Oracle Passwords...

[THoey]

I posted this in the Oracle 5,6,7 thread, but thought I would post it here just in case some of you used to work with it.

*********************************************************

I am pretty sure I already know the answer to this question, but I don't like it.

About a year ago, I got assigned a Unix server with an Oracle 7.3.4 database running on it. We had a Unix System Administrator officially assigned to it and a Oracle DBA that, although not officially assigned, would perform duties on it as needed.

Since then, that Oracle DBA left the company. His replacement for all of the projects that he was officially assigned to, came on board, but pretty much refused to work on that server, since he wasn't officially assigned to it. I asked the Unix Administrator who would be the "DBA" for it and she said that her and I would do what we could and we could get help if we really needed it. With my Oracle experience, I was fine with that.

Well, since then, the Unix Admin has also left. She handed off all of her responsibilities to a developer that I work with, who has done a fine job. Until... I found out that I know more passwords to the Oracle than he does.

We have an OS authenticated account that has DBA privileges, but that is the best we have. And even it doesn't have Admin privileges (able to grant DBA privileges). No passwords for the SYS or SYSTEM level accounts.

I know this is a scary question, but is there any way to change the SYS or SYSTEM passwords so that we have them or a backdoor into the database? Maybe even a decryption script that will give us the current passwords. I gather not, since all security would be out the door, but I figured it was worth a try...

Thanks for any help...
[sig]<p>Terry M. Hoey<br><a href=mailto:th3856@txmail.sbc.com>th3856@txmail.sbc.com</a><br><a href= > </a><br>Ever notice that by the time that you realize that you ran a truncate script on the wrong instance, it is too late to stop it?[/sig]

 

[THoey]

Nevermind... As I was wandering through Oracle's Tech site yesterday, I saw that and was going to try it. But then I saw something else. The DEFAULT password that is created when Oracle is installed. Nah, they had to have changed it. These people are too anal to leave a default password. Doh!!!

I'm in and have changed all the passwords. I also created a list of these new passwords and distributed them as necessary like what should have been done in the first place. [sig]<p>Terry M. Hoey<br><a href=mailto:th3856@txmail.sbc.com>th3856@txmail.sbc.com</a><br><a href= > </a><br>Ever notice that by the time that you realize that you ran a truncate script on the wrong instance, it is too late to stop it?[/sig]

 

[dbachpb]

You may also find that most DBA do not use a password file for the user INTERNAL. This user is equivalent to SYS.
What you do is connect with the user INTERNAL and then you can change any users passwd. [sig][/sig]

 

[budding]

Hi,
As a follow up of this answer from dbachpb, I would like to know who asssigns the INTERNAL user without any password(&quot;blank&quot; password) and where is it assigned?? If, for argument sake, I would like to change the password of the INTERNAL, how can I do that??

Also, I heard that in Oracle 8i, there is no concept of INTERNAL and only SYSTEM & SYS. Is it true???

Ta..

Kk

 

[dbachpb]

reply to BUDDY:
The user INTERNAL is created at installation of the rdbms.
You are right, Oracle does support INTERNAL with ORACLE 8.1.7 and above.
If you want to create a password for INTERNAL, you have to create a specific password file.
here is how :
To create a password file log in as the Oracle software owner and issue the command:
orapwd file=$ORACLE_HOME/dbs/orapw$ORACLE_SID password=mypasswd

using the required password. The file name is important and should be specified as above. You should create this file when the database is shut down.
To change a password:
- shut down the database,
- Rename the $ORACLE_HOME/dbs/orapw$ORACLE_SID file
- Issue a new orapwd command with a new password


You would be surprised to see how many companies do not have a password file for INTERNAL and have left default passwords for system and sys users. That must be why security is such a hot topic these days.

 

[MrBass]

How can you change the SYS account default password for SYSDBA and SYSOPER privileges? I've managed to change it for Normal privileges by using:
ALTER USER SYS IDENTIFIED BY new_pwd; I thought that would work for the three different levels but if I try to connect as SYSDBA the old password still works and the new one doesn't!

Can anyone help me out??

 

[karluk]

I think your sysdba logins are failing because they use the internal account, not sys. Try using dbachpb's suggestion to change the internal password using the &quot;orapwd&quot; command.

 

[MrBass]

Unfortunately I'm running Oracle on NT. Do you know the NT equivalent for dbachpb's method?

 

[karluk]

Orapwd is not platform specific. It should work on any O/S, including Windows NT.

 

[MrBass]

Many Thanks karluk - found where I was going wrong, I was searching for the ORAPWD file when I should have been looking for ORAPWD80 - you live and learn!