Coskan’s Approach to Oracle

April 23, 2007

Act as if, temporarily in Oracle

Filed under: Security — coskan @ 10:37 am

While discovering the internet's new trend StumbleUpon after reading Eddie Awad's last entry, I found a nice site, Red Database Security, about Oracle security. Its whitepaper about passwords has useful paragraphs for Oracle DBAs.

Here is a sample paragraph about changing a user's password temporarily, without knowing the original password, by using the undocumented "by values" feature of the ALTER USER command. Suppose you want to log in as user HR but you don't know its password and you can't change it permanently: all you have to do is back up the password hash from the dba_users table before changing it, then put the hash back afterwards. Let's look at how:

From session 1; -- back up the hash key and change the password

idle> connect / as sysdba
Connected.
sys@XE> select username,password from dba_users where username='HR';

USERNAME                       PASSWORD
------------------------------ ------------------------------
HR                             4C6D73C3E8B0F0DA

sys@XE> alter user hr identified by passwd;

User altered.

From session 2; -- try to log on with the old password

idle> connect hr/hr
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

From session 1; -- log in with the temporary password, do your job and change it back

idle> connect hr/passwd
Connected.
hr@XE> .....
-- do your job
hr@XE> connect / as sysdba
Connected.
sys@XE> alter user hr identified by values '4C6D73C3E8B0F0DA';

User altered.

From session 2; -- voilà, the old password is still working

idle> connect hr/hr
Connected.

Because this feature is undocumented, try it carefully !!!
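From the other side of the fence, the sequence above leaves a recognisable trace: a plain ALTER USER ... IDENTIFIED BY followed a few minutes later by IDENTIFIED BY VALUES on the same account. As an added example (not from the post or from Red Database Security), here is a small Python check that pairs those two events over audit rows; the rows are constructed in the shape of DBA_AUDIT_TRAIL's TIMESTAMP, USERNAME and SQL_TEXT columns and assume ALTER USER auditing is switched on so that SQL_TEXT is captured.

```python
import re
from datetime import datetime

# Constructed sample rows (TIMESTAMP, USERNAME, SQL_TEXT); not real audit output.
SAMPLE_AUDIT = [
    ("2007-04-23 10:30:05", "SYS", "select username,password from dba_users where username='HR'"),
    ("2007-04-23 10:30:12", "SYS", "alter user hr identified by passwd"),
    ("2007-04-23 10:33:40", "SYS", "alter user hr identified by values '4C6D73C3E8B0F0DA'"),
    # A lone IDENTIFIED BY VALUES with no preceding plain change (the lock-out
    # trick from the comments) is not a restore, so it is not paired below.
    ("2007-04-23 11:05:00", "SYSTEM", "alter user scott identified by values 'Totally Secured'"),
    ("2007-04-23 11:06:00", "SYSTEM", "alter user scott identified by tiger"),
]

ALTER_RE = re.compile(
    r'^\s*alter\s+user\s+"?(\w+)"?\s+identified\s+by\s+(values\b)?', re.IGNORECASE)


def classify(sql_text):
    """Return (USER, kind) for an ALTER USER ... IDENTIFIED BY statement, else None.
    kind is 'restore' when the hash is written directly (IDENTIFIED BY VALUES)
    and 'set' for an ordinary cleartext password change."""
    m = ALTER_RE.match(sql_text)
    if not m:
        return None
    return m.group(1).upper(), ("restore" if m.group(2) else "set")


def find_hash_restores(records, window_minutes=60):
    """Pair each plain password change with the next IDENTIFIED BY VALUES on the
    same user inside window_minutes: the fingerprint of 'change it, use it,
    put the old hash back'. Returns one finding per matched pair."""
    pending = {}   # user -> (timestamp, actor) of an as yet unmatched plain change
    findings = []
    for ts_text, actor, sql_text in records:
        parsed = classify(sql_text)
        if parsed is None:
            continue
        user, kind = parsed
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if kind == "set":
            pending[user] = (ts, actor)
            continue
        start = pending.pop(user, None)
        if start is None:
            continue
        gap = int((ts - start[0]).total_seconds())
        if gap <= window_minutes * 60:
            findings.append({"user": user, "actor": actor, "set_at": start[0],
                             "restore_at": ts, "seconds": gap})
    return findings
```

Any IDENTIFIED BY VALUES statement is worth reviewing on its own as well; the pairing only singles out the temporary-impersonation pattern.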


4 Comments »

  1. It's been a known feature since at least v5 of Oracle. The only thing that I would caution is if you are attempting to lock up the SYS and SYSTEM accounts so that no one can get in w/o having to set a new password.

    For example, alter user SYSTEM identified by values ‘Totally Secured’ will prevent anyone from hacking SYSTEM by any password guessing methods since the hashed value will never equal to ‘Totally Secured’. The only way then, is to reset the password if you need to use the SYSTEM account.

    The caution is obviously to ensure that you do have another account that is given the privilege to reset other users' passwords; otherwise, if you set SYS and SYSTEM as above and you don't have another account with the privilege to reset the password, you are locked out of your db, although you can still get in via the OS level with "connect / as sysdba", which is deprecated in 10g.

    Comment by Peter K — April 23, 2007 @ 8:10 pm

  2. Thanks a lot for your comment Peter. I think the entry is really complete now.

    Comment by coskan — April 23, 2007 @ 9:26 pm

  3. [...] table, so to change the password temporarily, it is not possible to use the way I explained here [...]

    Pingback by Alter user identified by values on 11G without using SYS.USER$ « Coskan’s Approach to Oracle — March 11, 2009 @ 11:14 am

