[ 
https://issues.apache.org/jira/browse/DERBY-5648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13228250#comment-13228250
 ] 

Knut Anders Hatlen commented on DERBY-5648:
-------------------------------------------

I agree that there's no strong reason to disallow SYSCS_MODIFY_PASSWORD 
completely in databases that don't use NATIVE::LOCAL.

I think SYSCS_MODIFY_PASSWORD, SYSCS_RESET_PASSWORD and SYSCS_DROP_USER should 
fail if the user doesn't exist locally. It is a valid concern that a non-DBO 
user can use this to fish user names. However, that non-DBO user must be 
granted some admin rights by the DBO before, so it must be a trusted user in 
the first place. Also, someone with those rights has a much easier way to probe 
the user database: reset the password of a user account and then log on using 
the fresh credentials.
                
> Unclear password expiry warning when using separate credentials db
> ------------------------------------------------------------------
>
>                 Key: DERBY-5648
>                 URL: https://issues.apache.org/jira/browse/DERBY-5648
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 10.9.0.0
>            Reporter: Knut Anders Hatlen
>            Priority: Minor
>
> If you log on to a database (other than the credentials db) and your password 
> is about to expire, you'll be advised to change your password using the 
> SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure. However, the warning message does 
> not say you need to log on to the credentials db to change your password. 
> This may lead the user to modify the password in the current database instead 
> of the credentials database, thinking everything is well.
> ij(CONNECTION1)> connect 'jdbc:derby:otherdb;user=test;password=abc';
> WARNING 01J15: Your password will expire in 0 day(s). Please use the 
> SYSCS_UTIL.SYSCS_MODIFY_PASSWORD  procedure to change your password.
> ij(CONNECTION2)> CALL SYSCS_UTIL.SYSCS_MODIFY_PASSWORD('new-password');
> 0 rows inserted/updated/deleted
> ij(CONNECTION2)> connect 'jdbc:derby:otherdb;user=test;password=new-password';
> ERROR 08004: Connection authentication failure occurred.  Reason: Invalid 
> authentication..
> Even though SYSCS_MODIFY_PASSWORD succeeds, the password has not been updated 
> in the credentials db.
