McPwfile: check your Oracle password files [message #651191] Thu, 12 May 2016 09:12
Michel Cadot

I was asked to create something (write a script?) that would allow detecting modifications in Oracle password files.

My first (obvious) idea was to create a new account in each database (to avoid using a current privileged one) with only 2 privileges: CREATE SESSION and SELECT on V$PWFILE_USERS, then create a shell script which would connect to each database with this account and query this latter view, spooling the result to a file, and make a "diff" with the previous one.
Well, I did not like the idea of creating an account which has the privilege to name all accounts with SYSDBA privilege or the like; just a new security hole for me. And the idea of having to connect to each database...

My second idea was to make a "binary diff" on all password files with the previous ones saved somewhere. I don't know if you have ever looked at a "binary diff" report; it is hard to say it is easy to read.
In addition, due to the policy of changing the passwords quite frequently, all files are highlighted at each check. Not to mention that a SYSOPER account getting a SYSDBA privilege is a change of a single bit in the file.

So I had to find something else, hence the program I present to you here: McPwfile.
Its help is the following one:
C:\>.\McPwfile -h

McPwfile Utility by Michel Cadot: Version 2017.10.03 on 03-OCT.-2017 10:16:55

Copyright (c) Michel Cadot, 2016-2017. All rights reserved.

Usage: McPwfile.exe { -h | [-dir <directory>] [-psw] [-v] <pwfile> [...] }

with
  -dir <directory>  Gives the default directory if not given in file names;
                      default is current working directory.
  -psw              Displays the password hash values.
  -v                Verbose mode; displays informative messages, warnings,
                      and disabled entries; "-v" implies "-psw"
  <pwfile>          Gives an Oracle password file; wildcard characters are allowed.

The program is provided as it is without any guarantees or warranty. Although the
author has attempted to find and correct any bugs in this free program, the author
is not responsible for any damage or losses of any kind caused by the use or misuse
of the program. The author is under no obligation to provide support, service,
corrections, or upgrades to this program.

You can freely use, copy and distribute this program but you can't modify it without
the permission of the author you can contact on http://www.orafaq.com
You can post your comments, ask for improvements, report bugs... on the program at
http://www.orafaq.com/forum/t/200886/
You can give a list of password files; wildcard characters are allowed. You can give a specific directory for the files with no path or a relative path using the "-dir" parameter.
Here's an example of the output:
C:\>.\McPwfile -dir C:\ PWDMIKB2.ora PWDtst1212c.ora

McPwfile Utility by Michel Cadot: Version 2016.05.12 on 12-MAI-2016 11:35:53

Copyright (c) Michel Cadot, 2016. All rights reserved.

Checking file C:\PWDMIKB2.ora
  Creation date..... 08-mai-2016 20:17:07
  Last modification. 27-déc.-2015 21:55:56
  Size.............. 1.5 KB
  Valid entries
    SYS
      privilege. SYSOPER SYSDBA
    MICHEL
      privilege. SYSDBA
    U
      privilege. SYSDBA
    SCOTT
      privilege. SYSDBA
    NTD
      privilege. SYSOPER SYSDBA SYSASM

Checking file C:\PWDtst1212c.ora
  Creation date..... 08-mai-2016 20:16:30
  Last modification. 08-mai-2016 20:16:30
  Size.............. 7.5 KB
  Valid entries
    SYS
      privilege. SYSOPER SYSDBA
    SYSDG
      privilege. SYSDG
    SYSBACKUP
      privilege. SYSBACKUP
    SYSKM
      privilege. SYSKM
You can ask for the password hash values using the "-psw" option.
The "verbose" option (-v), which implies the "-psw" option, gives you some more information:
- less useful information about the file
- warning messages (some inconsistencies the program detects)
- disabled entries in the file
- starting with 12.1.0.2, SHA-2 verifier.
This may help you to explain some strange things you may encounter and warn you about Oracle bugs or hacked password files.

The program has been tested with Windows and Linux password files, for Oracle versions from 8iR3 (8.1.7) to 12cR2 (12.2.0.1). There may be some differences with other Unix flavors. If you have any problem don't hesitate to contact me and I'll fix the program.

Latest version: 2017.10.15, download in orapwd wiki page.
MD5:   be80a7c77447399d3665927309848a81
SHA-1: 21b89a9f7cd6326b52cc9ee430cab2d6c1432d51

[Updated on: Sun, 15 October 2017 04:16]
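Added example (not part of the original post and not McPwfile's own code): a sketch of the change-detection workflow the post describes, which parses two saved McPwfile reports and lists only account and privilege differences, so banner timestamps and file dates do not show up as changes. It assumes the default report layout shown in the sample output above (no "-psw" or "-v"); the file name PWDDEMO.ora, the account NEWDBA and the function names are constructed for illustration.

```python
# Constructed samples in the post's default output format; CURRENT adds NEWDBA and SCOTT's SYSDBA.
BASELINE = r"""McPwfile Utility by Michel Cadot: Version 2016.05.12 on 12-MAI-2016 11:35:53

Checking file C:\PWDDEMO.ora
  Last modification. 08-mai-2016 20:17:07
  Valid entries
    SYS
      privilege. SYSOPER SYSDBA
    SCOTT
      privilege. SYSOPER
"""
CURRENT = BASELINE.replace("11:35:53", "12:00:00").replace(
    "privilege. SYSOPER\n", "privilege. SYSOPER SYSDBA\n    NEWDBA\n      privilege. SYSDBA\n")

def parse_report(text):
    """Return {file: {user: frozenset(privileges)}}; banner, dates and sizes are ignored."""
    files, current, user, in_entries = {}, None, None, False
    for s in map(str.strip, text.splitlines()):
        if s.startswith("Checking file "):
            current = files.setdefault(s[len("Checking file "):], {})
            user, in_entries = None, False
        elif not s or current is None:
            in_entries = False  # blank line ends a section; banner lines are skipped
        elif s == "Valid entries":
            in_entries = True
        elif in_entries and user is not None and s.startswith("privilege."):
            current[user] = frozenset(s[len("privilege."):].split())
        elif in_entries and not s.startswith("privilege."):
            user = s  # an entry name; its privilege line follows
            current.setdefault(user, frozenset())
    return files

def compare(baseline, current):  # list account/privilege changes between two parsed reports
    fmt = lambda privs: " ".join(sorted(privs)) or "-"
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path, {}), current.get(path, {})
        for name in sorted(old.keys() | new.keys()):
            was, now = old.get(name), new.get(name)
            if was is None:
                findings.append(f"{path}: {name} added with {fmt(now)}")
            elif now is None:
                findings.append(f"{path}: {name} removed (had {fmt(was)})")
            elif was != now:
                findings.append(f"{path}: {name} gained [{fmt(now - was)}] lost [{fmt(was - now)}]")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(parse_report(BASELINE), parse_report(CURRENT))))
```

In practice the two inputs would be the saved output of the previous and the current McPwfile run over the same password files.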


Re: McPwfile: Check your Oracle password files [message #665931 is a reply to message #651191] Tue, 03 October 2017 04:19
Michel Cadot

New features are:
  • Full support of 12cR1 release (previously 12.1.0.1 only)
  • Full support of 12cR2 release (12.2.0.1)
Reminder:
  • 11g introduces SHA-1 passwords and case sensitivity
  • 12.1.0.1 introduces long user names (127 bytes), and SYSBACKUP, SYSDG and SYSKM privileges
  • 12.1.0.2 introduces SHA-2 passwords
  • 12.2.0.1 introduces external names and removes <11g passwords (even with 12.1 format)

[Updated on: Sun, 15 October 2017 04:08]


Re: McPwfile: Check your Oracle password files [message #666103 is a reply to message #665931] Sun, 15 October 2017 04:18
Michel Cadot

A new version has been released with just display enhancements.
