【密碼】Oracle使用者密碼系列

lhrbest發表於2016-12-02

密碼 Oracle 使用者密碼系列

1.1   BLOG 文件結構圖

wpsDDB1.tmp 

1.2   前言部分

1.2.1   導讀和注意事項

各位技術愛好者,看完本文後,你可以掌握如下的技能,也可以學到一些其它你所不知道的知識, ~O(∩_∩)O~

使用者的 9 種狀態含義 (重點)

如何解鎖賬戶

如何修改密碼無效狀態

如何獲取密碼的密文,如何利用密文修改使用者的密碼 (重點)

如何查詢失敗的登陸次數

11g 密碼大小寫問題

⑦ 11g 密碼延遲驗證

密碼複雜性校驗

 

Tips

本文在 itpub http://blog.itpub.net/26736162 )、部落格園 ( http://www.cnblogs.com/lhrbest ) 和微信公眾號( xiaomaimiaolhr 有同步更新

文章中用到的所有程式碼 相關軟體 相關資料 及本文的 pdf 版本都 請前往小麥苗的雲盤下載 小麥苗的 雲盤地址見: http://blog.itpub.net/26736162/viewspace-1624453/

若網頁文章程式碼格式有錯亂, 下載 pdf 格式的文件來 閱讀

本篇 BLOG ,程式碼輸出部分一般放在一行一列的表格中。

本文 有錯誤或不完善的地方請大家多多指正,您的批評指正是我寫作的最大動力。

 

1.2.2   本文簡介

客戶的一個賬戶密碼過期了,但是客戶設定了永不過期,問到我為什麼。我當時覺得設定了永不過期那肯定是生效的,只是這個部分的內容忘得差不多了,當時還想到可能是 resource_limit 這個引數沒有設定為 TRUE 的緣故,後來查了官方文件才知道並不是這個原因。於是下決心把這部分的內容系統學習一下,自己總結的內容分享給大家。

1.3   使用 profile 管理使用者口令

Oracle 使用者的狀態是由密碼來決定的,而 Oracle 中的密碼是由 PROFILE 來配置的。 PROFILE 是口令限制 資源限制的命令集合 當建立資料庫 Oracle 會自動建立名稱為 DEFAULT PROFILE 。當 建立 使用者 沒有指定 PROFILE 選項 Oracle 就會將 DEFAULT 分配給使用者。

通過如下的命令可以查出與密碼相關的 PROFILE 的值:

  SELECT   *

   FROM DBA_PROFILES D

  WHERE D.PROFILE =   'DEFAULT'

    AND   ( D.RESOURCE_NAME LIKE   '%PASSWORD%'   OR

        D.RESOURCE_NAME =   'FAILED_LOGIN_ATTEMPTS' );

wpsDDB2.tmp 

每個引數的含義如下所示:

l  FAILED_LOGIN_ATTEMPTS  設定登入到 Oracle 資料庫時可以失敗的次數。一旦某使用者嘗試登入資料庫的達到該值時,該使用者的帳戶就被鎖定,只能由 DBA 能解鎖。

l  PASSWORD_LIFE_TIME  設定口令的有效時間(天數),一旦超過這一時間,必須重新設口令。預設為 UNLIMITED

l  PASSWORD_REUSE_TIME  許多系統不許使用者重新啟用過去用過的口令。該資源項設定了一個失效口令要經過多少天,使用者才可以重新使用該口令,預設為 UNLIMITED

l  PASSWORD_REUSE_MAX   重新啟用一個先前用過的口令前必須對該口令進行重新設定的次數(重複用的次數)。

l  PASSWORD_LOCK_TIME  設定帳戶被鎖定的天數(當登入失敗達到 FAILED_LOGIN_ATTEMPTS 時)。

l  PASSWORD_GRACE_TIME  設定在口令失效前,給予的重新設該口令的寬限天。當口令失效之後回,在登入時會出現警告資訊顯示該天數。如果沒有在寬限天內修改口令,口令將失效。

l  PASSWORD_VERITY_FUNCTION  該資源項允許呼叫一個 PL/SQL 來驗證口令。 Oracle 已提供該應用的指令碼,為 $ORACLE_HOME/rdbms/admin/utlpwdmg.sql 。但是,使用者可以制定自己的驗證指令碼。該引數的設定就是 PL/SQL 函式的名稱,預設為 NULL

1.3.1   修改密碼為永不過期

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,profile from dba_users where username = 'LHRSYS';

 

USERNAM ACCOUNT_STATUS                  EXPIRY_DATE         PROFILE

------- ------------------------------- ------------------- ------------------------------

LHRSYS  OPEN                            2016-12-07 15:20:36 TESTPROFILE

 

SYS@lhrdb> alter user lhrsys password expire;

