【密码】Oracle用户密码系列
1.1BLOG文档结构图
1.2前言部分
1.2.1导读和注意事项
各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,~O(∩_∩)O~:
①用户的9种状态含义(重点)
②如何解锁账户
③如何修改密码无效状态
⑥11g密码大小写问题
⑦ 11g密码延迟验证
⑧密码复杂性校验
Tips:
①本文在itpub(http://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和微信公众号(xiaomaimiaolhr)上有同步更新。
②文章中用到的所有代码、相关软件、相关资料及本文的pdf版本都请前往小麦苗的云盘下载,小麦苗的云盘地址见:http://blog.itpub.net/26736162/viewspace-1624453/。
本文若有错误或不完善的地方请大家多多指正,您的批评指正是我写作的最大动力。
1.2.2本文简介
客户的一个账户密码过期了,但是客户设置了永不过期,问到我为什么。我当时觉得设置了永不过期那肯定是生效的,只是这个部分的内容忘得差不多了,当时还想到可能是resource_limit这个参数没有设置为TRUE的缘故,后来查了官方文档才知道并不是这个原因。于是下决心把这部分的内容系统学习一下,自己总结的内容分享给大家。
1.3使用profile管理用户口令
Oracle用户的状态是由密码来决定的,而Oracle中的密码是由PROFILE来配置的。PROFILE是口令限制、资源限制的命令集合。当建立数据库时,Oracle会自动建立名称为DEFAULT的PROFILE。当创建用户而没有指定PROFILE选项时,Oracle就会将DEFAULT分配给用户。
通过如下的命令可以查出与密码相关的PROFILE的值:
SELECT*
FROMDBA_PROFILES D
WHERED.PROFILE='DEFAULT'
AND(D.RESOURCE_NAMELIKE'%PASSWORD%'OR
D.RESOURCE_NAME='Failed_LOGIN_ATTEMPTS');
每个参数的含义如下所示:
lFailed_LOGIN_ATTEMPTS设定登录到Oracle数据库时可以失败的次数。一旦某用户尝试登录数据库的达到该值时,该用户的帐户就被锁定,只能由DBA能解锁。
lPASSWORD_LIFE_TIME设定口令的有效时间(天数),一旦超过这一时间,必须重新设口令。缺省为UNLIMITED。
lPASSWORD_REUSE_TIME许多系统不许用户重新启用过去用过的口令。该资源项设定了一个失效口令要经过多少天,用户才可以重新使用该口令,缺省为UNLIMITED。
lPASSWORD_REUSE_MAX重新启用一个先前用过的口令前必须对该口令进行重新设置的次数(重复用的次数)。
lPASSWORD_LOCK_TIME设定帐户被锁定的天数(当登录失败达到Failed_LOGIN_ATTEMPTS时)。
lPASSWORD_GRACE_TIME设定在口令失效前,给予的重新设该口令的宽限天。当口令失效之后回,在登录时会出现警告信息显示该天数。如果没有在宽限天内修改口令,口令将失效。
lPASSWORD_VERITY_FUNCTION该资源项允许调用一个PL/sql来验证口令。Oracle已提供该应用的脚本,为$ORACLE_HOME/rdbms/admin/utlpwdmg.sql。但是,用户可以制定自己的验证脚本。该参数的设定就是PL/sql函数的名称,缺省为NULL。
1.3.1修改密码为永不过期
| SYS@lhrdb> select username,account_status,EXPIRY_DATE,profile from dba_users where username = 'LHRSYS'; USERNAM ACCOUNT_STATUS EXPIRY_DATE PROFILE ------- ------------------------------- ------------------- ------------------------------ LHRSYS OPEN 2016-12-07 15:20:36 TESTPROFILE SYS@lhrdb>alter user lhrsys password expire; User altered. SYS@lhrdb> select username,profile from dba_users where username = 'LHRSYS'; USERNAM ACCOUNT_STATUS EXPIRY_DATE PROFILE ------- ------------------------------- ------------------- ------------------------------ LHRSYS EXPIRED 2016-12-02 16:36:24 TESTPROFILE SYS@lhrdb>ALTER PROFILE TESTPROFILE LIMIT PASSWORD_LIFE_TIME UNLIMITED; Profile altered. SYS@lhrdb> select username,profile from dba_users where username = 'LHRSYS'; USERNAM ACCOUNT_STATUS EXPIRY_DATE PROFILE ------- ------------------------------- ------------------- ------------------------------ LHRSYS EXPIRED2016-12-02 16:36:24TESTPROFILE SYS@lhrdb>SELECT NB.PASSWORD FROM USER$ NB WHERE NB.NAME ='LHRSYS'; PASSWORD ------------------------------ F809740420A44EFC SYS@lhrdb>ALTER USER LHRSYS IDENTIFIED BY VALUES 'F809740420A44EFC'; User altered. SYS@lhrdb> select username,profile from dba_users where username = 'LHRSYS'; USERNAM ACCOUNT_STATUSEXPIRY_DATE PROFILE ------- -------------------------------------------------- ------------------------------ LHRSYS OPEN TESTPROFILE SYS@lhrdb> |
