5 Replies Latest reply: Oct 31, 2012 4:33 PM by JustinCave

    compare database password verification both database and Linux

    592815
      Hi Friends,

      Oracle 11g2 applies a database profile with a password verification function in Password Management. But some DBAs claim to apply a Linux shell script to verify the Oracle account password during database connection.

      Please let me know which method (database profile with verification function; Linux shell script) is best?
      What are each method's benefits and disadvantages in terms of security control? Or any more information.

      Thanks

      newdba
        • 1. Re: compare database password verification both database and Linux
          Brian Bontrager
          You seem to be asking for a comparison of two unrelated things?

          The password verify function is used to enforce a desired level of password complexity when changing an Oracle password inside the database. It is not used when establishing a database connection.

          I don't see how a shell script could verify a database password as part of making a connection. That password is stored inside the database, so you have to connect to check it. The stored password hash is not a form that a shell script could use to verify anything.

          Perhaps I'm misunderstanding the question?
          • 2. Re: compare database password verification both database and Linux
            592815
            Sorry, I mean that a Linux shell script verifies database password complexity at the desired level, to replace the Oracle 11g2 profile with a password verify function.


            Thanks
            Newdba
            • 3. Re: compare database password verification both database and Linux
              Brian Bontrager
              OK that makes more sense.

              Benefits of the Oracle password verify function:
              It works within the database - no need to call out to shell.
              It is integrated with the database's password change functionality and authentication process.

              Disadvantages of Oracle password verify function:
              Any I can think of are also disadvantages of an external script, such as you need to protect and verify your code to ensure it cannot be modified to silently log passwords to some other location.

              Benefits of a shell script:
              If you are an expert in shell scripting, but not PL/SQL, this will appear faster to develop (but see below).

              Disadvantages of a shell script:
              You cannot enforce use of the shell script. None of the usual password change methods in Oracle call it or know it exists. Any user can use the sqlplus "password" command and circumvent your password validation shell script.
              A shell script might be faster to write at first, but then you still have to write code inside Oracle to call that script which exists outside the database. This is generally more complex code than you would have to write for a password complexity function.
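The in-database enforcement described in this reply, as an added example that is not part of the thread (the function name, thresholds, profile name and user name are assumptions): the verification function is owned by SYS and becomes mandatory for a user as soon as that user's profile references it.

```sql
-- Added example (not from the thread): a SYS-owned password verification
-- function attached to a profile. Name, thresholds and the user are assumptions.
CREATE OR REPLACE FUNCTION sys.verify_pw_example (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    differ PLS_INTEGER := 0;
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    -- Reject passwords that contain the username (case-insensitive)
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the username');
    END IF;
    -- Require all four character classes
    IF REGEXP_COUNT(password, '[A-Z]') = 0
       OR REGEXP_COUNT(password, '[a-z]') = 0
       OR REGEXP_COUNT(password, '[0-9]') = 0
       OR REGEXP_COUNT(password, '[^A-Za-z0-9]') = 0 THEN
        raise_application_error(-20003, 'Password needs upper, lower, digit and special characters');
    END IF;
    -- Must differ from the previous password in at least 3 positions.
    -- old_password is NULL when a DBA resets another user's password, so skip then.
    IF old_password IS NOT NULL THEN
        differ := ABS(LENGTH(password) - LENGTH(old_password));
        FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        IF differ < 3 THEN
            raise_application_error(-20004, 'New password is too similar to the old one');
        END IF;
    END IF;
    RETURN TRUE;
END;
/
-- The profile is what makes the function mandatory: every ALTER USER ... IDENTIFIED BY,
-- SQL*Plus "password" command or GUI password change for users with this profile runs it.
CREATE PROFILE app_users LIMIT
    PASSWORD_VERIFY_FUNCTION verify_pw_example
    PASSWORD_LIFE_TIME       90
    PASSWORD_REUSE_TIME      365
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24;

ALTER USER app_user PROFILE app_users;
```

A shell script has no equivalent hook; the profile is the only place the database itself will call your check.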
              • 4. Re: compare database password verification both database and Linux
                592815
                Thanks for your advice!
                If a consultant does this task for us, which method is best, and for what reason?

                Edited by: Oradb on Oct 31, 2012 1:53 PM
                • 5. Re: compare database password verification both database and Linux
                  JustinCave
                  Oradb wrote:
                  If a consultant does this task for us, which method is best, and for what reason?
                  It doesn't matter who is implementing it.

                  If a shell script is enforcing password complexity, you would have to guarantee that no application ever did a password change without calling the script. That seems highly unlikely. Someone will want to change their password using SQL*Plus. Someone will want to change their password via TOAD or some other GUI. Someone will want to change their password using some other front end. A password verification function in the database will be invoked in all of these cases. A shell script will not. Unless you have an exceedingly expensive consultant that is an expert in shell scripting who has no experience whatsoever with PL/SQL and unless you can guarantee that no one today or in the future will want to use any of the established APIs to change their password rather than calling the shell script, use a password verification function.

                  Of course, if you want to get really technical, you could create a password verification function that, in turn, calls out to an operating system shell script. That would be a hugely overcomplicated architecture but it can be done.

                  Justin