)"
  exit 1
fi

# check passwd length too...
## X=my_passwd
## LEN=`echo $X | wc -c` 
## if [ $LEN -lt 6 ]; then
##   echo "ERROR. Password too short.. 



sqlplus ... <<EOF
-- reset passwd for $usr
EOF
RV=$?

# test RV to see of 0 (success) or not...

[Updated on: Mon, 24 August 2009 11:18]

Report message to a moderator

Re: Input for password in the UNIX Shell script [message #419102 is a reply to message #419089] Wed, 19 August 2009 17:57 Go to previous messageGo to next message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Hi Andrew

Thank you very much and I appreciate for your help. I tried but, when I give the ans 'y' it branches out to "ERROR invalid....". I have Redhat Linux on my machine, may be it's not supporting. If possible and get a chance you can answer, I don't want to bother you much. Thanks.

Regards
Re: Input for password in the UNIX Shell script [message #419105 is a reply to message #419102] Wed, 19 August 2009 18:14 Go to previous messageGo to next message
andrew again
Messages: 2574
Registered: March 2000
Senior Member
I'm unsure - it may be related to your shell. The syntax should work for KSH and probably SH. See this for shell differences.

http://ut3.org/~kerolasa/differences.html

do a "set -x" towards the top of your script to get debug info.

Force the script to use your shell of choice on the first line (example):
#!/bin/ksh


Remember - my code sample isn't fully working code - it doesn't even prompt for passwd - you need to add all that stuff... I'm just trying to show some helpful snippets about prompting for input, validating the response etc...

[Updated on: Wed, 19 August 2009 18:17]

Report message to a moderator

Re: Input for password in the UNIX Shell script [message #419110 is a reply to message #419105] Wed, 19 August 2009 19:34 Go to previous message
ksdba
Messages: 10
Registered: August 2009
Location: NJ
Junior Member
Sure, I will, thanks for all your help

Regards
Previous Topic: TNS:listener does not currently know of service requested in connect
Next Topic: export successfull status
Goto Forum:
  


Current Time: Sat Apr 19 20:11:42 CDT 2014

Total time taken to generate the page: 0.12836 seconds