Notes on SYSDBA login authentication in Oracle databases
A SYSDBA login can be authenticated in two ways: through OS authentication or through the password file. There are also two ways of logging in: directly on the database host (using OS authentication) or remotely over the network. Two parameters control this: SQLNET.AUTHENTICATION_SERVICES and REMOTE_LOGIN_PASSWORDFILE.
OS authentication: if OS authentication is enabled, logging in as SYSDBA only requires running as the OS user that installed the Oracle software: sqlplus "/ as sysdba". If we want to disable OS authentication and allow login only through the password file, we first need a password file:
D:\oracle\ora92\database>orapwd file=PWDoralocal.ora password=mypassword entries=10;
D:\oracle\ora92\database>
Then we set the following in $ORACLE_HOME/network/admin/sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES= none
Note that the password file is read only when the database instance starts; once it has been loaded, Oracle does not re-read the file, so after you create a new password file with orapwd, the password it contains only takes effect after the database is restarted:
D:\oracle\ora92\database>sqlplus 'sys/mypassword as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 21:59:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
### Here we change SQLNET.AUTHENTICATION_SERVICES to (NTS), log in with OS authentication and restart the database:
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> startup
ORACLE instance started.
Total System Global Area 135338868 bytes
Fixed Size 453492 bytes
Variable Size 109051904 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
### We change SQLNET.AUTHENTICATION_SERVICES= (NTS) back to none.
D:\oracle\ora92\database>sqlplus '/ as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:03:59 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus 'sys/mypassword as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:04:07 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> exit
Here we see that the newly set password only takes effect after it is loaded at a database restart. We also see that login through OS authentication fails, while login over the network (using @sid) succeeds.
D:\oracle\ora92\database>sqlplus '/ as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:58:32 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus 'sys/mypassword as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:15 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:\oracle\ora92\database>sqlplus 'sys/mypassword@oralocal as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:38 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
At this point we have eliminated OS authentication (login with sqlplus "/ as sysdba" is no longer possible). So how do we restrict remote SYSDBA login over the network? We can set REMOTE_LOGIN_PASSWORDFILE=none in the initialization parameter file.
Note that a change to REMOTE_LOGIN_PASSWORDFILE=none only takes effect after a database restart, and once it is in effect the instance relies on OS authentication and does not use the password file. Consequently, if REMOTE_LOGIN_PASSWORDFILE=none and SQLNET.AUTHENTICATION_SERVICES= none are set at the same time, nobody can log in to the database at all.
[coolcode lang="sql" linenum="off"]
D:\oracle\ora92\database>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 01:28:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> show parameter remote_login
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      EXCLUSIVE
sys@ORALOCAL(192.168.50.29)> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
Elapsed: 00:00:00.01
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)> startup
ORA-01031: insufficient privileges
sys@ORALOCAL(192.168.50.29)>exit
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:43 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:53 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:27:03 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
[/coolcode]
Here we see that because REMOTE_LOGIN_PASSWORDFILE=none is in effect, the instance uses OS authentication rather than the password file, so SQLNET.AUTHENTICATION_SERVICES= none must be removed, otherwise no login is possible. We change it to SQLNET.AUTHENTICATION_SERVICES= (NTS) and test again.
[coolcode lang="sql" linenum="off"]
### OS user that is not the Oracle software install user: ###
C:\Documents and Settings\hejianmin>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:30 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
### Oracle software install user ###
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
從Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中斷開
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:33 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
從Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中斷開
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:45 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
從Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中斷開
C:\Documents and Settings\Administrator>sqlplus "11/22 as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)>
[/coolcode]
在這里我們看到由于用了os認證,在oracle安裝用戶下,無論用什么方式都能登錄。非oracle用戶無論用什么用戶都無法登錄。
如果REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none時:
[coolcode lang=”sql” linenum=”off”]
C:Documents and SettingsAdministrator>sqlplus “sys/change_on_install as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:30:57 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:31:04 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>
[/coolcode]
Conclusions:
(1) REMOTE_LOGIN_PASSWORDFILE=none and SQLNET.AUTHENTICATION_SERVICES= none:
Oracle install user, local sqlplus "/ as sysdba": cannot log in
Non-install user, local sqlplus "sys/change_on_install as sysdba": cannot log in
Non-install user, remote sqlplus "sys/change_on_install@sid as sysdba": cannot log in
(2) REMOTE_LOGIN_PASSWORDFILE=exclusive and SQLNET.AUTHENTICATION_SERVICES= none:
Oracle install user, local sqlplus "/ as sysdba": cannot log in
Non-install user, local sqlplus "sys/change_on_install as sysdba": can log in
Non-install user, remote sqlplus "sys/change_on_install@sid as sysdba": can log in
(3) REMOTE_LOGIN_PASSWORDFILE=none and SQLNET.AUTHENTICATION_SERVICES= (NTS):
Oracle install user, local sqlplus "/ as sysdba": can log in
Non-install user, local sqlplus "sys/change_on_install as sysdba": cannot log in
Non-install user, remote sqlplus "sys/change_on_install@sid as sysdba": cannot log in
(4) REMOTE_LOGIN_PASSWORDFILE=exclusive and SQLNET.AUTHENTICATION_SERVICES= (NTS):
Oracle install user, local sqlplus "/ as sysdba": can log in
Non-install user, local sqlplus "sys/change_on_install as sysdba": can log in
Non-install user, remote sqlplus "sys/change_on_install@sid as sysdba": can log in
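The two rules the post establishes (OS authentication is available only while SQLNET.AUTHENTICATION_SERVICES does not contain NONE; password-file login, local or via @sid, works only while REMOTE_LOGIN_PASSWORDFILE is EXCLUSIVE or SHARED) can be turned into a small configuration audit that reproduces the four-case matrix above and flags the none/none lockout the post ran into. The script below is an added example written for this page, not code from the original post or from Oracle: it parses a sqlnet.ora fragment and the output of `show parameter remote_login`, derives which SYSDBA login paths are open, and reports findings. The sample inputs are constructed; treating an absent SQLNET.AUTHENTICATION_SERVICES as "OS authentication available" is this script's own assumption, and NTS is the Windows value the post uses.

```python
import re

# Constructed sample inputs (not taken from the original post's own files):
# a sqlnet.ora fragment and the output of "show parameter remote_login".
SAMPLE_SQLNET_ORA = """\
# constructed sqlnet.ora sample
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
"""

SAMPLE_SHOW_PARAMETER = """\
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      EXCLUSIVE
"""


def parse_auth_services(sqlnet_text):
    """Return the values listed in SQLNET.AUTHENTICATION_SERVICES, upper-cased.

    Accepts both the bare form 'none' and the bracketed form '(NTS)' or
    '(NTS, NONE)'. Returns [] when the parameter is absent.
    """
    for raw in sqlnet_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)]*)\)?", line, re.I)
        if m:
            return [v.strip().upper() for v in m.group(1).split(",") if v.strip()]
    return []


def parse_remote_login_passwordfile(show_parameter_text):
    """Pull the VALUE column out of SQL*Plus 'show parameter remote_login' output.

    Oracle's documented default for this parameter is EXCLUSIVE, which is
    returned when the row is not present.
    """
    m = re.search(r"remote_login_passwordfile\s+\S+\s+(\S+)", show_parameter_text, re.I)
    return m.group(1).upper() if m else "EXCLUSIVE"


def evaluate_sysdba_access(auth_services, remote_login_passwordfile):
    """Apply the two rules demonstrated in the post and return one flag per login path.

    Assumption of this script: an absent SQLNET.AUTHENTICATION_SERVICES
    (empty list) is treated as OS authentication being available.
    """
    os_auth = "NONE" not in auth_services
    password_file = remote_login_passwordfile in ("EXCLUSIVE", "SHARED")
    return {
        "install_user_local_os_auth": os_auth,          # sqlplus "/ as sysdba"
        "non_install_user_local_password": password_file,  # sqlplus "sys/pw as sysdba"
        "remote_password": password_file,               # sqlplus "sys/pw@sid as sysdba"
        "everyone_locked_out": not os_auth and not password_file,
    }


def audit(sqlnet_text, show_parameter_text):
    """Return a list of human-readable findings for the given configuration."""
    services = parse_auth_services(sqlnet_text)
    rlp = parse_remote_login_passwordfile(show_parameter_text)
    access = evaluate_sysdba_access(services, rlp)
    findings = []
    if access["everyone_locked_out"]:
        findings.append("CRITICAL: REMOTE_LOGIN_PASSWORDFILE=NONE together with "
                        "SQLNET.AUTHENTICATION_SERVICES=NONE leaves no SYSDBA login path; "
                        "after the next shutdown the instance cannot be started again.")
    if access["remote_password"]:
        findings.append("INFO: the password file is active, so SYSDBA is reachable over "
                        "the network with the SYS password; keep the file's permissions "
                        "tight and the password strong.")
    if access["install_user_local_os_auth"]:
        findings.append("INFO: OS authentication is on; the Oracle install account connects "
                        "as SYSDBA regardless of the password typed, so protect that account.")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SQLNET_ORA, SAMPLE_SHOW_PARAMETER):
        print(finding)
```

Feed `audit()` the real sqlnet.ora text and the captured `show parameter remote_login` output from a host to get the same verdict the post reached by trial and error, without having to restart the instance to find out.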
