yangyiqian
- 浏览: 114330 次
- 来自: ...
-
文章分类
最新评论
-
x影千绝:
...
JDBC addbatch批量处理数据时有最大值限制 -
hunnuxiaobo:
为什么呢?
JDBC addbatch批量处理数据时有最大值限制 -
天涯海角tour:
是啊? 我在7.1下就装不上jbpm4.4,按你这着方法
MyEclipse7.1插件安装 -
t8500071:
原来exec后是子进程,怪不得我怎么看都不像是一个完全独立的进 ...
Java的多进程运行模式分析 -
海阔天空love:
很实用 。。。能给个例子吗?
现有的Web打印控制技术分成几种方案
永久链接: http://www.oracleblog.cn/working-case/oracle-of-competence-login-problems-sysdba/
最近的时间,在搞数据库的安全加固问题,关于数据库中关于sysdba权限的登录,通过最近的一些实践和测试,在这里记录一下:
数据库用sysdba登录的验证有两种方式,一种是通过os认证,一种是通过密码文件验证;登录方式有两种,一种是在数据库主机直接登录(用os认证的方式),一种是通过网络远程登录;需要设置的参数有两个,一个是SQLNET.AUTHENTICATION_SERVICES,一个是 REMOTE_LOGIN_PASSWORDFILE。
os认证:如果启用了os认证,以sysdba登录,那么我们只要用oracle软件的安装用户就能登录:sqlplus “/ as sysdba”。如果我们要禁用os认证,只利用密码文件登录,我们首先要有一个密码文件:
D:\oracle\ora92\database>orapwd file=PWDoralocal.ora password=mypassword entries=10;
D:\oracle\ora92\database>
然后我们要把$ORACLE_HOME/network/admin/sqlnet.ora中设置:
SQLNET.AUTHENTICATION_SERVICES= none
注意一下,密码文件只在数据库启动的时候加载进去,一旦加载进去,密码文件就脱离了oracle管理,所以我们用orapwd新建密码文件后,里面指定的密码要在数据重启后才能生效:
D:\oracle\ora92\database>sqlplus "sys/mypassword as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 21:59:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
### 这里我们通过改SQLNET.AUTHENTICATION_SERVICES= (NTS)用os认证登录数据库:
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> startup
ORACLE instance started.
Total System Global Area 135338868 bytes
Fixed Size 453492 bytes
Variable Size 109051904 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
### 我们把SQLNET.AUTHENTICATION_SERVICES= (NTS)改回去。
D:\oracle\ora92\database>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:03:59 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus "sys/mypassword as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:04:07 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> exit
在这里,我们看到这个新改的密码要数据库重启后加载才生效。同时我们看到,用os认证是无法登录的,但是通过网络(用@sid)是可以登录。
D:\oracle\ora92\database>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:58:32 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus "sys/mypassword as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:15 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:\oracle\ora92\database>sqlplus "sys/mypassword@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:38 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
至此,我们已经实现不用os认证(sqlplus “/ as sysdba”的方式登录不了)。那么我们怎么限制网络方面利用sysdba远程登录呢?我们可以设置初始化文件中的REMOTE_LOGIN_PASSWORDFILE=none。
注意,当REMOTE_LOGIN_PASSWORDFILE=none时,这个参数生效需要重启数据库,并且,一旦启用这个参数,将使用操作系统认证,不使用口令文件。因此如果REMOTE_LOGIN_PASSWORDFILE=none且 SQLNET.AUTHENTICATION_SERVICES= none这个时候数据库是无法登录的。
D:\oracle\ora92\database>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 01:28:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> show parameter remote_login
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
sys@ORALOCAL(192.168.50.29)> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
Elapsed: 00:00:00.01
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)> startup
ORA-01031: insufficient privileges
sys@ORALOCAL(192.168.50.29)>exit
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:43 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:53 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:27:03 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
这里我们看到由于启用了REMOTE_LOGIN_PASSWORDFILE=none,使用os认证,不用密码文件认证,必须将 SQLNET.AUTHENTICATION_SERVICES= none取消,不然是无法登录。我们改成SQLNET.AUTHENTICATION_SERVICES= (NTS)后再次测试。
### 非oracle软件安装软件用户:###
C:\Documents and Settings\hejianmin>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:30 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
### oracle 软件安装用户 ####
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中断开
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:33 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中断开
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:45 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中断开
C:\Documents and Settings\Administrator>sqlplus "11/22 as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)>
在这里我们看到由于用了os认证,在oracle安装用户下,无论用什么方式都能登录。非oracle用户无论用什么用户都无法登录。
如果REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none时:
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:30:57 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:31:04 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>
总结:
(1)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”无法登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”无法登录
(2)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”能登录
(3)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安装用户本地sqlplus “/ as sysdba”能登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”无法登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”无法登录
(4)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安装用户本地sqlplus “/ as sysdba”能登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”能登录
最近的时间,在搞数据库的安全加固问题,关于数据库中关于sysdba权限的登录,通过最近的一些实践和测试,在这里记录一下:
数据库用sysdba登录的验证有两种方式,一种是通过os认证,一种是通过密码文件验证;登录方式有两种,一种是在数据库主机直接登录(用os认证的方式),一种是通过网络远程登录;需要设置的参数有两个,一个是SQLNET.AUTHENTICATION_SERVICES,一个是 REMOTE_LOGIN_PASSWORDFILE。
os认证:如果启用了os认证,以sysdba登录,那么我们只要用oracle软件的安装用户就能登录:sqlplus “/ as sysdba”。如果我们要禁用os认证,只利用密码文件登录,我们首先要有一个密码文件:
D:\oracle\ora92\database>orapwd file=PWDoralocal.ora password=mypassword entries=10;
D:\oracle\ora92\database>
然后我们要把$ORACLE_HOME/network/admin/sqlnet.ora中设置:
SQLNET.AUTHENTICATION_SERVICES= none
注意一下,密码文件只在数据库启动的时候加载进去,一旦加载进去,密码文件就脱离了oracle管理,所以我们用orapwd新建密码文件后,里面指定的密码要在数据重启后才能生效:
D:\oracle\ora92\database>sqlplus "sys/mypassword as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 21:59:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
### 这里我们通过改SQLNET.AUTHENTICATION_SERVICES= (NTS)用os认证登录数据库:
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> startup
ORACLE instance started.