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,profile from dba_users where username = 'LHRSYS';

 

USERNAM ACCOUNT_STATUS                  EXPIRY_DATE         PROFILE

------- ------------------------------- ------------------- ------------------------------

LHRSYS  EXPIRED                         2016-12-02 16:36:24 TESTPROFILE

 

SYS@lhrdb> ALTER PROFILE TESTPROFILE LIMIT PASSWORD_LIFE_TIME UNLIMITED;

 

Profile altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,profile from dba_users where username = 'LHRSYS';

 

USERNAM ACCOUNT_STATUS                  EXPIRY_DATE         PROFILE

------- ------------------------------- ------------------- ------------------------------

LHRSYS  EXPIRED                         2016-12-02 16:36:24 TESTPROFILE

 

SYS@lhrdb> SELECT NB.PASSWORD FROM USER$ NB WHERE NB.NAME ='LHRSYS';

 

PASSWORD

------------------------------

F809740420A44EFC

 

SYS@lhrdb> ALTER USER LHRSYS   IDENTIFIED BY VALUES 'F809740420A44EFC';

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,profile from dba_users where username = 'LHRSYS';

 

USERNAM ACCOUNT_STATUS                  EXPIRY_DATE         PROFILE

------- ------------------------------- ------------ ------- ------------------------------

LHRSYS  OPEN                                                TESTPROFILE

 

SYS@lhrdb>

 

1.3.2   ACCOUNT_STATUS 的九種狀態

wpsDDB3.tmp 

SYS@lhrdb> SELECT * FROM USER_ASTATUS_MAP;

 

   STATUS# STATUS

---------- --------------------------------

         0 OPEN

         1 EXPIRED

         2 EXPIRED(GRACE)

         4 LOCKED(TIMED)

         8 LOCKED

         5 EXPIRED & LOCKED(TIMED)

         6 EXPIRED(GRACE) & LOCKED(TIMED)

         9 EXPIRED & LOCKED

        10 EXPIRED(GRACE) & LOCKED

 

9 rows selected.

 

 

以上九種可以分為兩大類: 1. 基本狀態; 2. 組合狀態。

前五種是基本狀態:

         0 OPEN

         1 EXPIRED

         2 EXPIRED(GRACE)

         4 LOCKED(TIMED)

         8 LOCKED

 

後四種是組合狀態:

         5 EXPIRED & LOCKED(TIMED)

         6 EXPIRED(GRACE) & LOCKED(TIMED)

         9 EXPIRED & LOCKED

        10 EXPIRED(GRACE) & LOCKED

規律是這樣的:後四種的組合狀態可以通過狀態號 STATUS# 獲得它是哪兩種狀態的組合,例如 10=2+8 10 EXPIRED(GRACE) & LOCKED = 2 EXPIRED(GRACE) + 8 LOCKED )。因此只要瞭解基本狀態的含義其他便可無師自通。

這五種基本狀態又可以分為三類: 1. 正常狀態; 2. 鎖定狀態; 3. 密碼過期狀態。

1 OPEN 表示使用者處於正常狀態。

2 )使用者被鎖定狀態, LOCKED LOCKED(TIMED) 兩種狀態都屬於鎖定狀態

使用者被鎖定一般分為兩種:一種是 DBA 顯式的通過 SQL 語句對使用者進行鎖定;另外一種是被動的鎖定,例如預設情況下如果密碼輸入錯誤超過 10 次(這個限制是由 PROFILE 中的 FAILED_LOGIN_ATTEMPTS 控制的,該資訊可以通過 DBA_PROFILES 檢視查詢),使用者將被鎖定。

wps4FAF.tmp

1.3.2.1   鎖定狀態

一、  LOCKED

顯式鎖定 LHRSYS 使用者 LOCKED 狀態演示

SELECT D.USERNAME ,

       D.ACCOUNT_STATUS ,

       D.LOCK_DATE ,

       D.EXPIRY_DATE ,

       D.PROFILE ,

       NVL ( D.PASSWORD ,

           ( SELECT NB.PASSWORD FROM USER$ NB WHERE NB.NAME = D.USERNAME ))   PASSWORD

  FROM DBA_USERS D

  WHERE D.USERNAME =   'LHRSYS' ;

wpsDDC5.tmp 

SYS@lhrdb> ALTER USER LHRSYS ACCOUNT LOCK;

 

User altered.

 

SYS@lhrdb> conn lhrsys/lhr

ERROR:

ORA-28000: the account is locked

 

 

Warning: You are no longer connected to ORACLE.

@> conn /  as sysdba

Connected.

 

SYS@lhrdb> select username, account_status,d.lock_date from dba_users d where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   LOCK_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         LOCKED                           2016-12-02 09:33:50

 

SYS@lhrdb> ALTER USER LHRSYS ACCOUNT UNLOCK;

 

User altered.

