Oracle 8.1.6 Alter User command fails with VERIFY_FUNCTION

Oracle 8.1.6 Alter User command fails with VERIFY_FUNCTION

Post by Michael Dod » Fri, 08 Jun 2001 08:01:47



Try this :

Opt to use the VERIFY_FUNCTION in your profile.
as a normal user (no ALTER ANY USER)

SQL> create user testing identified by testing_1;

User created.

SQL> grant connect to testing;

Grant succeeded.

SQL> connect testing/testing_1;
Connected.
SQL> alter user testing identified by qaz_1qaz;
alter user testing identified by qaz_1qaz
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed

SQL> connect system/password;
Connected.

SQL> grant alter user to testing;

Grant succeeded.

SQL> connect testing/testing_1;
Connected.
SQL> alter user testing identified by qaz_1qaz;

User altered.

SQL> alter user system identified by qaz_1qaz;

User altered.

SQL>

The problem isn't with the password - the problem is with the use of
ALTER USER without having ALTER USER permissions granted to the user.
Once that is granted the user can change any user he or she wants to.
That's the real problem here.   The verify function prohibits the use
of the ALTER USER command in 8.1.6 and higher.

Does anyone have a solution?   I am looking at avoiding the use of the
verify_function.   Oracle suggests using SQL*Plus or the OCI call in a
DLL.  That is not satisfactory.   We need to have other solutions to
this.

 
 
 

Oracle 8.1.6 Alter User command fails with VERIFY_FUNCTION

Post by Daniel A. Morga » Fri, 08 Jun 2001 14:56:30



> Try this :

> Opt to use the VERIFY_FUNCTION in your profile.
> as a normal user (no ALTER ANY USER)

> SQL> create user testing identified by testing_1;

> User created.

> SQL> grant connect to testing;

> Grant succeeded.

> SQL> connect testing/testing_1;
> Connected.
> SQL> alter user testing identified by qaz_1qaz;
> alter user testing identified by qaz_1qaz
> *
> ERROR at line 1:
> ORA-28003: password verification for the specified password failed

> SQL> connect system/password;
> Connected.

> SQL> grant alter user to testing;

> Grant succeeded.

> SQL> connect testing/testing_1;
> Connected.
> SQL> alter user testing identified by qaz_1qaz;

> User altered.

> SQL> alter user system identified by qaz_1qaz;

> User altered.

> SQL>

> The problem isn't with the password - the problem is with the use of
> ALTER USER without having ALTER USER permissions granted to the user.
> Once that is granted the user can change any user he or she wants to.
> That's the real problem here.   The verify function prohibits the use
> of the ALTER USER command in 8.1.6 and higher.

> Does anyone have a solution?   I am looking at avoiding the use of the
> verify_function.   Oracle suggests using SQL*Plus or the OCI call in a
> DLL.  That is not satisfactory.   We need to have other solutions to
> this.

This is a known and very well reported "feature".

There is no solutions and my understanding is that this is by design.

Daniel A. Morgan

 
 
 

Oracle 8.1.6 Alter User command fails with VERIFY_FUNCTION

Post by Michael Dod » Sat, 09 Jun 2001 10:44:18


On Wed, 06 Jun 2001 22:56:30 -0700, "Daniel A. Morgan"

Are there any work arounds for this.   We have to meet an audit point,
this issue has been causing us a lot of headaches.   In the auditor
opinion - we upgraded to a less secure version of Oracle (going from
8.1.5 to 8.1.6).

I am thinking of some work around, such as a database trigger to force
users to have their password meet certain criteria.  Anything out
there?

 
 
 

Oracle 8.1.6 Alter User command fails with VERIFY_FUNCTION

Post by Brian Peaslan » Sat, 09 Jun 2001 23:06:26


I believe that there was an article in Oracle Magazine or something on
this particular problem. According to the tip, one needs to create a
public synonym for the verification function. I'd like to get this to
work as well since I can't use the OCI call or the SQL*Plus password
command in Oracle Forms.

Thanks,
Brian

> On Wed, 06 Jun 2001 22:56:30 -0700, "Daniel A. Morgan"


> Are there any work arounds for this.   We have to meet an audit point,
> this issue has been causing us a lot of headaches.   In the auditor
> opinion - we upgraded to a less secure version of Oracle (going from
> 8.1.5 to 8.1.6).

> I am thinking of some work around, such as a database trigger to force
> users to have their password meet certain criteria.  Anything out
> there?

--

====================================
Brian Peasland

Raytheon at USGS EROS Data Center
Mundt Federal Building
Sioux Falls, SD 57198

 
 
 

1. VERIFY_FUNCTION vs ALTER USER, ORA-28003

Apparently Oracle added a nice feature with 8i (?) allowing us to
implement more strict password choices - by setting and using the
VERIFY_FUNCTION we can now force users to make better choices.

But Oracle never just gives you something, apparently they took away
the ability for the User to set their password using the ALTER USER
command.    They can use the PASSW(ord) command in SQL*Plus, or create
a DLL to call the Oracle OCI function OCI_changepassword (sp?).
Neither of these are acceptable solutions for us - we don't have users
that have access to SQL*Plus and we don't want to support a C++
program.

What are other folks doing to get around this mixed blessing?

2. Datacontrol, dblist and dbgrid

3. alter database mount failed HPUX 11.0 ORACLE EE 8.1.5

4. How good is D3 with Access 2.0 database??

5. Alter an Oracle user name

6. Help with SQL PLUS message 'Input truncated to ... characters'

7. ALTER USER diff Oracle7 vs Oracle 8

8. ISQL & LINUX

9. alter user to change user's password returns pg_shadow: Permission

10. No response from oracle adodb call that updates User Password via an Alter User Command.

11. User / System DSN fails to connect Oracle Database using Microsoft ODBC for Oracle

12. Oracle and ADO command.execute- Create Trigger Fails