Total System Global Area 135338868 bytes
Fixed Size 453492 bytes
Variable Size 109051904 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
### 我们把SQLNET.AUTHENTICATION_SERVICES= (NTS)改回去。
D:\oracle\ora92\database>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:03:59 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus "sys/mypassword as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:04:07 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> exit
在这里,我们看到这个新改的密码要数据库重启后加载才生效。同时我们看到,用os认证是无法登录的,但是通过网络(用@sid)是可以登录。
D:\oracle\ora92\database>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:58:32 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus "sys/mypassword as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:15 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:\oracle\ora92\database>sqlplus "sys/mypassword@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:38 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
至此,我们已经实现不用os认证(sqlplus “/ as sysdba”的方式登录不了)。那么我们怎么限制网络方面利用sysdba远程登录呢?我们可以设置初始化文件中的REMOTE_LOGIN_PASSWORDFILE=none。
注意,当REMOTE_LOGIN_PASSWORDFILE=none时,这个参数生效需要重启数据库,并且,一旦启用这个参数,将使用操作系统认证,不使用口令文件。因此如果REMOTE_LOGIN_PASSWORDFILE=none且 SQLNET.AUTHENTICATION_SERVICES= none这个时候数据库是无法登录的。
D:\oracle\ora92\database>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 01:28:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> show parameter remote_login
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
sys@ORALOCAL(192.168.50.29)> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
Elapsed: 00:00:00.01
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)> startup
ORA-01031: insufficient privileges
sys@ORALOCAL(192.168.50.29)>exit
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:43 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:53 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:27:03 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
这里我们看到由于启用了REMOTE_LOGIN_PASSWORDFILE=none,使用os认证,不用密码文件认证,必须将 SQLNET.AUTHENTICATION_SERVICES= none取消,不然是无法登录。我们改成SQLNET.AUTHENTICATION_SERVICES= (NTS)后再次测试。
### 非oracle软件安装软件用户:###
C:\Documents and Settings\hejianmin>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:30 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\hejianmin>
### oracle 软件安装用户 ####
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中断开
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:33 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中断开
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install@oralocal as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:45 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中断开
C:\Documents and Settings\Administrator>sqlplus "11/22 as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)>
在这里我们看到由于用了os认证,在oracle安装用户下,无论用什么方式都能登录。非oracle用户无论用什么用户都无法登录。
如果REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none时:
C:\Documents and Settings\Administrator>sqlplus "sys/change_on_install as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:30:57 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:31:04 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>
总结:
(1)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”无法登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”无法登录
(2)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”能登录
(3)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安装用户本地sqlplus “/ as sysdba”能登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”无法登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”无法登录
(4)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安装用户本地sqlplus “/ as sysdba”能登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “/ as sysdba_on_install@sid as sysdba”能登录
分享到:
发表评论
-
转:oracle按拼音排序
2011-01-21 11:12 1724http://tjbmx0987.iteye.com/blog ... -
ORACLE安装过程要点记录
2009-11-17 20:40 8781.oracle 的dba帐号权限,默认是为本机访问,对远程用 ... -
could not open parameter file initOrcl.ora
2009-11-17 15:33 3129could not open parameter file i ... -
Oracle安装中的DHCP问题
2009-11-17 11:25 3590关键字: oracle Oracle安装中的DHCP问题 h ... -
判断所要删除的表是否存在的PL/SQL脚本
2008-03-16 01:22 4509我们在ORACLE数据库中创建表的时候,对于已经存在的表,我们 ...