1.3.2ACCOUNT_STATUS的九种状态
| SYS@lhrdb> SELECT * FROM USER_ASTATUS_MAP; STATUS# STATUS ---------- -------------------------------- 0 OPEN 1 EXPIRED 2 EXPIRED(GRACE) 4 LOCKED(TIMED) 8 LOCKED 5 EXPIRED & LOCKED(TIMED) 6 EXPIRED(GRACE) & LOCKED(TIMED) 9 EXPIRED & LOCKED 10 EXPIRED(GRACE) & LOCKED 9 rows selected. |
以上九种可以分为两大类:1.基本状态;2.组合状态。
前五种是基本状态:
0 OPEN
1 EXPIRED
2 EXPIRED(GRACE)
4 LOCKED(TIMED)
8 LOCKED
后四种是组合状态:
5 EXPIRED & LOCKED(TIMED)
6 EXPIRED(GRACE) & LOCKED(TIMED)
9 EXPIRED & LOCKED
10 EXPIRED(GRACE) & LOCKED
规律是这样的:后四种的组合状态可以通过状态号STATUS#获得它是哪两种状态的组合,例如10=2+8(10 EXPIRED(GRACE) & LOCKED = 2 EXPIRED(GRACE) + 8 LOCKED)。因此只要了解基本状态的含义其他便可无师自通。
这五种基本状态又可以分为三类:1.正常状态;2.锁定状态;3.密码过期状态。
1)OPEN表示用户处于正常状态。
2)用户被锁定状态,LOCKED和LOCKED(TIMED)两种状态都属于锁定状态
用户被锁定一般分为两种:一种是DBA显式的通过sql语句对用户进行锁定;另外一种是被动的锁定,例如默认情况下如果密码输入错误超过10次(这个限制是由PROFILE中的Failed_LOGIN_ATTEMPTS控制的,该信息可以通过DBA_PROFILES视图查询),用户将被锁定。
1.3.2.1锁定状态
一、LOCKED
显式锁定LHRSYS用户LOCKED状态演示
SELECTD.USERNAME,
D.ACCOUNT_STATUS,
D.LOCK_DATE,
D.EXPIRY_DATE,
D.PROFILE,
NVL(D.PASSWORD,
(SELECTNB.PASSWORDFROMUSER$ NBWHERENB.NAME=D.USERNAME))PASSWORD
FROMDBA_USERS D
WHERED.USERNAME='LHRSYS';
| SYS@lhrdb>ALTER USER LHRSYS ACCOUNT LOCK; User altered. SYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28000: the account is locked Warning: You are no longer connected to ORACLE. @> conn / as sysdba Connected. SYS@lhrdb> select username,d.lock_date from dba_users d where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS LOCK_DATE ------------------------------ -------------------------------- ------------------- LHRSYSLOCKED 2016-12-02 09:33:50 SYS@lhrdb>ALTER USER LHRSYS ACCOUNT UNLOCK; User altered. SYS@lhrdb> select username,d.lock_date from dba_users d where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS LOCK_DATE ------------------------------ -------------------------------- ------------------- LHRSYS OPEN |
二、LOCKED(TIMED)
输入10次错误密码后被动锁定LOCKED(TIMED)状态演示
| SYS@lhrdb> SELECT * FROM Dba_Profiles d WHERE d.profile='DEFAULT' AND D.resource_name LIKE '%Failed_LOGIN_ATTEMPTS%' ; PROFILE RESOURCE_NAME RESOURCE LIMIT ------------------------------ -------------------------------- -------- ------------------------------- DEFAULT Failed_LOGIN_ATTEMPTS PASSWORD 10 SYS@lhrdb> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied Warning: You are no longer connected to ORACLE. @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-28000: the account is locked<<<<<<<<<------超过10次后用户被锁定 @> CONN / AS SYSDBA Connected. SYS@lhrdb> select username,d.lock_date from dba_users d where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS LOCK_DATE ------------------------------ -------------------------------- ------------------- LHRSYSLOCKED(TIMED) 2016-12-02 09:37:20 SYS@lhrdb> SYS@lhrdb> SYS@lhrdb>ALTER USER LHRSYS ACCOUNT UNLOCK; User altered. SYS@lhrdb> select username,d.lock_date from dba_users d where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS LOCK_DATE ------------------------------ -------------------------------- ------------------- LHRSYS OPEN |
