Description of the SQLNET.AUTHENTICATION_SERVICES authentication methods

Source: Internet
Author: User

Today, during a routine inspection at a customer site, the customer asked that, to improve database security, the SYS/SYSTEM passwords be changed and the default operating system authentication be replaced with database authentication. Here I summarize the two authentication methods.


Operating system authentication means that access to the database is granted through the privileges of the operating system account. For example, if you already have Administrator privileges on Windows, then with this method you can connect without entering a user name and password, for example: sqlplus / as sysdba. Even an arbitrary user name and password is accepted, for example: sqlplus abc/efg as sysdba


C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:02:25 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.




Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


C:\Documents and Settings\administrator>sqlplus abc/efg as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:02:33 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.




Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


Sql>


Of course, this applies to the SYS user only. Other users, even SYSTEM, must enter the correct user name and password to access the database:


C:\Documents and Settings\administrator>sqlplus system/123456


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:05:07 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


ERROR:
ORA-01017: Invalid username/password; Login is denied




Please enter user name:


In my environment, the passwords of both the default SYS and SYSTEM users are "oracle". The password of the database SYS user is stored in the PWD<sid>.ora file (on Unix/Linux, in orapw<sid>). To find out whether the SYS user has a password, you can run the following query:
SQL> SELECT * FROM V$PWFILE_USERS;


USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE


Obviously, accessing the database through operating system authentication is a security risk. In large companies the system administrator (SA) and the DBA roles are usually managed separately, and it is not appropriate for operating system authentication to let the SA access the database freely. For this scenario we can use database authentication, so that SYS must enter the correct user name and password to access the database. Then an SA who does not have the DBA's SYS password cannot access the database.


On Windows, the authentication mechanism is controlled by the sqlnet.ora file. The file is generated when you finish installing the database and create a listener with NETCA, and its default content is usually:
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.


SQLNET.AUTHENTICATION_SERVICES = (NTS)


That is, the default is operating system authentication. Perhaps Oracle assumes that someone with SA privileges already holds the highest system privileges, so the SYS user no longer needs to verify a password.


If the parameter is set to (NONE), database authentication is used. It can also be set to (NONE,NTS), but this makes no sense: as long as NTS appears in the parentheses, operating system authentication is used and NONE has no effect.


Note that some articles say the parameter can also be set to (ALL), but in my test, setting it to (ALL) produced an error:
C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:26:06 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


ERROR:
ORA-12641: Validation Service failed to initialize


Please enter user name:


For example, the following paragraph describes it:
Use the parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services.
If authentication has been installed, it is recommended that this parameter be set to either none or to one of the authentication methods.

NONE for no authentication methods. A valid username and password can be used to access the database.
ALL for all authentication methods
NTS for Windows NT native authentication (an authentication method that enables
a client single login access to a Windows NT server and a database running on the server)


Although ALL is listed here, it did not work when I tested it myself. Perhaps this depends on the version; mine is 10.2.0.1 on Windows 32-bit.


-- Log in after changing to (NONE)
C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:50:49 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


ERROR:
ORA-01031: Insufficient Permissions




Please enter user name: SYS as SYSDBA
Enter Password:   -- enter the correct password "oracle" here


Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options

Sql>


-- Disconnect, change (NONE) to (NTS), and connect directly
SQL> disc
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options
SQL> conn abc/123 as sysdba
ERROR:
ORA-01031: Insufficient Permissions


Because I had not exited SQL*Plus, the change to (NTS) had not yet taken effect. This shows that the sqlnet.ora file is read only when SQL*Plus starts.


-- Still set to (NTS); exit SQL*Plus and log back in
SQL> exit


C:\Documents and Settings\administrator>sqlplus / as sysdba


Sql*plus:release 10.2.0.1.0-production on Thu August 28 21:54:52 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.




Connect to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-production
With the partitioning, OLAP and Data Mining options


Sql>


Now operating system authentication is in effect.


Note that when RMAN is used under database authentication, the SYSTEM user cannot operate it, even with the correct password; only the SYS user with its password can. The test is as follows:


-- When set to (NTS), log in to RMAN
C:\Documents and Settings\administrator>rman target /


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:02:07 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


Connect to target database: orcl10g (dbid=1041171248)


Rman> exit




Recovery manager completed.


C:\Documents and Settings\administrator>rman target system/oracle


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:02:33 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


Connect to target database: orcl10g (dbid=1041171248)


Rman> exit




Recovery manager completed.


-- Change to (NONE), then log in to RMAN again with the password
C:\Documents and Settings\administrator>rman target system/oracle   -- note that the password here is correct


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:03:06 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE, STACK follows ===============
RMAN-00571: ===========================================================
RMAN-00554: Internal Recovery Manager Package initialization failed
RMAN-04005: An error exists in the target database:
ORA-01031: Insufficient Permissions


C:\Documents and Settings\administrator>rman target /


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:08:47 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE, STACK follows ===============
RMAN-00571: ===========================================================
RMAN-00554: Internal Recovery Manager Package initialization failed
RMAN-04005: An error exists in the target database:
ORA-01031: Insufficient Permissions


C:\Documents and Settings\administrator>rman target sys/oracle


Recovery manager: Release 10.2.0.1.0-production on Thursday August 28 22:03:16 2014


Copyright (c) 1982, 2005, Oracle. All rights reserved.


Connect to target database: orcl10g (dbid=1041171248)


Rman>


It is clear that after switching to database authentication, the SYSTEM user is prohibited from using RMAN. Only the SYS user, which has the highest database privileges, can log in to RMAN, and it must do so by entering its password.


Summary:


On Windows, SQLNET.AUTHENTICATION_SERVICES must be set to NTS to use OS authentication. If it is not set (for example, the line is commented out with #) or is set to any other value, OS authentication cannot be used.
The main cases are as follows:
1. The sqlnet.ora file is empty or the line is commented out with # -- Oracle password file authentication
2. SQLNET.AUTHENTICATION_SERVICES = (NTS) -- OS authentication
3. SQLNET.AUTHENTICATION_SERVICES = (NONE) -- Oracle password file authentication
4. SQLNET.AUTHENTICATION_SERVICES = (NONE,NTS) -- OS authentication (the reverse order behaves the same)


Note: by default, the sqlnet.ora file on Unix/Linux does not contain the SQLNET.AUTHENTICATION_SERVICES parameter; it seems the sqlnet.ora file may not even exist, which is quite different from Windows.
In that case operating system authentication and Oracle password authentication coexist. If you add the SQLNET.AUTHENTICATION_SERVICES parameter, then whether it is set to (NONE), (NTS), or (NONE,NTS), authentication is based on the Oracle password.
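
The cases summarized above can be checked mechanically when auditing a host. The following is an added example, not code from the original article: it parses the text of a sqlnet.ora file and reports which authentication mode the article's summary predicts for SYSDBA logins. The function names and the sample file contents are hypothetical, and the classification encodes only the behaviour the article observed on 10.2.0.1.

```python
import re

# Matches the parameter line; '#' comment lines are stripped before matching.
_PARAM = re.compile(
    r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)\n]*)\)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def auth_services(sqlnet_text):
    """Return the configured services as an upper-case list, or None if unset."""
    active = "\n".join(
        line for line in sqlnet_text.splitlines()
        if not line.lstrip().startswith("#")
    )
    m = _PARAM.search(active)
    if m is None:
        return None
    return [s.strip().upper() for s in m.group(1).split(",") if s.strip()]

def sysdba_auth_mode(sqlnet_text, platform="windows"):
    """Classify SYSDBA logins using the cases in the article's summary."""
    services = auth_services(sqlnet_text)
    if platform == "windows":
        # Cases 2 and 4: NTS anywhere in the list enables OS authentication.
        if services and "NTS" in services:
            return "os"
        # Cases 1 and 3: unset, commented out, or NONE.
        return "password-file"
    # Unix/Linux per the article: unset means both methods coexist,
    # any explicit setting means password authentication.
    return "os+password-file" if services is None else "password-file"

# Constructed sample files, not taken from a real system.
DEFAULT_NT = "# generated by NETCA\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
HARDENED = "sqlnet.authentication_services = (NONE)\n"
COMMENTED = "#SQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
MIXED = "SQLNET.AUTHENTICATION_SERVICES= (none, nts)\n"

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_NT), ("hardened", HARDENED),
                       ("commented", COMMENTED), ("mixed", MIXED)]:
        print(f"{name:10} windows={sysdba_auth_mode(text)} "
              f"unix={sysdba_auth_mode(text, 'unix')}")
```

A result of "os" on a Windows database server means any local administrator can connect as SYSDBA without the SYS password, which is the condition the customer in this article wanted removed.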