相关推荐
【sys】 所有oracle的数据字典的基表和视图都存放在sys用户中,这些基表和视图对于oracle的运行是至关重要的,由数据库自己维护,任何用户都...sys用户拥有dba,sysdba,sysoper等角色或权限,是oracle权限最高的用户。
1查看所有用户 2查看用户或角色系统权限(直接赋值给用户或角色的系统权限) 3查看角色(只能查看...查看哪些用户有sysdba或sysoper系统权限(查询时需要相应权限) 8 查看oracle提供的系统权限9 查看一个用户的所有系统权限
主要介绍了解决windows10下"sqlplus / as sysdba"执行提示无权限问题,在文中给大家介绍了Windows下sqlplus “/as sysdba”登陆报“ORA-01031: insufficient privileges”处理方法,感兴趣的朋友跟随脚本之家小编...
要启动和关闭数据库,必须要以具有Oracle 管理员权限的用户登陆,通常也就是以具有SYSDBA权限的用户登陆。一般我们常用INTERNAL用户来启动和关闭数据库(INTERNAL用户实际上 是SYS用户以SYSDBA连接的同义词)。...
权限: create session create table unlimited tablespace connect resource dba 例: #sqlplus /nolog SQL> conn / as sysdba; SQL>create user username identified by password ...
查看oracle数据库的连接数以及用户 1、查询oracle的连接数 2、查询oracle的并发连接数 ... 10、查看哪些用户有sysdba或sysoper系统权限(查询时需要相应权限) 查看数据库锁定进程 杀掉锁定进程
在oracle服务器,可以直接通过操作系统权限认证,使用sysdba方式登陆,前提是你可以登入服务器,并且拥有此权限。 oracle@e871d42341c0:~$ id uid=1000(oracle) gid=1000(dba) groups=1000(dba) oracle@e87
每个 Oracle数据库对应唯一的一个实例名SID,Oracle数据库服务器启动后,一般至少有以下几个用户:Internal,它不是一个真实的用户名,而是具有SYSDBA优先级的Sys用户的别名,它由DBA用户使用来完成数据库的管理任务...
解决PL-sql里面system只能以sysdba身份登录,不能以normal身份登录
Statspack是一款功能强大的,免费的,oracle自带的性能分析工具。需要用具有sysdba权限的用户登陆进行安装。
【 system 】用户只能用 normal 身份登陆 em ,除非你对它授予了 sysdba 的系统权限(grant sysdba to system)或者 sysoper 系统权限。 【 sys 】用户具有 “SYSDBA” 或者 “SYSOPER” 系统权限,登陆 em 也只能用...
每个 Oracle数据库对应唯一的一个实例名SID,Oracle数据库服务器启动后,一般至少有以下几个用户:Internal,它不是一个真实的用户名,而是具有SYSDBA优先级的Sys用户的别名,它由DBA用户使用来完成数据库的管理任务...
1)sys用户是超级用户,具有最高权限,具有sysdba角色,有create database的权限,该用户默认的密码是sys。登录语句:SQL> conn sys/sys as sysdba; 2)system用户是管理操作员,权限也很大。具有sysoper角色,没有...
要启动和关闭数据库,必须要以具有Oracle 管理员权限的用户登陆,通常也就是以具有SYSDBA权限的用户登陆。
在开始学 Oracle 的时候有件事一直让我感觉很奇怪,就是为什么在数据没有起来的时候只要登录到安装Oracle 的操作系统中直接用sqlplus / as sysdba 就能登陆到数据库中然后对数据库进行启动停止之类的操作。...
(其他用户以此类推) 解决方法: 以dba用户登录 [sql] 代码如下: sqlplus / as sysdba 赋予scott用户创建VIEW的权限 [sql] 代码如下: grant create view to scott 以scott用户登录oracle [sql] 代码如下: conn ...
给一个用户赋权限(connect登陆,dba管理员,resource建表)使用命令grant,回收权限使用命令revoke. 为了给讲清楚用户管理,给大家举一个案例。 案例: 新建一个用户lady 并给该用户赋可登陆可创建表 Sql>create ...
1)最重要的区别,存储的数据的重要性不同 【sys】 所有oracle的数据字典的基表和视图都存放在sys用户中,...【system】用户只能用normal身份登陆em,除非你对它授予了sysdba的系统权限或者syspoer系统权限。 【sys】用
为了以 SYSDBA 和 SYSOPER 身份进行访问而设置 iSQL*Plus 4-10 使用 SQL*Plus 4-12 从 Shell 脚本调用 SQL*Plus 4-13 从 SQL*Plus 调用 SQL 脚本 4-14 初始化参数文件 4-15 简化初始化参数 4-16 查看和修改...
(1)sys用户是超级用户,具有最高权限,具有sysdba角色,有create database的权限,该用户默认的密码是change_on_install (2)system用户是管理操作员,权限也很大。具有sysoper角色,没有create database的权限...