McPwfile: check your Oracle password files [message #651191]
Thu, 12 May 2016 09:12
Michel Cadot
Messages: 68728 Registered: March 2007 Location: Saint-Maur, France, https...
Senior Member Account Moderator
I was asked to create something (write a script?) that would allow detecting modifications in Oracle password files.
My first (obvious) idea was to create a new account in each database (to avoid using a current privileged one) with only 2 privileges: CREATE SESSION and SELECT on V$PWFILE_USERS, then create a shell script which will connect to each database with this account and query this latter view, spooling the result to a file, and make a "diff" with the previous one.
Well, I did not like the idea of creating an account that has the privilege to name all accounts with SYSDBA privilege or the like, just a new security hole for me. And the idea of having to connect to each database...
My second idea was to make a "binary diff" on all password files with the previous ones saved somewhere. I don't know if you have ever looked at a "binary diff" report; it is hard to say it is easy to read.
In addition, due to the policy to change the passwords quite frequently, all files are highlighted at each check. Not to mention that a SYSOPER account getting a SYSDBA privilege is a change in a single bit in the file.
So I had to find something else, hence the program I present to you here: McPwfile.
Its help is the following one:
C:\>.\McPwfile -h
McPwfile Utility by Michel Cadot: Version 2021.12.07 on 07-DÉC.-2021 09:56:44
Copyright (c) Michel Cadot, 2016-2021. All rights reserved.

Usage: McPwfile.exe { -h | [-dir <directory>] [-psw] [-v] <pwfile> [...] }
with
  -dir <directory>  Gives the default directory if not given in file names;
                    default is current working directory.
  -psw              Displays the authentication types and password hash values.
  -v                Verbose mode; displays informative messages, warnings,
                    and disabled entries; "-v" implies "-psw"
  <pwfile>          Gives an Oracle password file; wildcard characters are allowed;
                    several password file can be given.

The program is provided as it is without any guarantees or warranty. Although the
author has attempted to find and correct any bugs in this free program, the author
is not responsible for any damage or losses of any kind caused by the use or misuse
of the program. The author is under no obligation to provide support, service,
corrections, or upgrades to this program.
You can freely use, copy and distribute this program but you can't modify it without
the permission of the author you can contact on http://www.orafaq.com

You can post your comments, ask for improvements, report bugs... on the program at
http://www.orafaq.com/forum/t/200886/
I encourage you to subscribe to this topic (link at top of the page) if you want to
be informed when a new version is released.

You can give a list of password files; wildcard characters are allowed. You can give a specific directory for the files with no path or a relative path using the "-dir" parameter.
Here's an example of the output:
C:\>.\McPwfile -dir D:\ PWDMIKB2.ora PWDtst1212c.ora
McPwfile Utility by Michel Cadot: Version 2021.12.07 on 07-DÉC.-2021 17:19:26
Copyright (c) Michel Cadot, 2016-2021. All rights reserved.

Checking file D:\PWDMIKB2.ora
  Creation date..... 08-mai-2016 19:17:07
  Last modification. 27-déc.-2015 20:55:56
  Size.............. 1.5 KB
  Detected format... 11g
  Valid entries
    SYS
      privilege. SYSOPER SYSDBA
    MICHEL
      privilege. SYSDBA
    U
      privilege. SYSDBA
    SCOTT
      privilege. SYSDBA
    NTD
      privilege. SYSOPER SYSDBA SYSASM

Checking file D:\PWDtst1212c.ora
  Creation date..... 08-mai-2016 19:16:30
  Last modification. 08-mai-2016 19:16:30
  Size.............. 7.5 KB
  Detected format... 12.1
  Valid entries
    SYS
      privilege. SYSOPER SYSDBA
    SYSDG
      privilege. SYSDG
    SYSBACKUP
      privilege. SYSBACKUP
    SYSKM
      privilege. SYSKM

You can ask for the authentication types and password hash values using the "-psw" option.
The "verbose" option (-v), which implies the "-psw" option, gives you some more information:
- less useful information about the file
- warning messages (some inconsistencies the program detects)
- disabled entries in the file
- starting with 12.1.0.2, SHA-2 verifier.
This may help you to explain some strange things you may encounter and warn you about Oracle bugs or hacked password files.
C:\>.\McPwfile -v -dir D:\ PWDMIKL.ora
McPwfile Utility by Michel Cadot: Version 2021.12.07 on 07-DÉC.-2021 17:21:49
Copyright (c) Michel Cadot, 2016-2021. All rights reserved.

Checking file D:\PWDMIKL.ora
  Creation date..... 04-déc.-2021 18:52:37
  Last modification. 06-déc.-2021 18:04:38
  Size.............. 41 KB
  Detected format... 12.2
  Data block........ size: 2560 bytes, nb: 16
  Options........... allow_sysdba case_sensitive
  Entries
    SYS
      authentication. PASSWORD
      password....... S:134EEA28D27C82114C3592F4E3EB3765C14CE961352D6FB51DE3EB1627CF
                      T:91A4BFA49092D83FC6466EA8CC061903DDC68BCF15CA5F45E16B4B0343B87AE569F16A4612A1A66C
                      CA10FBEC46049DE104D01AE9426F662CAECF9D9A9D5DD9C6F1FF3F01801AF7F06EA4C5EDD6EF2CAA
      privilege...... SYSOPER SYSDBA
    SYSDG
      authentication. NONE
      privilege...... SYSDG
    SYSBACKUP
      authentication. NONE
      privilege...... SYSBACKUP
    SYSKM
      authentication. NONE
      privilege...... SYSKM
    C##TEST_EXTERN
      authentication. EXTERNAL
      external name.. KerberosTestExtern#@michel.com
      privilege...... SYSOPER
    C##TEST_GLOBAL
      authentication. GLOBAL
      global name.... cn:TestGlobal#
      privilege...... SYSOPER
    C##TEST_NOAUTH
      authentication. NONE
      privilege...... SYSOPER
    C##TEST_NORMAL
      authentication. PASSWORD
      password....... S:848C12F8EAD097ED799CFCF020280D0475C6E09874B85C370281571B30AA
                      T:BC9693C40547F9272694B0E018C654056341A27CE1E1E2E09F31B001BEED9130B146230DD6AA9F16
                      828047B30DE48E55E6DA73D55F847FD0F394A9F9A48C85E4D5F581B132645177779B5AC27A7F20FA
      privilege...... SYSOPER

The program has been tested with Windows and Linux password files, for Oracle versions from 8iR3 (8.1.7) to 21c (21.3). There may be some differences with other Unix flavors. If you have any problem don't hesitate to contact me and I'll fix the program.
Latest version: 2021.12.07, download from the orapwd wiki page.
MD5: ec407ead388927528b2cb9fd2f8c5a2b
SHA-1: a5135b9cce18359c8a739ccf5ed470783ab76af4
[Updated on: Tue, 07 December 2021 10:41]
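Added example (not part of the original post and not McPwfile's own code): one way to use the default report for change detection is to parse it into user/privilege sets and compare against a saved baseline, so that password changes produce no noise while a SYSOPER entry gaining SYSDBA is reported. It assumes the default output layout shown above (no "-psw" or "-v"); the function names, the file name PWDDEMO.ora and the users OPS1 and TMPADM are constructed for illustration.

```python
import re
# Attribute lines look like "privilege. SYSOPER SYSDBA": lowercase label, dots, value.
ATTR = re.compile(r"^([a-z][a-z ]*?)\.+\s+(.*)$")

def parse_report(text):
    """Return {password_file: {user: frozenset(privileges)}} from a McPwfile report."""
    files, entries, user, in_entries = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()                      # indentation is not significant
        if line.startswith("Checking file "):
            entries = files.setdefault(line[len("Checking file "):], {})
            user, in_entries = None, False
        elif line == "Valid entries":
            in_entries = True
        elif in_entries and line:
            m = ATTR.match(line)
            if m is None:                       # not an attribute line: a user name
                user = line
                entries[user] = frozenset()
            elif m.group(1) == "privilege" and user is not None:
                entries[user] = frozenset(m.group(2).split())
    return files

def diff_reports(old, new):
    """Return (file, user, change) tuples; only entries and privileges are compared."""
    changes = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path, {}), new.get(path, {})
        for name in sorted(set(before) | set(after)):
            b, a = before.get(name), after.get(name)
            if b is None:
                changes.append((path, name, "added with " + " ".join(sorted(a))))
            elif a is None:
                changes.append((path, name, "removed"))
            elif a != b:
                delta = ["+" + p for p in sorted(a - b)] + ["-" + p for p in sorted(b - a)]
                changes.append((path, name, " ".join(delta)))
    return changes

# Constructed sample reports in the layout shown above (not from a real system).
BASELINE = r"""Checking file D:\PWDDEMO.ora
Valid entries
SYS
privilege. SYSOPER SYSDBA
OPS1
privilege. SYSOPER
"""
CURRENT = BASELINE.replace("privilege. SYSOPER\n", "privilege. SYSOPER SYSDBA\nTMPADM\nprivilege. SYSDBA\n")
print(diff_reports(parse_report(BASELINE), parse_report(CURRENT)))
```

The baseline report should be stored where the accounts being monitored cannot rewrite it, otherwise a change to the password file and to the baseline can be made together.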
Re: McPwfile: Check your Oracle password files [message #665931 is a reply to message #651191]
Tue, 03 October 2017 04:19
Michel Cadot
New features are:
- Full support of 12cR1 release (previously 12.1.0.1 only)
- Full support of 12cR2 release (12.2.0.1)
Reminder:
- 11g introduces SHA-1 passwords and case sensitivity
- 12.1.0.1 introduces long user names (127 bytes), and SYSBACKUP, SYSDG and SYSKM privileges
- 12.1.0.2 introduces SHA-2 passwords
- 12.2.0.1 introduces external names and removes <11g passwords (even with 12.1 format)
[Updated on: Sun, 15 October 2017 04:08]
Re: McPwfile: Check your Oracle password files [message #685315 is a reply to message #680200]
Tue, 07 December 2021 10:45
Michel Cadot
A new version (2021.12.07) has been released with:
- Support of 21c
- Improved display (mostly in authentication part with "-psw" or "-v" option)
- Format 12.2: fixed bugs and improved inconsistency detection
If you find any problem don't hesitate to post here and I'll fix the program.