講解Oracle數(shù)據(jù)庫的sysdba權(quán)限登錄問題
數(shù)據(jù)庫用sysdba登錄的驗證有兩種方式,一種是通過os認(rèn)證,一種是通過密碼文件驗證;登錄方式有兩種,一種是在數(shù)據(jù)庫主機(jī)直接登錄(用os認(rèn)證的方式),一種是通過網(wǎng)絡(luò)遠(yuǎn)程登錄;需要設(shè)置的參數(shù)有兩個,一個是SQLNET.AUTHENTICATION_SERVICES,一個是REMOTE_LOGIN_PASSWORDFILE。
os認(rèn)證:假如啟用了os認(rèn)證,以sysdba登錄,那么只需要使用oracle軟件的安裝用戶就能登錄:sqlplus “/ as sysdba”。如果我們要禁用os認(rèn)證,只利用密碼文件登錄,我們首先要有一個密碼文件:
D:oracleora92database>orapwd file=PWDoralocal.ora password=mypassword entries=10;
D:oracleora92database>
然后我們要把$ORACLE_HOME/network/admin/sqlnet.ora中設(shè)置:
SQLNET.AUTHENTICATION_SERVICES= none
大家需要注意,密碼文件只在數(shù)據(jù)庫啟動的時候加載進(jìn)去,一旦加載進(jìn)去,密碼文件就脫離了oracle管理,所以在你使用orapwd新建密碼文件后,里面指定的密碼需要在數(shù)據(jù)重啟后才能發(fā)生作用:
D:oracleora92database>sqlplus 'sys/mypassword as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 21:59:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
### 這里我們通過改SQLNET.AUTHENTICATION_SERVICES= (NTS)用os認(rèn)證登錄數(shù)據(jù)庫:
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> startup
ORACLE instance started.
Total System Global Area 135338868 bytes
Fixed Size 453492 bytes
Variable Size 109051904 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:oracleora92database>
D:oracleora92database>
D:oracleora92database>
### 我們把SQLNET.AUTHENTICATION_SERVICES= (NTS)改回去。
D:oracleora92database>sqlplus '/ as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:03:59 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:oracleora92database>
D:oracleora92database>
D:oracleora92database>
D:oracleora92database>sqlplus 'sys/mypassword as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Fri May 16 22:04:07 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> exit
在這里,我們看到這個新改的密碼要數(shù)據(jù)庫重啟后加載才生效。同時我們看到,用os認(rèn)證是無法登錄的,但是通過網(wǎng)絡(luò)(用@sid)是可以登錄。
D:oracleora92database>sqlplus '/ as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:58:32 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
D:oracleora92database>
D:oracleora92database>sqlplus 'sys/mypassword as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:15 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
D:oracleora92database>sqlplus 'sys/mypassword@oralocal as sysdba'
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 00:59:38 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)>
至此,我們已經(jīng)實現(xiàn)不用os認(rèn)證(sqlplus “/ as sysdba”的方式登錄不了)。那么我們怎么限制網(wǎng)絡(luò)方面利用sysdba遠(yuǎn)程登錄呢?我們可以設(shè)置初始化文件中的REMOTE_LOGIN_PASSWORDFILE=none。
注意,當(dāng)REMOTE_LOGIN_PASSWORDFILE=none時,這個參數(shù)生效需要重啟數(shù)據(jù)庫,并且,一旦啟用這個參數(shù),將使用操作系統(tǒng)認(rèn)證,不使用口令文件。因此如果REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none這個時候數(shù)據(jù)庫是無法登錄的。
[coolcode lang=”sql” linenum=”off”]
D:oracleora92database>sqlplus “sys/change_on_install as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 01:28:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.50.29)> show parameter remote_login
NAME TYPE VALUE
———————————— ———– ——————————
remote_login_passwordfile string EXCLUSIVE
sys@ORALOCAL(192.168.50.29)> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
Elapsed: 00:00:00.01
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)> startup
ORA-01031: insufficient privileges
sys@ORALOCAL(192.168.50.29)>exit
C:Documents and SettingsAdministrator>sqlplus “/ as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:43 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and SettingsAdministrator>sqlplus “sys/change_on_install as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:26:53 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and SettingsAdministrator>
