Re: How to move UNIX password into Oracle password

From: Lee Parsons <lparsons_at_exlog.com>
Date: Mon, 12 Jul 93 16:37:49 GMT
Message-ID: <1993Jul12.163749.9692_at_exlog.com>


In article <742444993snz_at_hoxton.demon.co.uk> paul_at_hoxton.demo.co.uk writes:
>In article <1993Jul10.150027.18381_at_exlog.com> lparsons_at_exlog.com writes:
>>In article <sjsC9wqpC.5tF_at_netcom.com> sjs_at_netcom.com (Stephen Schow) writes:
>>>
>>>Anyone know how I can systematically move the OS (UNIX) user passwords into
>>>the corresponding OPS$ Oracle accounts password def. I want the two to
>>>be the same and periodically running some program which kept them in sync
>>>would be VERY good.
>
 [ ... ]
>
>>In fact I use the password field as a cheap comment field by using:
>>grant connect to ops$accounts identified by values 'FOO USER';
>
>Don't do that: It allows any user who knows your scheme to masquerade as
>any Oracle OPS$ user. Better to set a password (I just randomly beat my
>fingers on the keyboard to generate one) and then FORGET it. You will never
>need it again.
>

How can an ENCRYPTED value of "FOO USER" represent a valid password?

"FOO USER" is the value AFTER the encryption process has been run, not the password itself. Since it is several characters short of the required encryption length, NO password will ever encrypt to "FOO USER" and it is MORE secure than putting in a valid password.

>>But that didn't really answer your question.
>>
>>given that:
>>1) both the unix/oracle password are encrypted via one way functions
>
>Hence there is no value to your 'cheap comment' as no-one will ever see it.
>Not even you.

Once again the command was:  

   grant connect to ops$account identified by values 'FOO USER';
                                              ^^^^^^
   NOT    grant connect to ops$account identified by 'FOO USER';  

FOO USER is not the password; it is the encryption string.

You can get the 'comment' by: select username, password from dba_users;

>
>>2) they are not the same function.
>>
>>I don't see any way of doing this without forcing the user to change
>>both when she changes one.
>>
>>The most practical way of doing this would be take a hacked version
>>of passwd that does a pro*c call to change the oracle password
>>when the unix password is changed.
>
>I'm sure this is just over-engineering a way out of a non-problem.
>

Agree. But of course Stephen asked for a specific answer. Who am I to sit 1000 miles away and tell him it's not really a problem.

-- 
Regards, 

Lee E. Parsons                  		Baker-Huges Inteq, Inc
Oracle Database Administrator 			lparsons_at_exlog.com 
Received on Mon Jul 12 1993 - 18:37:49 CEST
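
Added example, not part of the original post or thread: a small audit over the output of "select username, password from dba_users" that separates OPS$ accounts whose stored value is a well-formed hash (so a password login could succeed) from those holding a value no password can ever encrypt to, such as 'FOO USER'. It assumes the legacy hash is exactly 16 hexadecimal characters, which the thread does not state; classify(), audit() and the sample rows are constructed for illustration.

```python
import re

# Assumption (not stated in the thread): a legacy Oracle password hash in
# DBA_USERS.PASSWORD is exactly 16 hexadecimal characters.
LEGACY_HASH = re.compile(r"[0-9A-F]{16}", re.IGNORECASE)


def classify(password_field):
    """Classify one stored PASSWORD value.

    'hash'       -> well-formed, so some password may match it
    'impossible' -> wrong length or non-hex, so no password can hash to it
    'empty'      -> nothing stored
    """
    value = (password_field or "").strip()
    if not value:
        return "empty"
    return "hash" if LEGACY_HASH.fullmatch(value) else "impossible"


def audit(rows, prefix="OPS$"):
    """Group OS-authenticated accounts (prefix match) by classify() result."""
    report = {"hash": [], "impossible": [], "empty": []}
    for username, password in rows:
        if username.upper().startswith(prefix):
            report[classify(password)].append(username)
    return report


# Constructed rows, shaped like: select username, password from dba_users;
SAMPLE_ROWS = [
    ("SYSTEM", "0123456789ABCDEF"),      # not OPS$, ignored by the audit
    ("OPS$ALICE", "FOO USER"),           # too short: placeholder/comment
    ("OPS$BOB", "89ABCDEF01234567"),     # well-formed: password login possible
    ("OPS$CAROL", "PAYROLL CLERK 2F"),   # 16 characters but not hex
    ("OPS$DAVE", None),                  # no value stored
]

if __name__ == "__main__":
    for kind, users in audit(SAMPLE_ROWS).items():
        print(f"{kind:10} {', '.join(users) or '-'}")
```

Accounts reported under 'hash' are the ones to review, since a remote user who knows or guesses the matching password can connect without going through OS authentication.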
