About SQLNET.AUTHENTICATION_SERVICES: a description of the authentication methods

Source: Internet
Author: User

Today, during a routine inspection at a customer site, the customer asked to change the sys/system passwords to improve database security, and to replace the default operating system authentication with database authentication. Here I summarize these two authentication methods.




Operating system authentication means accessing the database through the privileges of the operating system account. For example, if you already have system administrator (Administrator) privileges on Windows and use this method, you can connect without entering a user name and password, for example: sqlplus / as sysdba. Even an arbitrary user name and password is accepted, for example: sqlplus ABC/EFG as sysdba.


C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:02:25 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.




Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


Sql> exit
From Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options Disconnect


C:\Documents and Settings\administrator>sqlplus ABC/EFG as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:02:33 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.




Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


Sql>


Of course, this applies only to the SYS user. Other users, even SYSTEM, must enter a user name and password to access the database.


C:\Documents and Settings\administrator>Sqlplus system/123456


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:05:07 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


ERROR:
ora-01017:username/password is invalid; Login is denied




Please enter username:


In my environment, the default password of both the SYS and SYSTEM users is "Oracle". The password of the database SYS user is stored in PWD<sid>.ora (on Unix/Linux, in orapw<sid>). To find out whether the SYS user has a password, you can run the following query:
SQL> SELECT * FROM v$pwfile_users;


USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE


Clearly, accessing the database through operating system authentication is still a security risk. In large companies the SA and DBA roles are usually managed separately, and it is not appropriate for the SA to gain access to the database just because operating system authentication is in use. In that scenario we can use database authentication, so that the SYS user must enter the correct user name and password to access the database. An SA who does not have the DBA's SYS password will then be unable to access the database.


On Windows, the authentication mechanism is controlled through the sqlnet.ora file. This file is generated when you have finished installing the database and created the listener with NETCA. The default content is usually the following:
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.


SQLNET.AUTHENTICATION_SERVICES = (NTS)


That is, the default is operating system authentication. Perhaps Oracle's reasoning is that whoever has SA privileges already has the highest system privileges, so the database's SYS user no longer needs to verify a password.


If it is set to (NONE), database authentication is used. It can also be set to (NONE,NTS), but that makes little sense: as long as NTS appears in the parentheses, operating system authentication is used, and NONE has no practical effect.


Note that some articles say it can be set to (ALL), but in my own test, setting it to (ALL) produces an error:
C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:26:06 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


ERROR:
ORA-12641: Validation Service failed to initialize


Please enter username:


The documentation describes the parameter as follows:
Use the parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services.
If authentication has been installed, it is recommended that this parameter be set to either none or to one of the authentication methods.

NONE for no authentication methods. A valid username and password can be used to access the database.
ALL for all authentication methods.
NTS for Windows NT native authentication (an authentication method that enables a client single login access to a Windows NT server and a database running on the server).


Even though the documentation mentions ALL, in my own test it did not work. This may depend on the version; my version is 10.2.0.1 on Windows 32-bit.


-- Log in after changing to (NONE)
C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:50:49 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


ERROR:
ORA-01031: Insufficient Permissions




Please enter Username:sys as SYSDBA
Enter Password: --Enter the correct password "Oracle" here


Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options

Sql>


-- Disconnect, change (NONE) to (NTS), then connect directly
SQL> disc
From Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options Disconnect
SQL> conn abc/123 as sysdba
ERROR:
ORA-01031: Insufficient Permissions


Because SQL*Plus was not exited, the change to (NTS) has not yet taken effect. Evidently, the sqlnet.ora file is read only when SQL*Plus starts.


-- Still set to (NTS). Exit SQL*Plus and log in again
Sql> exit


C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:54:52 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.




Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


Sql>


Now operating system authentication is in effect.


Note that after changing to (NONE), the SYSTEM user can no longer use RMAN, even with the correct password; only the SYS user, entering its password, can. The tests are as follows:


-- When set to (NTS), log in to RMAN
C:\Documents and Settings\administrator>rman target /


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:02:07 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


Connect to target database: orcl10g (dbid=1041171248)


Rman> exit




Recovery Manager is complete.


C:\Documents and Settings\administrator>rman target system/oracle


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:02:33 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


Connect to target database: orcl10g (dbid=1041171248)


Rman> exit




Recovery Manager is complete.




-- Change to (NONE), then log in to RMAN with a password
C:\Documents and Settings\administrator>rman target system/oracle    -- note: the password is correct here


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:03:06 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE, STACK follows ===============
RMAN-00571: ===========================================================
RMAN-00554: Internal Recovery Manager Package initialization failed
RMAN-04005: An error exists in the target database:
ORA-01031: Insufficient Permissions


C:\Documents and Settings\administrator>rman target /


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:08:47 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE, STACK follows ===============
RMAN-00571: ===========================================================
RMAN-00554: Internal Recovery Manager Package initialization failed
RMAN-04005: An error exists in the target database:
ORA-01031: Insufficient Permissions


C:\Documents and Settings\administrator>rman target sys/oracle


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:03:16 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


Connect to target database: orcl10g (dbid=1041171248)


Rman>


Clearly, once database authentication is in use, the SYSTEM user is prohibited from using RMAN. Only the SYS user, which has the highest privileges on the database, can log in to RMAN, and it must log in by entering its password.


Summary:


On Windows, SQLNET.AUTHENTICATION_SERVICES must be set to NTS to use OS authentication. If it is not set (for example, the line is commented out with #) or is set to any other value, OS authentication cannot be used.


The main cases are:
1. The sqlnet.ora file is empty, or the line is commented out with # -- Oracle password file authentication
2. SQLNET.AUTHENTICATION_SERVICES = (NTS) -- OS authentication
3. SQLNET.AUTHENTICATION_SERVICES = (NONE) -- Oracle password file authentication
4. SQLNET.AUTHENTICATION_SERVICES = (NONE,NTS) -- OS authentication (the same applies in reverse order)


Note: By default, the sqlnet.ora file on Unix/Linux has no SQLNET.AUTHENTICATION_SERVICES parameter; there does not even seem to be a sqlnet.ora file, which is very different from Windows.
In that case both operating system authentication and Oracle password authentication are available. If SQLNET.AUTHENTICATION_SERVICES is added, whether it is set to (NONE), (NTS), or (NONE,NTS), Oracle password authentication is used.
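
The four Windows cases and the Unix/Linux note above can be turned into a configuration check that reports which hosts still allow password-less SYSDBA logins. The Python sketch below is an added example, not code from the original article; the function names, the mode labels and the rule that a later line overrides an earlier one are assumptions, and the sample file contents are constructed.

```python
import re

# The parameter name and its values are matched case-insensitively in this sketch.
PARAM = re.compile(r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)#]*)", re.I)

def auth_services(text):
    """Return the configured services upper-cased, or None if the parameter is unset."""
    services = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # a commented-out line counts as unset
            continue
        m = PARAM.match(line)
        if m:                                # assumption: a later line overrides an earlier one
            services = [s.strip().upper() for s in m.group(1).split(",") if s.strip()]
    return services

def sysdba_auth_mode(text, platform="windows"):
    """Map the body of a sqlnet.ora file to the SYSDBA authentication mode in the summary."""
    services = auth_services(text)
    if platform == "windows":
        # Cases 1-4: only a list that contains NTS enables OS authentication.
        return "os" if services and "NTS" in services else "password-file"
    # Unix/Linux note: parameter absent -> both work; any value -> password file only.
    return "os-and-password-file" if services is None else "password-file"

# Constructed sample: a shortened form of the NETCA default quoted in the article.
NETCA_DEFAULT = """\
# This file is actually generated by netca.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

if __name__ == "__main__":
    samples = {
        "netca default": NETCA_DEFAULT,
        "hardened": "SQLNET.AUTHENTICATION_SERVICES = (NONE)",
        "mixed": "sqlnet.authentication_services=(none, nts)",
        "commented out": "#SQLNET.AUTHENTICATION_SERVICES = (NTS)",
    }
    for name, body in samples.items():
        mode = sysdba_auth_mode(body)
        flag = "REVIEW: OS accounts can connect as SYSDBA" if mode == "os" else "ok"
        print(f"{name:15} {mode:15} {flag}")
```
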