C:Documents and SettingsAdministrator>sqlplus “sys/change_on_install@oralocal as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 08:27:03 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and SettingsAdministrator>
[coolcode]
這里我們看到由于啟用了REMOTE_LOGIN_PASSWORDFILE=none,使用os認(rèn)證,不用密碼文件認(rèn)證,必須將SQLNET.AUTHENTICATION_SERVICES= none取消,不然是無法登錄。我們改成SQLNET.AUTHENTICATION_SERVICES= (NTS)后再次測試。
[coolcode lang=”sql” linenum=”off”]
### 非oracle軟件安裝軟件用戶:###
C:Documents and Settingshejianmin>sqlplus “/ as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and Settingshejianmin>
C:Documents and Settingshejianmin>sqlplus “sys/change_on_install as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:30 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and Settingshejianmin>
C:Documents and Settingshejianmin>sqlplus “sys/change_on_install@oralocal as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:15:42 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and Settingshejianmin>
### oracle 軟件安裝用戶 ####
C:Documents and SettingsAdministrator>sqlplus “/ as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:13 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
從Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中斷開
C:Documents and SettingsAdministrator>sqlplus “sys/change_on_install as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:33 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
從Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中斷開
C:Documents and SettingsAdministrator>sqlplus “sys/change_on_install@oralocal as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:45 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
從Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production中斷開
C:Documents and SettingsAdministrator>sqlplus “11/22 as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on 星期六 5月 17 20:19:58 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
連接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)>
[/coolcode]
在這里我們看到由于用了os認(rèn)證,在oracle安裝用戶下,無論用什么方式都能登錄。非oracle用戶無論用什么用戶都無法登錄。
如果REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none時:
[coolcode lang=”sql” linenum=”off”]
C:Documents and SettingsAdministrator>sqlplus “sys/change_on_install as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:30:57 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
sys@ORALOCAL(192.168.0.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
C:Documents and SettingsAdministrator>
C:Documents and SettingsAdministrator>sqlplus “/ as sysdba”
SQL*Plus: Release 9.2.0.1.0 - Production on Sat May 17 20:31:04 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
C:Documents and SettingsAdministrator>
C:Documents and SettingsAdministrator>
[/coolcode]
結(jié)論:
(1)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安裝用戶本地sqlplus “/ as sysdba”無法登錄
非oracle安裝用戶本機(jī)sqlplus “sys/change_on_install as sysdba”無法登錄
非oracle安裝用戶遠(yuǎn)程sqlplus “/ as sysdba_on_install@sid as sysdba”無法登錄
(2)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安裝用戶本地sqlplus “/ as sysdba”無法登錄
非oracle安裝用戶本機(jī)sqlplus “sys/change_on_install as sysdba”能登錄
非oracle安裝用戶遠(yuǎn)程sqlplus “/ as sysdba_on_install@sid as sysdba”能登錄
(3)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安裝用戶本地sqlplus “/ as sysdba”能登錄
非oracle安裝用戶本機(jī)sqlplus “sys/change_on_install as sysdba”無法登錄
非oracle安裝用戶遠(yuǎn)程sqlplus “/ as sysdba_on_install@sid as sysdba”無法登錄
(4)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安裝用戶本地sqlplus “/ as sysdba”能登錄
非oracle安裝用戶本機(jī)sqlplus “sys/change_on_install as sysdba”能登錄
非oracle安裝用戶遠(yuǎn)程sqlplus “/ as sysdba_on_install@sid as sysdba”能登錄
網(wǎng)公網(wǎng)安備