 

SYS@lhrdb> select username, account_status,d.lock_date from dba_users d where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   LOCK_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         OPEN

 

 

二、  LOCKED(TIMED)

輸入 10 次錯誤密碼後被動鎖定 LOCKED(TIMED) 狀態演示

嘗試輸入 10 次錯誤密碼後再次查詢使用者狀態。

SYS@lhrdb> SELECT * FROM Dba_Profiles d WHERE d.profile='DEFAULT' AND D.resource_name LIKE '%FAILED_LOGIN_ATTEMPTS%' ;

 

PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT

------------------------------ -------------------------------- -------- -------------------------------

DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10

 

 

SYS@lhrdb> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

Warning: You are no longer connected to ORACLE.

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-28000: the account is locked <<<<<<<<<------ 超過10 次後使用者被鎖定

 

@> CONN / AS SYSDBA

Connected.

 

SYS@lhrdb> select username, account_status,d.lock_date from dba_users d where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   LOCK_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                        LOCKED(TIMED)                    2016-12-02 09:37:20

SYS@lhrdb>

SYS@lhrdb>

 

SYS@lhrdb> ALTER USER LHRSYS ACCOUNT UNLOCK;

 

User altered.

 

SYS@lhrdb> select username, account_status,d.lock_date from dba_users d where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   LOCK_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         OPEN

 

 

1.3.2.2   過期狀態

使用者密碼過期狀態, EXPIRED EXPIRED(GRACE) 兩種狀態都屬於密碼過期狀態

wpsDDC6.tmp 

一、  EXPIRED

密碼是否過期是通過修改 PROFILE 中的 PASSWORD_LIFE_TIME 實現的,密碼過期後還可以使用的天數是通過 PROFILE 中的 PASSWORD_GRACE_TIME 控制的。

關於密碼過期我們也可以使用 SQL 顯式的去完成,簡單演示一下。

SYS@lhrdb> select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         OPEN

 

SYS@lhrdb> alter user lhrsys password expire;

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         EXPIRED                          2016-12-01 16:29:01

 

SYS@lhrdb> conn lhrsys/lhr

ERROR:

ORA-28001: the password has expired

 

 

Changing password for lhrsys

New password:

Retype new password:

Password changed

Connected.

 

LHRSYS@lhrdb> conn / as sysdba

Connected.

SYS@lhrdb> select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         OPEN

 

 

 

下面通過修改系統的日期來演示:

SYS@lhrdb> SELECT D.USERNAME,

  2         D.ACCOUNT_STATUS,

  3         D.LOCK_DATE,

  4         D.EXPIRY_DATE,

  5         D.PROFILE,

  6         NVL(D.PASSWORD,

  7             (SELECT NB.PASSWORD FROM USER$ NB WHERE NB.NAME = D.USERNAME)) PASSWORD

  8    FROM DBA_USERS D

  9   WHERE D.USERNAME = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   LOCK_DATE           EXPIRY_DATE         PROFILE                        PASSWORD

------------------------------ -------------------------------- ------------------- ------------------- ------------------------------ ------------------------------

LHRSYS                         OPEN                                                                     DEFAULT                        F809740420A44EFC

 

SYS@lhrdb> create profile TESTPROFILE LIMIT password_life_time 5 password_grace_time 0; <<<<<<<<<------ 這裡將password_grace_time 設定為 0

 

Profile created.

 

SYS@lhrdb> alter user LHRSYS profile TESTPROFILE;

 

User altered.

 

 

SYS@lhrdb>  select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-07 14:50:36

 

-- 修改系統時間

[root@orcltest ~]# date '12071450'

Wed Dec  7 14:50:00 CST 2016

[root@orcltest ~]#

系統查詢:

SYS@lhrdb>  select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:50:19

 

SYS@lhrdb>  conn LHRSYS/lhr

Connected.

LHRSYS@lhrdb>  conn LHRSYS/lhr

ERROR:

ORA-28001: the password has expired

 

 

Changing password for LHRSYS

New password:

Password unchanged

Warning: You are no longer connected to ORACLE.

 

@> conn / as sysdba

Connected.

SYS@lhrdb>  select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED                           TESTPROFILE                    2016-12-12 10:36:06

 

 

SYS@lhrdb> alter user LHRSYS identified by lhr;

 

User altered.

 

SYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-12 14:52:54

 

 

二、  EXPIRED(GRACE)

當設定了 PASSWORD_GRACE_TIME 以後,第一次成功登入後到口令到期後有多少天時間可改變口令,在這段時間內,帳戶被提醒修改口令並可以正常登陸, account_status 顯示為 EXPIRED(GRACE) expired(grace) locked(timed) 系統的 profile 來進行控制的。

SYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-07 14:09:09

 

SYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-02 14:09:32

 

 

SYS@lhrdb> ALTER PROFILE TESTPROFILE LIMIT password_grace_time 3;

 

Profile altered.

