Forum Stats

  • 3,741,779 Users
  • 2,248,475 Discussions
  • 7,861,990 Comments

Discussions

How to update the password hash version for SYS?

charlesdschultz
charlesdschultz Member Posts: 26 Blue Ribbon
edited Jun 7, 2019 3:12PM in Database Security - General

I filed an SR over 4 months ago, and Oracle Support has been UTTERLY useless in trying to tell us how to update the version of the password hash for the SYS user. I am actually amazed at how bad Oracle Support has been.

Currently, our SYS user shows a 10g password version. We wish to update/upgrade the version to 12c (and later versions once we deploy 19c). "alter user sys identified by ...." does not do the trick. orapwd does not do the trick. We have tried playing around with the sqlnet.ora .ALLOWED_LOGON_VERSION* parameters (both SERVER and CLIENT), as well as the the database sec_case_sensitive_logon and REMOTE_LOGIN_PASSWORDFILE parameters. What have we missed?

Database: OSEE 12.2

OS: Solaris 11

$ sqlplus / as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri May 24 08:26:42 2019

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

Connected to:

Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> select password_versions from dba_users where username = 'SYS';

PASSWORD_VERSIONS

-----------------

10G

Tagged:
Emad Al-MousaandrewmyIrisSun-Nokia

Answers

  • Gaz in Oz
    Gaz in Oz Member Posts: 3,778 Bronze Crown
    edited May 24, 2019 1:47PM

    The documentation states you need to EXPIRE the user's password and then login as that user and get prompted to change it. Follow this if you can not currently login as sys with password.

    Database Security Guide - Oracle 12.2

    See the walk though example an try that on sys.

    NOTE: Step 2.b says "restart the database", I think they meant "restart the listener"!

    This should give user 10g 11g 12c dba_users.password_versions.

    ...and then follow this if you want sys to be exclusively 12c:

    Database Security Guide - Oracle 12.2 ...

    Emad Al-Mousaandrewmy
  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy
    edited May 25, 2019 5:06PM

    Hi,

    to add to what Gaz stated:

    SYS password can only be changed through password file starting from Oracle 12cR2

    https://databasesecurityninja.wordpress.com/2019/04/01/changing-sys-password-in-oracle-12cr2-and-18c/

    are you sure you connected from the client (sqlplus , sqldeveloper, TOAD,....etc) using SYS account to the database ? This fresh connection should update the password version with sqlnet.ora .ALLOWED_LOGON_VERSION=12

    Regards,

  • charlesdschultz
    charlesdschultz Member Posts: 26 Blue Ribbon
    edited Jun 7, 2019 3:12PM

    Because I was not finding any solutions that answered my question, I tested a direct update to dba_users in a test database. This was the only way I could find to explicitly update the password hash for SYS.

    Having said that, it finally dawned on me what the documentation is trying to say; I wish the documentation would be a little more clear. Ultimately, the orapw file becomes the authoritative source of the SYS password. It doesn't matter if my SYS password is old or new. In fact, I can have a null password as seen from dba_users - doesn't matter because the real password is in the orapw file.

    IrisSun-Nokia
Sign In or Register to comment.