[20180316] Changing the password expiry of the oracle user.txt

Posted by lfree on 2018-03-16


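--//Yesterday I read a blog post, "Stop password for user accounts expiring on Exadata", link:
--//https://blog.zeddba.com/2018/03/14/stop-password-for-user-accounts-expiring-on-exadata/
--//It covers the password expiry of the oracle user. I have actually run into this problem before; the direct result was that the export
--//cron job could not run normally. I am making a record of it for myself as well: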

#  chage -l oracle
Last password change                                    : Aug 21, 2015
Password expires                                        : May 16, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 999
Number of days of warning before password expires       : 7

--//In fact I have already changed it once; it expires on 2018/5/16.

SCOTT@book> select to_date('2015/8/21','yyyy/mm/dd')+999 dd from dual ;
DD
-------------------
2018-05-16 00:00:00

--//This matches exactly. Now look at the grid user, which I have not modified:
#  chage -l grid
Last password change                                    : Oct 10, 2014
Password expires                                        : Jul 05, 2017
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 999
Number of days of warning before password expires       : 7

--//You can see that the grid user's password expired long ago. The author gives this suggestion for changing it:
The manual page for chage explains the switches:

-d, --lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in
the format YYYY-MM-DD (or the format more commonly used in your area). If the LAST_DAY is set to 0 the user is forced
to change his password on the next log on.

-E, --expiredate EXPIRE_DATE
Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date
may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is
locked must contact the system administrator before being able to use the system again.

Passing the number -1 as the EXPIRE_DATE will remove an account expiration date.

-m, --mindays MIN_DAYS
Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the
user may change his/her password at any time.

-M, --maxdays MAX_DAYS
Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current
day, the user will be required to change his/her password before being able to use his/her account. This occurrence can
be planned for in advance by use of the -W option, which provides the user with advance warning.

Passing the number -1 as MAX_DAYS will remove checking a password's validity.


#  chage -d 9999 -E -1 -m 0 -M -1 oracle
#  chage -l oracle
Last password change                                    : May 18, 1997
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : -1
Number of days of warning before password expires       : 7

--//This way it never expires. The -d parameter struck me as odd:
-d, --lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in
the format YYYY-MM-DD (or the format more commonly used in your area). If the LAST_DAY is set to 0 the user is forced
to change his password on the next log on.

SCOTT@book> select to_date('1970/1/1','yyyy/mm/dd')+9999 dd from dual ;
DD
-------------------
1997-05-18 00:00:00

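--//In fact all of this contradicts the security classified-protection compliance requirements. I don't know whether our team is aware of it. Actually, last time I already told the people implementing the compliance work about this problem.
--//I don't know how our team's developers monitor and manage this; I am truly disappointed with a team like this.
--//If you want to limit password lifetime, you must know the consequences it may bring.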
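
An added example (not from the original post or the linked blog): a small audit that reads shadow-format lines and reports, per account, whether the password has expired, will expire within a warning window, or never expires, using the same "last change + maximum days" arithmetic checked above. The function names, the sample lines and the 90-day window are assumptions made for this example; the day numbers are constructed to match the chage output shown on this page.

```shell
#!/bin/sh
# Added example: password-aging report from shadow-format input.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is a day count since 1970-01-01, the same unit chage -d takes.

# aging_report TODAY_DAYS WINDOW_DAYS   (shadow-format lines on stdin)
# Prints: <user> <EXPIRED|EXPIRING|OK|NEVER|MUST_CHANGE> <days left or ->
aging_report() {
    awk -F: -v today="$1" -v window="$2" '
    {
        last = $3; max = $5
        # lastchg 0 means a change is forced at next login (see -d above).
        if (last == "0") { print $1, "MUST_CHANGE", "-"; next }
        # Assumption: an empty, negative or >= 10000 maximum is treated as
        # "never", which is how chage -l displays such entries.
        if (last == "" || max == "" || max + 0 < 0 || max + 0 >= 10000) {
            print $1, "NEVER", "-"; next
        }
        left = last + max - today          # days until the password expires
        if (left < 0)            print $1, "EXPIRED", left
        else if (left <= window) print $1, "EXPIRING", left
        else                     print $1, "OK", left
    }'
}

# Constructed sample input (hashes are placeholders, not real):
#   oracle       last change 2015-08-21 (day 16668), max 999
#   grid         last change 2014-10-10 (day 16353), max 999
#   oracle_fixed state after: chage -d 9999 -E -1 -m 0 -M -1
#   backup       default maximum of 99999 days
sample_shadow() {
    cat <<'EOF'
oracle:$6$constructed:16668:1:999:7:::
grid:$6$constructed:16353:1:999:7:::
oracle_fixed:$6$constructed:9999:0:-1:7:::
backup:$6$constructed:17550:0:99999:7:::
EOF
}

# Day 17606 is 2018-03-16, the date of this note; warn 90 days ahead.
sample_shadow | aging_report 17606 90

# Against a live system, run as root:
#   aging_report "$(( $(date +%s) / 86400 ))" 90 < /etc/shadow
```

EXPIRED and EXPIRING rows are the accounts whose cron jobs are at risk; NEVER rows are the ones a password-lifetime compliance review will flag.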

From "ITPUB Blog", link: http://blog.itpub.net/267265/viewspace-2151926/. If you repost this, please credit the source; otherwise legal liability will be pursued.
