Pete Finnigan's Oracle Security Forum


    
      
        Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Password Verification Function
        
(Message started by: Pete Finnigan on Sep 20^th, 2007, 7:49pm)

Title: Password Verification Function
Post by Pete Finnigan on Sep 20^th, 2007, 7:49pm

Hi,

Presently, I'm exploring Oracle's password management capabilities. I am attempting to check the strength of a password. I know that I need to create a function (ie. verify_function) in which the checks on the composition/structure of the password is to be performed.

I've attempted to create a package that contains this function, verify_function. The other functions in the package are called from verify_function.

I've set this function as the value of the password verification parameter in a particular profile being used.

PASSWORD_VERIFY_FUNCTION verify_function;

These activities were performed in the SYS schema.

However, verify_function function is not being found when I attempt to change the password of a user attached to the particular profile...

Is it possible to set this up as I did ???.....having the verify function in a package ??

Any feedback will be welcome....thanka alot..

Title: Re: Password Verification Function
Post by Pete Finnigan on Sep 21^st, 2007, 9:20am

Hi,

Can you show us the exact statement you used to attach the function to the profile? - from your simple example you dont qualify the package name but you say the function is in a package?

cheers

Pete

Title: Re: Password Verification Function
Post by Pete Finnigan on Sep 25^th, 2007, 3:02pm

Hi,

I apologize for my tardy reply. I've been away for a short period. As requested....

ALTER PROFILE DEFAULT LIMIT
....
....
PASSWORD_VERIFY_FUNCTION Password_Verification.verify_function(username, password, old_password);

The package declarations are as follows :-

CREATE OR REPLACE PACKAGE Password_Verification AS

FUNCTION verify_function (username IN varchar2, password IN varchar2, old_password IN varchar2)

RETURN boolean;
...
...

CREATE OR REPLACE PACKAGE BODY Password_Verification AS

FUNCTION verify_function
(username IN varchar2, password IN varchar2, old_password IN varchar2)
...
...
------------------------
The package was compiled/created successfully.

When I attempt to execute the ALTER PROFILE statement, the following error is returned :-

ora-02376 - Invalid or redundant resource.

I assume the package has not been recognized or is deemed invalid ???

I'm not a DBA.....just working on this particular aspect...new to packages etc..

I'm testing to determine what's the source of the problem...the package..the function within the package....not sure.

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 9^th, 2007, 5:30pm

Any update on this thread? I am doing the exact same thing and experiencing the very same result. Must the password_verify_function be a standalone function?

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 9^th, 2007, 9:19pm

I haven't had any feedback on this issue. I'm not sure if the password verification function MUST exist as stand-alone....doesn't seem to be working if a package is used. I would appreciate any assistance if you are successful.

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 9^th, 2007, 11:54pm

According to OracleMetalink Note:241621.1

You cannot use the syntax <package>.<function> or <schema>.<package>.<function> to specify the value for PASSWORD_VERIFY_FUNCTION in ALTER PROFILE / CREATE PROFILE commands because these are not valid syntaxes. You must specify a standalone function owned by SYS .

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 10^th, 2007, 12:12am

Looks like the syntax demands a function. That function can call a function in another package

Code:

create function vf (username IN varchar2, password IN varchar2, old_password IN varchar2) RETURN boolean
is
begin
return Password_Verification.verify_function(username,password,old_password);
end;

Or you can use subprocedures/functions in a function.

Code:

create function vf (username IN varchar2, password IN varchar2, old_password IN varchar2)
RETURN boolean
is
function vf1 return boolean is
begin
return true;
end;
begin
return vf1;
end;

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 10^th, 2007, 8:42am

Thanks for your reply Gary, I opened this thread sometime ago intending to reply and then promptly forgot. Thanks again Gary.

cheers

Pete

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 10^th, 2007, 3:06pm

I'm thankful for the feedback provided on this issue. I believe I've tried using the stand-alone function that calls a function in another package.....can't remember what the result was...need to do it again.....
However, could you indicate if you've been successful using this approach ? Thanks.

Title: Re: Password Verification Function
Post by Pete Finnigan on Oct 11^th, 2007, 9:21am

Hi,

Yes i have used an approach that uses a standalone function owned by SYS that then calls other functions in a package.

cheers

Pete

Title: Re: Password Verification Function
Post by Pete Finnigan on Nov 26^th, 2007, 9:02pm

You probably have your answer already but if not, here's the approach I use:

As sysdba:
CREATE OR REPLACE FUNCTION pwd_verify
(username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
...
...
END;

Then you can assign it to the profile either as you create the profile or afterwards.

Here's the post profile creation format:
ALTER PROFILE default LIMIT PASSWORD_VERIFY_FUNCTION pwd_verify;

An interesting note is I modified my function to require a minimum of 15 character passwords. OEM does not seem to pick it up very well.