We are getting an "IBM DB2 Universal Database Known Default Password Vulnerability" alert in PCI scans. To fix this we should change the DB2 default password.
Can anybody from DBA help us with this?
For more information on this please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0051
DB2 does not store user authentication credentials, but uses external systems for authentication - DB2 For Linux, Unix, Windows (LUW) by default uses underlying OS for auth.
If you have a Linux installation, SSH to the machine and check if the "db2inst1" user exists in the OS. If so, just change its password (sudo passwd db2inst1) in the OS shell. Of course this is only the default user name; your actual one may differ (but on Linux it will be the same as the DB2 instance name, hence the scanner's warning).
The "use underlying OS for authentication" is default on Windows machine as well, but db2 sysadmin user name may differ from instance name.
I stumbled upon PostgreSQL installations where there is a PostgreSQL user with the same name as an operating system (Linux) user. If you are logged into the operating system as such a user, you can usually log in to psql without specifying a username and password as this user.
How does this work? Is this a pure convention, or is there a special mechanism in PostgreSQL for this kind of behavior?
There are cases, where no corresponding PostgreSQL user is present for an operating system user. In this case, how do I create one, that can be logged into without having to specify username and password once I am logged into the operating system as this user?
There are several mechanisms. I don't know what makes a mechanism a special one, though.
The client always sends a username to the server. If you don't specify one to use then libpq-based clients look up the operating system name and use that. Some non-libpq-based clients might adopt the same convention.
For not requiring a password, maybe local connections are set to 'trust' in pg_hba.conf, in which case anyone else on the same machine can also log in to PostgreSQL as you, just by specifying your username to use, such as with -U martinw. Or maybe a password is required, but it is provided automatically via .pgpass file or via PGPASSWORD env variable, but if you set that up presumably you would remember doing so. Or maybe you have local connections set to peer in pg_hba, in which case the db server asks the OS "who is on the other end of this socket?" and verifies the answer matches the requested username (this is a common default setup, for example on Ubuntu Linux) or if a pg_ident map is in use, then it verifies the response system username is allowed to log in as the specified db username.
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-PASSFILE
Create a pgpass file: vim ~/.pgpass
Fill in your credentials: hostname:port:database:username:password
Exit the file and change the ~/.pgpass file access permission:
https://www.postgresql.org/docs/current/libpq-pgpass.html
chmod 0600 ~/.pgpass
If your Linux user is the same as one of the pgpass file users, then just type psql to connect to the database.
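The lookup and the permission requirement behind these steps, as an added Python example that is not part of the original answer. It follows the documented .pgpass rules (first matching line wins, `*` is a wildcard, `\:` and `\\` are escapes, and on Unix libpq ignores a file that group or others can access); the host names and passwords are constructed, and the special handling of `localhost` for Unix sockets is not modelled.

```python
import os
import stat

# Constructed sample ~/.pgpass content (raw string keeps the backslash escape).
SAMPLE = r"""# hostname:port:database:username:password
db.example.internal:5432:strapi_db:postgres:first\:secret
*:*:*:postgres:fallback
"""

def permissions_ok(path):
    """True if the file has no group/other access; libpq on Unix ignores it otherwise."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0

def split_fields(line):
    """Split on ':' while honouring the '\\:' and '\\\\' escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character is literal
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return fields + ["".join(cur)]

def lookup(text, host, port, database, user):
    """Return the password from the first matching line, or None."""
    want = (host, str(port), database, user)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = split_fields(line)
        # zip() stops after the four connection fields; the rest is the password.
        if len(f) >= 5 and all(p in ("*", w) for p, w in zip(f, want)):
            return ":".join(f[4:])
    return None
```

Because the first match wins, a broad `*:*:*:postgres:...` line placed above a specific one silently supplies the wrong password, and the file holds every password in clear text, which is why the 0600 mode matters.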
I am using the pg lib in a Strapi application, where initially it creates a Postgres connection using the correct PostgreSQL username (postgres), database name (strapi_db) and password (postgres), but after login it changes to connect using my Windows 10 username (rayappan.a, and database as rayappan.a). It seems strange to me because I never configured anything anywhere to use my Windows credentials for the PostgreSQL connection. Please, can anyone tell me how to fix this username connection issue?
Regards,
Rayappan Antoniraj
Take a look at https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING . It states that the username:
Defaults to be the same as the operating system name of the user running the application.
The database name:
Defaults to be the same as the user name.
So it seems a new connection with parameters not set is made.
I'm trying to set up Firebird 2.5 with FlameRobin 0.9.3, installed on Windows 10 64-bit. The .fdb files are on the same disk as the Firebird machine and the FlameRobin program.
I'm trying to connect to the EMPLOYEE.FDB file with FlameRobin and am getting this error.
My settings for this database file below.
I never changed my sysdba password. Is it due to this error ODBC driver?
Edit: I've created a new database on ISQL to try. Username: SYSDBA Password: 31202333
But I am getting same error on FlameRobin.
The error means that your username does not exist (unlikely for SYSDBA), or the password is incorrect*. In Firebird, passwords are system wide, not per database. Check your password (default installations of Firebird on Windows use the password 'masterkey'). Otherwise try resetting the password using gsec.
The fact it might work with ISQL, is that you're using a local path, which may cause ISQL to use Firebird embedded mode, and in embedded mode on Windows, the password is ignored (on the assumption that if you have filesystem access to the database file, you are allowed to open database). I guess that, if instead of 'D:\sq\sample.fdb', you'd use 'localhost:D:\sq\sample.fdb' in ISQL, you would get the same error as in FlameRobin.
*: In Firebird 3 and later it can also mean that the user does not exist for the authentication plugins tried, even though the user may exist for a different authentication plugin.
I am working on an open source application that has PostgreSQL as its default DBMS. Now when I install it on my system, its configuration is so that PostgreSQL also gets installed with it.
My problem is with getting access to the installed PostgreSQL database. The database that gets created during installation is named iviewdb.
I read at many forums that the default superuser is postgres, but when I try to get access to the database using this username through a command prompt, it prompts me for password that I don't have.
I wanted to know from where in the PostgreSQL installation directory the default username and password with the port number to access the database is stored. I have even tried changing the pg_hba.conf file, but that creates a problem with the application and it won't start then.
How can I find the password for this database? I am working in a Windows environment.
The password isn't stored in an easily recoverable manner, and if you change the password, the application may not be able to access the database properly. You may find the password in the application settings or documentation, though.
If you decide to risk changing the postgres user's password, stop the application and PostgreSQL service, and then edit pg_hba.conf. Add (or change if it already exists) a line (if it doesn't exist, add it before any other "host...." lines):
host all all 127.0.0.1/32 trust
And restart the PostgreSQL service. That should give you access from localhost, where you could change the postgres user's password, or add yourself another user with the permissions you want. Then set the pg_hba.conf file back the way it was and restart.
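A check that no `trust` rule is left in pg_hba.conf after a reset like this one, and the same check for the passwordless local logins described in the peer/trust answer further up; this is an added Python example, not part of the original answers. The sample file is constructed, and the parser covers only `local` and `host*` records (include directives and auth options are ignored).

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample pg_hba.conf, not taken from any real server.
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS                  METHOD
local   all       postgres                           peer
local   all       all                                trust
host    all       all       127.0.0.1/32             trust  # reset line left behind
host    appdb     app       10.0.0.0 255.255.255.0   trust
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Return (lineno, type, database, user, address, method) per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments, unquotes
        if len(tok) >= 4 and tok[0] == "local":
            rules.append((lineno, "local", tok[1], tok[2], None, tok[3]))
        elif len(tok) >= 5 and tok[0] in HOST_TYPES:
            addr, m = tok[3], 4
            if len(tok) >= 6 and _is_ip(tok[4]):  # netmask in its own column
                addr, m = f"{tok[3]}/{tok[4]}", 5
            rules.append((lineno, tok[0], tok[1], tok[2], addr, tok[m]))
    return rules

def exposure(kind, addr):
    if kind == "local":
        return "any OS user on this host (Unix socket)"
    try:
        if ipaddress.ip_network(addr, strict=False).is_loopback:
            return "any local process (loopback TCP)"
    except ValueError:  # hostname, 'all', 'samehost', 'samenet'
        pass
    return f"network clients matching {addr}"

def trust_findings(text):
    """Return (lineno, exposure, database, user) for every 'trust' rule."""
    return [(n, exposure(kind, addr), db, user)
            for n, kind, db, user, addr, method in parse_hba(text) if method == "trust"]
```

An empty result from `trust_findings` on the live file confirms that pg_hba.conf was set back the way it was after the password change.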
I've encountered this similar problem, and I noticed that the default being set for PostgreSQL upon installation in my case is as follows:
username = postgres
password = ' '
I am creating an NT Service application which uses an embedded Firebird database. When I configure the service to run as the Administrator account, it works OK. But when I run the service as the default Local System account, I get the error below.
no permission for read/select access to TABLE XXXX
Why is that? I believe there are no system tables etc. in a Firebird single SQL file. And Windows XP doesn't have Linux-like file permissions. Please help.
Regards
J
While the embedded version doesn't authenticate users (doesn't check the username and password against security2.fdb) it still checks the SQL privileges of the user. This means that you still have to grant proper user rights to the username and/or role you're using when accessing the database. It probably worked for the Administrator account because in version 2.1, members of administrative Windows groups were mapped to SYSDBA by default (and thus had all rights on all databases). This changed in version 2.5, you now have to manually configure this (see release notes).