1.3.2.2过期状态
用户密码过期状态,EXPIRED和EXPIRED(GRACE)两种状态都属于密码过期状态。
一、EXPIRED
密码是否过期是通过修改PROFILE中的PASSWORD_LIFE_TIME实现的,密码过期后还可以使用的天数是通过PROFILE中的PASSWORD_GRACE_TIME控制的。
关于密码过期我们也可以使用sql显式的去完成,简单演示一下。
| SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS OPEN SYS@lhrdb> alter user lhrsys password expire; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS EXPIRED 2016-12-01 16:29:01 SYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28001: the password has expired Changing password for lhrsys New password: Retype new password: Password changed Connected. LHRSYS@lhrdb> conn / as sysdba Connected. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS OPEN |
下面通过修改系统的日期来演示:
| SYS@lhrdb> SELECT D.USERNAME, 2 D.ACCOUNT_STATUS, 3 D.LOCK_DATE, 4 D.EXPIRY_DATE, 5 D.PROFILE, 6 NVL(D.PASSWORD, 7 (SELECT NB.PASSWORD FROM USER$ NB WHERE NB.NAME = D.USERNAME)) PASSWORD 8 FROM DBA_USERS D 9 WHERE D.USERNAME = 'LHRSYS'; USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE PROFILE PASSWORD ------------------------------ -------------------------------- ------------------- ------------------- ------------------------------ ------------------------------ LHRSYS OPEN DEFAULT F809740420A44EFC SYS@lhrdb>create profile TESTPROFILE LIMIT password_life_time 5 password_grace_time0;<<<<<<<<<------这里将password_grace_time设置为0 Profile created. SYS@lhrdb>alter user LHRSYS profile TESTPROFILE; User altered. SYS@lhrdb> select username,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS OPEN TESTPROFILE2016-12-07 14:50:36 --修改系统时间 [root@orcltest ~]#date '12071450' Wed Dec 7 14:50:00 CST 2016 [root@orcltest ~]# 系统查询: SYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:50:19 SYS@lhrdb> conn LHRSYS/lhr Connected. LHRSYS@lhrdb> conn LHRSYS/lhr ERROR: ORA-28001: the password has expired Changing password for LHRSYS New password: Password unchanged Warning: You are no longer connected to ORACLE. @> conn / as sysdba Connected. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSEXPIRED TESTPROFILE 2016-12-12 10:36:06 SYS@lhrdb> alter user LHRSYS identified by lhr; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSOPEN TESTPROFILE 2016-12-12 14:52:54 |
二、EXPIRED(GRACE)
当设置了PASSWORD_GRACE_TIME以后,第一次成功登录后到口令到期后有多少天时间可改变口令,在这段时间内,帐户被提醒修改口令并可以正常登陆,account_status显示为EXPIRED(GRACE)。expired(grace)与locked(timed)是由系统的profile来进行控制的。
| SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS OPEN TESTPROFILE2016-12-07 14:09:09 SYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-02 14:09:32 SYS@lhrdb>ALTER PROFILE TESTPROFILE LIMIT password_grace_time 3; Profile altered. SYS@lhrdb> SELECT * 2 FROM DBA_PROFILES D 3 WHERE D.PROFILE = 'TESTPROFILE' 4 AND (D.RESOURCE_NAME LIKE '%PASSWORD%' OR 5 D.RESOURCE_NAME = 'Failed_LOGIN_ATTEMPTS'); PROFILE RESOURCE_NAME RESOURCE LIMIT ------------------------------ -------------------------------- -------- ---------------------------------------- TESTPROFILE Failed_LOGIN_ATTEMPTS PASSWORD DEFAULT TESTPROFILE PASSWORD_LIFE_TIME PASSWORD 5 TESTPROFILE PASSWORD_REUSE_TIME PASSWORD DEFAULT TESTPROFILE PASSWORD_REUSE_MAX PASSWORD DEFAULT TESTPROFILE PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT TESTPROFILE PASSWORD_LOCK_TIME PASSWORD DEFAULT TESTPROFILE PASSWORD_GRACE_TIME PASSWORD 3 7 rows selected. SYS@lhrdb> --修改系统时间 [root@orcltest ~]#date '12071408'<<<<<<<<<------14:09过期,我们设置到14:08分 Wed Dec 7 14:08:00 CST 2016 [root@orcltest ~]# 系统查询: LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:08:03 LHRSYS@lhrdb> conn lhrsys/lhr Connected. LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:09:06 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:09:09 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:09:11<<<<<<<<<------已过了密码有效期 LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSOPEN TESTPROFILE2016-12-07 14:09:09<<<<<<<<<------但该用户的状态未改变,下面尝试第一次登陆 LHRSYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28002: the password will expire within 3 days<<<<<<<<<------第一次登陆后报错,但用户依然可以登陆,且EXPIRY_DATE已经变化 Connected. LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSEXPIRED(GRACE) TESTPROFILE2016-12-10 14:09:34 <<<<<<<<<------再次查询状态,变为了EXPIRED(GRACE) 再次调整日期: [root@orcltest ~]# date '12081430' Thu Dec 8 14:30:00 CST 2016 LHRSYS@lhrdb> LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-08 14:30:12 LHRSYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28002: the password will expire within 2 days<<<<<<<<<------变为了2天 Connected. LHRSYS@lhrdb> 继续更改日期: [root@orcltest ~]# date '12101409' Sat Dec 10 14:09:00 CST 2016 [root@orcltest ~]# 查询: LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-10 14:09:07 LHRSYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28002: the password will expire within 0 days<<<<<<<<<------变为了0天 Connected. LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS EXPIRED(GRACE) TESTPROFILE2016-12-10 14:09:34 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-10 14:09:39<<<<<<<<<------GRACE日期已过 LHRSYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28001: the password has expired Changing password for lhrsys New password: Password unchanged Warning: You are no longer connected to ORACLE. @> conn / as sysdba Connected. SYS@lhrdb> SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSEXPIRED TESTPROFILE 2016-12-10 14:09:34 SYS@lhrdb>alter user LHRSYS identified by lhr; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSOPEN TESTPROFILE2016-12-15 14:13:08 SYS@lhrdb> |
1.3.2.3组合状态
关于四种组合状态的解释
因为锁定的两种状态(LOCKED和LOCKED(TIMED))和密码过期的两种状态(EXPIRED和EXPIRED(GRACE))之间没有关系。因此他们之间可以任意组合,2×2=4,因此有四种组合状态:
5 EXPIRED & LOCKED(TIMED)
6 EXPIRED(GRACE) & LOCKED(TIMED)
9 EXPIRED & LOCKED
10 EXPIRED(GRACE) & LOCKED
一、EXPIRED & LOCKED
EXPIRED & LOCKED状态表示用户密码过期且同时处于锁定状态
| SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS OPEN 2016-12-07 15:02:56 SYS@lhrdb> SYS@lhrdb> alter user lhrsys password expire; User altered. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS EXPIRED 2016-12-02 15:11:12 SYS@lhrdb> alter user lhrsys account lock; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS EXPIRED & LOCKED 2016-12-01 16:51:38 SYS@lhrdb> alter user lhrsys account unlock; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS EXPIRED 2016-12-01 16:51:38 SYS@lhrdb> alter user lhrsys identified by lhr; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS OPEN |
二、EXPIRED & LOCKED(TIMED)
EXPIRED & LOCKED(TIMED)状态表示用户密码过期后,错误密码尝试次数超过PROFILE中的Failed_LOGIN_ATTEMPTS的限制
| SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS OPEN SYS@lhrdb> alter user lhrsys password expire; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE ------------------------------ -------------------------------- ------------------- LHRSYS EXPIRED 2016-12-02 10:07:27 SYS@lhrdb> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied Warning: You are no longer connected to ORACLE. @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> conn / as sysdba Connected. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYSEXPIRED & LOCKED(TIMED) 2016-12-02 10:07:27 2016-12-02 10:09:03 SYS@lhrdb> SYS@lhrdb> alter user lhrsys account unlock; User altered. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS EXPIRED 2016-12-02 10:07:27 SYS@lhrdb> alter user lhrsys identified by lhr; User altered. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS OPEN SYS@lhrdb> |
三、EXPIRED(GRACE) & LOCKED
EXPIRED(GRACE) & LOCKED状态表示用户在密码过期后的有效期内被DBA手工锁定。
| LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS OPEN TESTPROFILE 2016-12-07 14:39:20 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:39:17 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:39:25 LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS OPEN TESTPROFILE 2016-12-07 14:39:20 LHRSYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28002: the password will expire within 3 days Connected. LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS EXPIRED(GRACE) TESTPROFILE 2016-12-10 14:39:54 LHRSYS@lhrdb> alter user lhrsys account lock; User altered. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYSEXPIRED(GRACE) & LOCKED2016-12-10 14:39:542016-12-07 14:40:20 LHRSYS@lhrdb> alter user lhrsys account unlock; User altered. LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYSEXPIRED(GRACE) TESTPROFILE 2016-12-10 14:39:54 LHRSYS@lhrdb> alter user LHRSYS identified by lhr; User altered. LHRSYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS OPEN TESTPROFILE 2016-12-12 14:40:46 LHRSYS@lhrdb> |
四、EXPIRED(GRACE) & LOCKED(TIMED)
EXPIRED(GRACE) & LOCKED(TIMED)状态表示用户在密码过期后的有效期内,失败登录次数超过PROFILE中的Failed_LOGIN_ATTEMPTS的限制。
| SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS OPEN 2016-12-07 14:50:06 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-02 14:50:13 修改系统日期: [root@orcltest ~]# date '12071450' Wed Dec 7 14:50:00 CST 2016 [root@orcltest ~]# 查询: LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:50:03 LHRSYS@lhrdb> select sysdate from dual; SYSDATE ------------------- 2016-12-07 14:50:12 SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS OPEN 2016-12-07 14:50:06 LHRSYS@lhrdb> conn lhrsys/lhr ERROR: ORA-28002: the password will expire within 3 days Connected. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYSEXPIRED(GRACE) 2016-12-10 14:50:21 LHRSYS@lhrdb> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied Warning: You are no longer connected to ORACLE. @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-28000: the account is locked @> conn / as sysdba Connected. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYSEXPIRED(GRACE) & LOCKED(TIMED) 2016-12-10 14:50:212016-12-0714:53:30 SYS@lhrdb> alter user lhrsys account unlock; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS EXPIRED(GRACE) TESTPROFILE 2016-12-10 14:50:21 SYS@lhrdb> alter user LHRSYS identified by lhr; User altered. SYS@lhrdb> select username,EXPIRY_DATE from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS PROFILE EXPIRY_DATE ------------------------------ -------------------------------- ------------------------------ ------------------- LHRSYS OPEN TESTPROFILE 2016-12-1214:55:04 |
1.3.3在不知道用户密码的情况下如何更改密码
在Oracle中,若用户的密码变为锁定状态(LOCKED、LOCKED(TIMED))则DBA直接执行ALTER USER用户名ACCOUNT UNLOCK就可以解锁了。但是,如果用户的状态变成过期状态(EXPIRED、EXPIRED(GRACE)),则DBA必须要更改用户的密码账户才能重新使用。但有些时候,因为各种原因并不知道原密码的明文是什么,这时候可以有如下2种办法来更新密码。
1.3.3.1用原密码的密文来更改密码
在Oracle 10g中,DBA_USERS视图的PASSWORD字段提供了密码的密文形式,而在Oracle 11g中,该字段被弃用了,内容为空,但是在基表USER$中的PASSWORD字段依然有记录密文形式,所以可以通过如下的形式来获取密码的密文形式:
SELECTD.USERNAME,
(SELECTNB.PASSWORDFROMUSER$ NBWHERENB.NAME=D.USERNAME))PASSWORD
FROMDBA_USERS D
WHERED.USERNAME='LHRSYS';
另外,可以通过DBMS_MetaDATA.GET_DDL包或者expdp、exp命令来获取创建用户的语句从而获取密码的密文形式:
| SYS@lhrdb> set long 9999 SYS@lhrdb> SELECT DBMS_MetaDATA.GET_DDL('USER','LHRSYS') DDL_sql FROM DUAL; DDL_sql -------------------------------------------------------------------------------- CREATE USER "LHRSYS" IDENTIFIED BY VALUES 'S:853EA80BAE11F79D6946453F38059E30313FE84C96AE2EE4F3AA35A648BD;F809740420A44EFC' DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" SYS@lhrdb> SYS@lhrdb> |
获取了密码的密文后就可以用如下的命令来修改了,注意:使用密文的命令中多了一个values关键字:
| SYS@lhrdb> SYS@lhrdb>alter user LHRSYS identified by values 'F809740420A44EFC'; User altered. SYS@lhrdb> CONN LHRSYS/lhr@192.168.59.129/lhrdb Connected. LHRSYS@192.168.59.129/lhrdb> conn / as sysdba Connected. SYS@lhrdb>alter user LHRSYS identified by values 'S:853EA80BAE11F79D6946453F38059E30313FE84C96AE2EE4F3AA35A648BD;F809740420A44EFC'; User altered. SYS@lhrdb> CONN LHRSYS/lhr@192.168.59.129/lhrdb Connected. LHRSYS@192.168.59.129/lhrdb> |
这种情况下,虽然我们不知道原密码是什么,但可以用它的密文来更改密码,这样,在不知道原密码的情况下,既保持了密码不改变,又可以把expired的状态更改掉。
在MOS The Impact of PASSWORD_LIFE_TIME Database Profile Parameter Default to 180 Days on Network Charging and Control (文档ID 1543668.1)中搜到了如下的命令也可以直接获取密码:
SELECTsqlTEXT
FROM(SELECTNAME,
'alter user '||NAME||' identified by values '''||
PASSWORD||''';'sqlTEXT
FROMUSER$
WHERESPARE4ISNULL
ANDPASSWORdisNOTNULL
UNION
SELECTNAME,
'alter user '||NAME||' identified by values '''||SPARE4||';'||
PASSWORD||''';'sqlTEXT
FROMUSER$
WHERESPARE4ISNOTNULL
ANDPASSWORdisNOTNULL)
WHERENAME='LHRSYS';
| SYS@lhrdb> SELECT sqlTEXT 2 FROM (SELECT NAME, 3 'alter user ' || NAME || ' identified by values ''' || 4 PASSWORD || ''';' sqlTEXT 5 FROM USER$ 6 WHERE SPARE4 IS NULL 7 AND PASSWORD IS NOT NULL 8 UNION 9 SELECT NAME, 10 'alter user ' || NAME || ' identified by values ''' || SPARE4 || ';' || 11 PASSWORD || ''';' sqlTEXT 12 FROM USER$ 13 WHERE SPARE4 IS NOT NULL 14 AND PASSWORD IS NOT NULL) 15 WHERE NAME = 'LHRSYS'; sqlTEXT ------------------------------------------ alter user LHRSYS identified by values 'S:853EA80BAE11F79D6946453F38059E30313FE84C96AE2EE4F3AA35A648BD;F809740420A44EFC'; |
1.3.3.2直接更新USER$基表
不管用户的状态是什么,通过更新USER$表可以让用户处于OPEN状态:
| SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS EXPIRED 2016-12-02 10:40:09 SYS@lhrdb>UPDATE USER$ SET ASTATUS=0 WHERE NAME='LHRSYS'; 1 row updated. SYS@lhrdb>commit;<<<<<<<<<------及时提交 Commit complete. SYS@lhrdb> select username,lock_date from dba_users where username = 'LHRSYS'; USERNAME ACCOUNT_STATUS EXPIRY_DATE LOCK_DATE ------------------------------ -------------------------------- ------------------- ------------------- LHRSYS OPEN SYS@lhrdb> |
1.3.4user$.lCOUNT列记录了失败的登陆次数
登录失败,lcount加1;只要成功登录后,lcount栏位就会置0。
| SYS@lhrdb> select NAME,LCOUNT from user$ a WHERE a.NAME='LHRSYS'; NAME LCOUNT ------------------------------ ---------- LHRSYS 0 SYS@lhrdb> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied Warning: You are no longer connected to ORACLE. @> CONN LHRSYS/XXXX@192.168.59.129/lhrdb ERROR: ORA-01017: invalid username/password; logon denied @> conn / as sysdba Connected. SYS@lhrdb> select NAME,LCOUNT from user$ a WHERE a.NAME='LHRSYS'; NAME LCOUNT ------------------------------ ---------- LHRSYS 2 SYS@lhrdb> SYS@lhrdb> CONN LHRSYS/lhr Connected. LHRSYS@lhrdb> conn / as sysdba Connected. SYS@lhrdb> select NAME,LCOUNT from user$ a WHERE a.NAME='LHRSYS'; NAME LCOUNT ------------------------------ ---------- LHRSYS 0 SYS@lhrdb> |
另外,审计表也记录了登陆失败的信息:
SELECTd.username,d.timestamp,d.action_name,d.os_username,d.terminal
FROMDBA_AUDIT_TRAIL D
WHERED.RETURNCODE=1017
ANDD.USERNAME='LHRSYS'
ORDERBYd.timestampDESC;
1.3.511g密码区分大小写--sec_case_sensitive_logon
| Property |
Description |
| Parameter type |
Boolean |
| Default value |
true |
| Modifiable |
ALTER SYstem |
| Range of values |
true | false |
| Basic |
No |
从Oracle 11g开始,密码区分大小写,采用参数sec_case_sensitive_logon控制,该参数默认为TRUE。
SEC_CASE_SENSITIVE_logoN enables or disables password case sensitivity in the database.
Values:
true:Database logon passwords are case sensitive.
false:Database logon passwords are not case sensitive.
