OracleOS authentication password file and password loss

After Oracle is installed, OS authentication is enabled by default. The OS authentication mentioned here refers to the server-side OS authentication. OS authentication means to verify the login database user and password

After Oracle is installed, OS authentication is enabled by default. The OS authentication mentioned here refers to the server-side OS authentication. OS authentication means to verify the login database user and password

I. OS Authentication

1.1 Introduction to OS Authentication

After Oracle is installed, OS authentication is enabled by default. The OS authentication mentioned here refers to the server-side OS authentication. OS authentication means that the user and password for database login are verified at the operating system level. If you log on to the OS when installing Oracle, no authentication is required when you log on to the Oracle database, for example:

SQL> connect/as sysdba

Connected.

SQL> connect sys/aaa @ test as sysdba

Connected.

SQL> connect sys/bbb as sysdba

Connected.

SQL> connect aaa/bbb as sysdba

Connected.

SQL> show user

SYS

SQL>

No matter which user you enter (even if this user, such as aaa, does not exist in the Database), you can connect to the database as long as you connect to the database with the sysdba permission and the user is sys, which is very convenient, sometimes, if you forget the Database Password and want to log on to the database, you can use this method on the database server.

1.2 OS Authentication-related parameters

Oracle Database performs OS authentication using the following three parameters:

(1) sqlnet. AUTHENTICATION_SERVICES parameter in SQLNET. ora.

(2) The REMOTE_LOGIN_PASSWORDFILE parameter in the PFILE (or SPFILE) File

(3) password file PWDsid. ora (windows) or orapwSID (linux, case sensitive ).

1.2.1 sqlnet. ora file Parameters

File Location: $ ORACLE_HOME/network/admin/sqlnet. ora

SQLNET. AUTHENTICATION_SERVICES = (CNT)

NAMES. DIRECTORY_PATH = (TNSNAMES, EZCONNECT)

Parameters can have the following values:

SQLNET. AUTHENTICATION_SERVICES = (CNT) | (NONE)

Where:

(ETS): indicates the operating system authentication method. password files are not used. The default value is.

(NONE): Password File authentication method

1.2.2 REMOTE_LOGIN_PASSWORDFILE Parameter

This parameter can have the following values:

REMOTE_LOGIN_PASSWORDFILE = 'none' | 'clusive '| 'shared'

(1) NONE: Do not use the password file to log on, remote users are not allowed to log on to the system using sys, and sys passwords can be modified online;

(2) EXCLUSIVE: default value. Only one database can use this password file, allow remote login, allow non-sys users to manage the database as sysdba, and change the sys password online. In this mode, the password file can contain passwords for multiple licensed Oracle accounts. This is the recommended operation mode, especially when running RMAN. If you want to connect RMAN to a database from a remote client, you must use this parameter.

(3) SHARE: password files can be used for multiple databases. In fact, when the Oracle database is started, the first query is orapw. If the password file does not exist, start searching. If the password file of orapw is named orapw, you can share multiple databases, allow remote logon, use sys for sysdba management, and change the sys password online. In this setting, only the INTERNAL/SYS account can be identified. Even if the file contains information of other users, they are not allowed to log on with SYSOPER/SYSDBA.

Modify:

SQL> ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE SCOPE = SPFILE;

Note that this parameter is not a dynamic parameter. You need to modify the modification when the database is loaded to the MOUNT state, and restart the database after the change, so that the parameter settings can take effect.

1.3 disable OS Authentication

OS authentication has certain security risks. We can block OS authentication.

1.3.1 in windows

In win, you only need to set oracle_home/NETWORK/admin/sqlnet. SQLNET. AUTHENTICATION_SERVICES = (CNT) the system can block the OS function by changing the content of the CNT to none or comment out this sentence (add # In Front, to connect a sys user to a database, you must enter the correct sys password, or delete the oracle installer from the ora_dba group. Of course, you can also delete the ora_dba group directly, can block the OS function.

For example:

SQL> connect/as sysdba

ERROR:

ORA-01031: insufficient Permissions

SQL> connect sys/aaa as sysdba

ERROR:

ORA-01017: invalid username/password; login denied

SQL> connect aaa/bbb as sysdba

ERROR:

ORA-01031: insufficient Permissions

SQL> connect sys/system as sysdba

Connected.

SQL>

1.3.2 LINUX/UNIX

Adding sqlnet. AUTHENTICATION_SERVICES = (none) to the file SQLNET. ora and deleting dba (groupdel dba) groups or removing oracle users from the dba group can shield OS authentication.

Note:

With this blocking method, the system administrator can still create an ora_dba or dba group and modify the sqlnet. ora file.