Re: How to move UNIX password into Oracle password

From: Paul Beardsell <paul_at_hoxton.demon.co.uk>
Date: Mon, 12 Jul 1993 02:43:13 +0000
Message-ID: <742444993snz_at_hoxton.demon.co.uk>


In article <1993Jul10.150027.18381_at_exlog.com> lparsons_at_exlog.com writes:

>In article <sjsC9wqpC.5tF_at_netcom.com> sjs_at_netcom.com (Stephen Schow) writes:
>>
>>Anyone know how I can systematically move the OS (UNIX) user passwords into
>>the corresponding OPS$ Oracle accounts password def. I want the two to
>>be the same and periodically running some program which kept them in sync
>>would be VERY good.

WHY DO YOU NEED THEM TO BE THE SAME? If you know the Unix password for the user then to log on to the database do something like the following:

        su <unix_user_id> -c 'sqlplus /'

Unix will then prompt for the Unix password. Because you have set up an OPS$ Oracle account you will NOT be prompted for the Oracle password and, hey-presto, there you are at the SQL> prompt. The whole IDEA of OPS$ accounts is that by using them you are trusting the O/S implicitly with your security.

>First you don't need passwords on ops$accounts.

Oh yes you do if you want your database to be secure! You just don't need to know the Oracle password if you are logged in as the O/S user for whom the OPS$ account has been set up.

>In fact I use the password field as a cheap comment field by using:
>grant connect to ops$accounts identified by values 'FOO USER';

Don't do that: It allows any user who knows your scheme to masquerade as any Oracle OPS$ user. Better to set a password (I just randomly beat my fingers on the keyboard to generate one) and then FORGET it. You will never need it again.

>But that didn't really answer your question.
>
>given that:
>1) both the unix/oracle passwords are encrypted via one way functions

Hence there is no value to your 'cheap comment' as no-one will ever see it. Not even you.

>2) they are not the same function.
>
>I don't see any way of doing this without forcing the user to change
>both when she changes one.
>
>The most practical way of doing this would be take a hacked version
>of passwd that does a pro*c call to change the oracle password
>when the unix password is changed.

I'm sure this is just over-engineering a way out of a non-problem.

>There are about a million problems with this idea that would have
>to be worked out, but the bottom line is that once the two passwords
>are out of sync you can't sync them up w/o changing them both.
>
>You could do something silly like keep the unix pwd online and run a
>program to do the update in oracle later. While the code would be much
>easier I think we can all agree that this would be a "BAD" thing.

I agree. Silly and bad.

>--
>Regards,
>
>Lee E. Parsons Baker-Huges Inteq, Inc
>Oracle Database Administrator lparsons_at_exlog.com
 

-- 

Paul Beardsell                          21 Finn House, Bevenden St, HOXTON,
~~~~~~~~~~~~~~                          Hackney, London, N1-6BN, UK.
paul_at_hoxton.demon.co.uk
pbeardsell_at_cix.compulink.co.uk          (+44 or 0)71 608-2391
Received on Mon Jul 12 1993 - 04:43:13 CEST
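
An added example, not part of the original post or of any Oracle tooling: a sketch of the clean-up Paul describes, finding OPS$ accounts whose password field holds free text rather than a hash and emitting statements that set a random password nobody keeps. It assumes rows exported as (username, password) pairs from DBA_USERS, the default OPS$ prefix, and a stored hash of 16 hex digits; the function names and sample rows are constructed for illustration.

```python
import re
import secrets
import string

# Assumption: the stored password value is a 16-hex-digit hash.
HASH_RE = re.compile(r"^[0-9A-F]{16}$")
# Assumption: OS-authenticated accounts use the default OPS$ prefix.
# The strict pattern also keeps unexpected characters out of the emitted SQL.
OPS_RE = re.compile(r"^OPS\$[A-Z0-9_]+$")


def comment_style_accounts(rows):
    """Return OPS$ usernames whose password field is not a well-formed hash,
    i.e. was set with IDENTIFIED BY VALUES '<free text>'."""
    return [user for user, value in rows
            if OPS_RE.match(user) and not HASH_RE.match(value)]


def throwaway_password(length=30):
    """Random password from the OS CSPRNG: a leading letter, then letters and
    digits, so it needs no quoting. It is printed once and never stored."""
    alphabet = string.ascii_uppercase + string.digits
    first = secrets.choice(string.ascii_uppercase)
    return first + "".join(secrets.choice(alphabet) for _ in range(length - 1))


def remediation_sql(rows):
    """One ALTER USER statement per flagged account, each with its own password."""
    return [f"ALTER USER {user} IDENTIFIED BY {throwaway_password()};"
            for user in comment_style_accounts(rows)]


# Constructed sample rows in the shape (USERNAME, PASSWORD).
SAMPLE_ROWS = [
    ("OPS$ALICE", "0123456789ABCDEF"),   # looks like a real hash: left alone
    ("OPS$BOB", "FOO USER"),             # password field used as a comment
    ("SCOTT", "FEDCBA9876543210"),       # not an OPS$ account: out of scope
    ("OPS$CAROL", "PAYROLL CLERK"),      # password field used as a comment
]

if __name__ == "__main__":
    for statement in remediation_sql(SAMPLE_ROWS):
        print(statement)
```
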