1.3.6密码延迟验证
从11g开始,如果一个用户使用不正确的密码尝试登录数据库,那么随着登录失败次数的增加,每次登录验证前延迟等待的时间也会增加。
通过设置EVENTS 28401可以屏蔽密码延迟验证:
| sql> ALTER SYstem SET EVENT = '28401 TRACE NAME CONTEXT FOREVER,LEVEL 1' ScopE = SPFILE; |
设置该事件后重启数据库即可。
| [oracle@orcltest ~]$ oerr ora 28401 28401,00000,"Event to disable delay after three Failed login attempts" // *Document: NO // *Cause: N/A // *Action: Set this event in your environment to disable the login delay // which will otherwise take place after three Failed login attempts. // *Note: THIS IS NOT A USER ERROR NUMBER/MESSAGE. THIS DOES NOT NEED TO BE // TRANSLATED OR DOCUMENTED. [oracle@orcltest ~]$ |
1.3.7哪些用户密码没有被修改过
Oracle在11g中对于安全方面进行了很大的改进,比如增加了密码大小写验证,增加了密码复杂度的验证等等。在Oracle 11g中还提供了一个视图DBA_USERS_WITH_DEFPWD用来指出那些用户的密码没有被修改过,仍然是数据库默认密码。Oracle并不是简单的监测是否密码被修改,而是检查密码是否修改为别的值,如果新密码和旧密码保持一致,那么即使密码被修改,这个用户仍然在DBA_USERS_WITH_DEFPWD视图中。
SELECT*FROMDBA_USERS_WITH_DEFPWD;
1.3.8密码复杂性校验
脚本位置:$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
| [oracle@orcltest ~]$ ll $ORACLE_HOME/rdbms/admin/utlpwdmg.sql -rw-r--r-- 1 oracle oinstall 11555 Aug 13 2006 /u02/app/oracle/product/11.2.0/dbhome_1/rdbms/admin/utlpwdmg.sql [oracle@orcltest ~]$ SYS@lhrdb> @?/rdbms/admin/utlpwdmg.sql Function created. Profile altered. Function created. SYS@lhrdb> |
该脚本中有如下的一段:
| ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 180 PASSWORD_GRACE_TIME 7 PASSWORD_REUSE_TIME UNLIMITED PASSWORD_REUSE_MAX UNLIMITED Failed_LOGIN_ATTEMPTS 10 PASSWORD_LOCK_TIME 1 PASSWORD_VERIFY_FUNCTION verify_function_11G; |
更改之后查看:
| SYS@lhrdb> SELECT * FROM Dba_Profiles d WHERE d.profile='DEFAULT'; PROFILE RESOURCE_NAME RESOURCE LIMIT ------------------------------ -------------------------------- -------- ---------------------------------------- DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED DEFAULT cpu_PER_SESSION KERNEL UNLIMITED DEFAULT cpu_PER_CALL KERNEL UNLIMITED DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED DEFAULT LOGICAL_READS_PER_CALL KERNEL UNLIMITED DEFAULT IDLE_TIME KERNEL UNLIMITED DEFAULT CONNECT_TIME KERNEL UNLIMITED DEFAULT PRIVATE_SGA KERNEL UNLIMITED DEFAULT Failed_LOGIN_ATTEMPTS PASSWORD 10 DEFAULT PASSWORD_LIFE_TIME PASSWORD 180 DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD VERIFY_FUNCTION_11G DEFAULT PASSWORD_LOCK_TIME PASSWORD 1 DEFAULT PASSWORD_GRACE_TIME PASSWORD 7 16 rows selected. SYS@lhrdb> create user lhrpwd identified by lhr; create user lhrpwd identified by lhr * ERROR at line 1: ORA-28003: password verification for the specified password Failed ORA-20001: Password length less than 8 SYS@lhrdb> SYS@lhrdb>alter profile default limit PASSWORD_VERIFY_FUNCTION null;<<<<<<<<<------取消复杂性验证 Profile altered. SYS@lhrdb> create user lhrpwd identified by lhr; User created. SYS@lhrdb>alter profile default limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G;<<<<<<<------启用密码复杂性验证 Profile altered. SYS@lhrdb> |
1.3.9resource_limit
官方文档资料:
To create a profile,you must have the CREATE PROFILE system privilege.
To specify resource limits for a user,you must:
?Enable resource limits dynamically with the ALTER SYstem statement or with the initialization parameter RESOURCE_LIMIT.This parameter does not apply to password resources. Password resources are always enabled.
?Create a profile that defines the limits using the CREATE PROFILE statement
?Assign the profile to the user using the CREATE USER or ALTER USER statement
1)用户所有拥有的PROFILE中有关密码的限制永远生效,不受限制。 2)用户所有拥有的PROFILE中有关资源的限制与resource_limit参数的设置有关,当为TRUE时生效,当为FALSE时(默认值是FALSE)无效。
