Oracle uses password file validation and OS validation

Source: Internet
Author: User

First, OS authentication is enabled by default after Oracle is installed. OS authentication here means authentication by the server-side operating system: the check of the user name and password for the database login is delegated to the operating system level. If you log on to the OS as the user who installed Oracle, no further validation is required when you log in to the Oracle database.

1. Using operating system validation

Two prerequisites must both be met:

1) Create the ORA_DBA user group in the OS.

You can then either create a new user or add an existing user to the ORA_DBA group. A user in this group who logs in on the local machine where the database is installed, or over a secure remote connection, can connect as SYSDBA without supplying a password at the database level.

2) Add the following to the sqlnet.ora file:

SQLNET.AUTHENTICATION_SERVICES = (NTS)

The SQLNET.AUTHENTICATION_SERVICES parameter

The sqlnet.ora file is located in the $ORACLE_HOME/network/admin directory and is edited directly in a text editor. The values of SQLNET.AUTHENTICATION_SERVICES behave somewhat differently on different operating systems. The settings usually used are:

    • SQLNET.AUTHENTICATION_SERVICES = (ALL)

On Linux, both OS authentication and password file authentication are supported.

On Windows, testing shows that this value is not supported and validation fails.

    • SQLNET.AUTHENTICATION_SERVICES = (NTS)

This value applies only to Windows NT systems, where it supports both OS authentication and password file authentication. Oracle running on Windows supports OS authentication only after the value is set to (NTS).

    • SQLNET.AUTHENTICATION_SERVICES = (NONE)

This value behaves the same on Windows and Linux: Oracle uses only password file authentication.

    • Parameter not set, or SQLNET.AUTHENTICATION_SERVICES =

On Linux, both OS authentication and password file authentication are supported by default.

On Windows, only password file authentication is supported by default; OS authentication is not.
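
The per-platform behaviour listed above can be checked mechanically when reviewing a server. The following is an added example, not part of the original article: it parses the text of a sqlnet.ora file and reports which authentication methods the article says are active for that value and platform. The function names, the behaviour table and the sample files are constructed for illustration, and it checks only the sqlnet.ora prerequisite, not ORA_DBA group membership.

```python
import re

# Behaviour per (value, platform), exactly as the article states it.
# "os" = OS authentication, "pwfile" = password file authentication.
BEHAVIOUR = {
    ("ALL", "linux"): {"os", "pwfile"},
    ("ALL", "windows"): set(),           # article: validation fails on Windows
    ("NTS", "windows"): {"os", "pwfile"},
    ("NONE", "linux"): {"pwfile"},
    ("NONE", "windows"): {"pwfile"},
    ("", "linux"): {"os", "pwfile"},     # parameter unset or empty
    ("", "windows"): {"pwfile"},
}

PARAM = re.compile(r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*(.*)$", re.I)


def auth_services(sqlnet_text):
    """Return the configured value upper-cased, or "" if unset or empty."""
    value = ""
    for line in sqlnet_text.splitlines():
        line = line.split("#", 1)[0]     # ignore comments
        m = PARAM.match(line)
        if m:                            # assumption: the last occurrence wins
            value = m.group(1).strip().strip("()").strip().upper()
    return value


def audit(sqlnet_text, platform):
    """Report the methods the article lists for this value and platform."""
    value = auth_services(sqlnet_text)
    methods = BEHAVIOUR.get((value, platform))
    if methods is None:                  # combination the article does not cover
        return {"value": value, "methods": None, "os_auth": None}
    return {"value": value, "methods": methods, "os_auth": "os" in methods}


# Constructed sample files, not taken from a real system.
SAMPLE_WINDOWS = """# sqlnet.ora (constructed sample)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
"""
SAMPLE_HARDENED = "sqlnet.authentication_services=(none)\n"

if __name__ == "__main__":
    print("windows ", audit(SAMPLE_WINDOWS, "windows"))
    print("hardened", audit(SAMPLE_HARDENED, "linux"))
```

A result of os_auth = True means the sqlnet.ora condition for passwordless "/ as sysdba" logins is met, so membership of the ORA_DBA group is the only remaining control.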

The following logins all use OS authentication:

sqlplus "/ as sysdba"

sqlplus "sys/sys as sysdba"

sqlplus "sys/sdf as sysdba"    // wrong sys password

sqlplus "scott/sdf as sysdba"    // wrong scott password

All of the above log in to the database. You can log on to the database (as SYSDBA) as long as you have passed the server-level authentication. Neither the existence of the login user name in the database nor the correctness of the password is verified.

At this point, show user reports SYS.

Whenever "/ as sysdba" is used at login, the OS authentication method is applied, regardless of whether the SYS user name or the password is correct. This is a security risk.

2. Turning off OS validation

1) Remove the ORA_DBA group from the operating system, or remove the currently logged-on user from the ORA_DBA group.

2) In the sqlnet.ora file, set SQLNET.AUTHENTICATION_SERVICES = (NONE) to shut off OS authentication.

Directory: e:\oracle\product\10.2.0\db_1\network\admin

Satisfying either one of these two conditions is enough.

Second, the role of the Oracle password file is to store the passwords of all users who connect to the database with SYSDBA or SYSOPER privileges. If you want to connect to the database remotely with SYSDBA privileges, you must use a password file; otherwise you cannot connect.

Because the SYS user must connect to the database as SYSDBA or SYSOPER, the SYS user must use a password file to connect to the database. The advantage of using a password file is that even if the database is not in the open state, you can still connect to it through password file validation. Right after Oracle is installed, no ordinary user has been granted the SYSDBA privilege, so the password file contains only SYS. If SYSDBA is granted to an ordinary user, that user's password is read from the database and saved in the password file. This, of course, requires the database to be in the open state.

1. Using password file authentication

If password file validation is not currently in use, you can turn it on as follows.

1. Create a password file

C:\>orapwd file=c:\oracle\ora92\database\pwdtest.ora password=admin entries=5

Password file name format:

PWD + sid + .ora

The file must be named in this format. By default, the name of the password file under Windows is PWDsid.ora (case insensitive).

2. Verify that the parameter is set correctly

remote_login_passwordfile=exclusive

View the value of the static parameter remote_login_passwordfile through the data dictionary view v$parameter:

Ex: select name, value from v$parameter where name = 'remote_login_passwordfile';

If the value of remote_login_passwordfile is not exclusive, you can change it in the initialization parameter file with alter system.

The remote_login_passwordfile value is stored in the initialization parameter file (the spfile) and is not a dynamic parameter. Changing it therefore requires restarting the database so that the spfile is reloaded.

Ex: SQL> alter system set remote_login_passwordfile=exclusive scope=spfile;

The meaning of each parameter value:

NONE: Password file verification is not used. With no password file authentication and no user in the ORA_DBA group, no user can enter the database as SYSDBA. The Oracle database does not allow remote logins as SYSDBA/SYSOPER.

EXCLUSIVE: The instance uses the password file exclusively, that is, each instance uses its own separate password file.

SHARED: Multiple instances share one password file.

Note:

About SHARED

When remote_login_passwordfile=shared,

the PWD+sid.ora file is still generated under the C:\oracle\ora92\database directory. Each DB instance uses its own SYS user and the corresponding password, but new users with SYSDBA privileges can no longer be added.

If remote_login_passwordfile=exclusive and the ORA_DBA group exists in the OS, a user who is logged in as a member of the ORA_DBA group can still use OS validation.

3. Restart the database; SYS is automatically added to the password file

At this point there are no users in the password file, because it has only just been created.

You can confirm this by querying: select * from v$pwfile_users;

If you try to add SYS to the password file with grant sysdba to sys; an error is raised. The database has to be restarted, after which SYS is added automatically.

4. Write the SYSTEM user to the password file

grant sysdba to system;

After the grant command succeeds, run:

select * from v$pwfile_users;

You can see that SYSTEM is now in the password file.

Note: If you forget the SYS password, there are 3 ways to deal with it.

1) Turn on OS authentication and connect with / as sysdba, then run: alter user sys identified by "NewPassword";

2) Delete the password file, then use the orapwd command to recreate it. The database must be restarted afterwards.

3) If OS authentication login is not enabled, you will need to rebuild the password file with orapwd:

orapwd file=d:\oracle10g\database\pwdsid.ora password=newpass

This command regenerates the password file for the database. The password file is located in the \database directory under the ORACLE_HOME directory.

The password given here becomes the password of the SYS user. The passwords of users other than SYS do not change. Restart Oracle for the change to take effect.
