Oracle Local authentication and password files

The role of Oracle's password file is to authenticate DBA authority. When the database is opened to the Mount state, the database must have a very important password file/password file, which is stored by default in the $oracle_home/dbs, the default name is called ORAPW. If the password file is missing, then the database starts to mount with an error. The password file contains the user name and password of the Sysdba/sysoper User:

file Internal6a75b1bbe50e66ab4de42795e66117ae

Before the database is started, the built-in user of the database cannot authenticate with the database itself, and with the password file, Oracle can authenticate the user, log in before the database is started, and start the database. Password files can be rebuilt with the Orapwd tool, so it is not necessary to include a password file in the usual backup strategy.  oracle has two authentication methods: Operating system authentication (requiring the user to belong to the local DBA group, and then logging on to Oracle via the operating system authentication to start the database), password file authentication The authentication method used by Oracle is determined by two parameters: (1) Remote_ Login_passwordfile=none|exclusive|sharednone: Do not use password file authentication. If you select this value, it is equivalent to masking the contents of the password file. Exclusive: To password file authentication, own exclusive use (default) shared: To password file authentication, different instances of DBA users can share password files   (2) located in $oracle_home/network/admin/ Sqlnet.orasqlnet.authentication_services=none|all|ntsnone: Shut down the operating system authentication, only password Authentication all: For Linux/unix platform, turn off the native password file authentication, Operating system certified NTS: For Windows platforms   Labs: The Oracle server is located on the Linux operating system and the client is located on the Windows operating system. First, look at the Remote_login_passwordfile parameter values:

SYS@orcl-SEP->Show Parameter Remote_login_ Passwordfile NAME                                TYPE        VALUE-------------------------------------------------------- ---------------------remote_login_passwordfile            string      EXCLUSIVE

Locate the Sqlnet.ora in the $oracle_home/network/admin directory and add the following at the end of the file:

Sqlnet. Authentication_services=Use-or#        for on  your system.# #Supported since:  11.0#SQLNET. Authentication_services=None

Even with the password file authentication method, if we use Sqlplus "/as sysdba" locally, we will prompt the error message:

[[email protected] ~]$ sqlplus "/ assysdba "SQL*Plus:release11.2.0.1.0Production onFri Sep A  A: $: About  theCopyright (c)1982, the, Oracle. Allrights reserved. Error:ora-01031: InsufficientPrivileges

At this point we must use the SYS user name and password to log in:

[[email protected] ~]$ sqlplus "Sys/Sys assysdba "SQL*Plus:release11.2.0.1.0Production onFri Sep A  A: -: ,  theCopyright (c)1982, the, Oracle. Allrights reserved. Connected to: OracleDatabase11g Enterprise Edition Release11.2.0.1.0 -Production withThe partitioning, OLAP, Data Mining and RealApplication Testing Options

Enter Sqlnet.ora to change Sqlnet.authentication_services=none to "=all", Save the exit.

Use Sqlplus "/as sysdba" to log in again using local authentication:

[[email protected] ~]$ sqlplus "/ assysdba "SQL*Plus:release11.2.0.1.0Production onFri Sep A  A: the:Wuyi  theCopyright (c)1982, the, Oracle. Allrights reserved. Connected to: OracleDatabase11g Enterprise Edition Release11.2.0.1.0 -Production withThe partitioning, OLAP, Data Mining and RealApplication Testing Options

In addition, we can use the Orapwd tool to generate password files.

First look at the usage of orapwd:

[[email protected] ~]$ orapwdusage:orapwdfile=Entries=Force=IgnoreCase=Nosysdba=    where    file -Name ofPasswordfile(required), password-Password forSYS would be promptedif  notspecified at command line, entries-Maximum Number  of distinctDBA (optional), force-Whether toOverwrite existingfile(optional), ignorecase-Passwords is Case-insensitive (optional), NOSYSDBA-Whether toShut out the SYSDBA logon (optionalDatabaseVault only). There must be no spaces around the equal- to(=)character.

We move the original ORAPWORCL in the $oracle_home/dbs directory to a different directory. Note that remote_login_passwordfile=exclusive, and Sqlnet.ora in the Sqlnet.authentication_services=none client on Windows attempt remote Oracle:

SQL> conn sys/sys@win as sysdbaerror:ora-01031 Privileges

Now we use ORAPWD to reconstruct the password file:

[[email protected] DBS] file =$ORACLE _home/dbs/orapworcl password=sys entries=5[  [email protected] DBS]$ lshc_dbua0.dat  initorcl      lkorcl        peshm_ Dummy_0  spfileorcl.orahc_orcl.dat  initorcl.ora  orapworcl      peshm_orcl_0init.ora      lkdummy      peshm_dbua0_0  snapcf_orcl.f

Try remote connection to Oracle again:

SQL> conn sys/sys@win as sysdba
Connected.

Look at the contents of this password file:

[[email protected] DBS] $ strings ORAPWORCL ORACLE Remote Password fileinternal6a75b1bbe50e66ab4de42795e66117ae

Create a new user in the database and grant permissions to SYSDBA:

SYS@orcl  One-SEP- ->Create UserSunny identified bySunny;Usercreated. SYS@orcl  One-SEP- ->GrantSysdba toSunny;GrantSucceeded.

Again to see the content of ORAPWORCL, found more sunny this user's information:

[[email protected] DBS]  fileinternal6a75b1bbe50e66ab4de42795e66117aesunny53801465943a91be

You can also see which users have SYSDBA permissions through the dynamic performance View V$pwfile_users:

SYS@orcl-SEP->Select*from  v$pwfile_users; USERNAME                        sysdb SYSOP sysas------------------------------  --------------- SYS                             True  true  Falsesunny                           true  false false

Oracle Local authentication and password files