 

SYS@lhrdb>  SELECT *

  2     FROM DBA_PROFILES D

  3    WHERE D.PROFILE = 'TESTPROFILE'

  4      AND (D.RESOURCE_NAME LIKE '%PASSWORD%' OR

  5          D.RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS');

 

PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT

------------------------------ -------------------------------- -------- ----------------------------------------

TESTPROFILE                    FAILED_LOGIN_ATTEMPTS            PASSWORD DEFAULT

TESTPROFILE                    PASSWORD_LIFE_TIME               PASSWORD 5

TESTPROFILE                    PASSWORD_REUSE_TIME              PASSWORD DEFAULT

TESTPROFILE                    PASSWORD_REUSE_MAX               PASSWORD DEFAULT

TESTPROFILE                    PASSWORD_VERIFY_FUNCTION         PASSWORD DEFAULT

TESTPROFILE                    PASSWORD_LOCK_TIME               PASSWORD DEFAULT

TESTPROFILE                    PASSWORD_GRACE_TIME              PASSWORD 3

 

7 rows selected.

 

SYS@lhrdb>

 

 

-- 修改系統時間

[root@orcltest ~]# date '12071408' <<<<<<<<<------ 14:09 過期,我們設定到 14:08

Wed Dec  7 14:08:00 CST 2016

[root@orcltest ~]#

 

系統查詢:

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:08:03

 

LHRSYS@lhrdb> conn lhrsys/lhr

Connected.

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:09:06

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:09:09

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:09:11 <<<<<<<<<------ 已過了密碼有效期

 

LHRSYS@lhrdb>  select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                              TESTPROFILE                    2016-12-07 14:09:09 <<<<<<<<<------ 但該使用者的狀態未改變,下面嘗試第一次登陸

 

LHRSYS@lhrdb> conn lhrsys/lhr

ERROR:

ORA-28002: the password will expire within 3 days <<<<<<<<<------ 第一次登陸後報錯,但使用者依然可以登陸,且EXPIRY_DATE 已經變化

 

 

Connected.

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED(GRACE)                    TESTPROFILE                    2016-12-10 14:09:34

<<<<<<<<<------ 再次查詢狀態,變為了 EXPIRED(GRACE)

 

再次調整日期:

[root@orcltest ~]# date '12081430'

Thu Dec  8 14:30:00 CST 2016

 

LHRSYS@lhrdb>

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-08 14:30:12

 

LHRSYS@lhrdb>  conn lhrsys/lhr

ERROR:

ORA-28002: the password will expire within 2 days <<<<<<<<<------ 變為了2

 

 

Connected.

LHRSYS@lhrdb>

繼續更改日期:

[root@orcltest ~]# date '12101409'

Sat Dec 10 14:09:00 CST 2016

[root@orcltest ~]#

查詢:

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-10 14:09:07

 

 

LHRSYS@lhrdb> conn lhrsys/lhr

ERROR:

ORA-28002: the password will expire within 0 days <<<<<<<<<------ 變為了0

 

 

Connected.

 

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED(GRACE)                   TESTPROFILE                    2016-12-10 14:09:34

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-10 14:09:39 <<<<<<<<<------ GRACE 日期已過

 

LHRSYS@lhrdb>  conn lhrsys/lhr

ERROR:

ORA-28001: the password has expired

 

 

Changing password for lhrsys

New password:

Password unchanged

Warning: You are no longer connected to ORACLE.

 

@> conn / as sysdba

Connected.

SYS@lhrdb>

SYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED                          TESTPROFILE                    2016-12-10 14:09:34

 

SYS@lhrdb>  alter user LHRSYS identified by lhr;

 

User altered.

 

SYS@lhrdb>  select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-15 14:13:08

 

SYS@lhrdb>

 

 

1.3.2.3   組合狀態

關於四種組合狀態的解釋

因為鎖定的兩種狀態( LOCKED LOCKED(TIMED) )和密碼過期的兩種狀態( EXPIRED EXPIRED(GRACE) )之間沒有關係。因此他們之間可以任意組合, 2×2=4 ,因此有四種組合狀態:

         5 EXPIRED & LOCKED(TIMED)

         6 EXPIRED(GRACE) & LOCKED(TIMED)

         9 EXPIRED & LOCKED

        10 EXPIRED(GRACE) & LOCKED

 

一、  EXPIRED & LOCKED

EXPIRED & LOCKED 狀態表示使用者 密碼過期且 同時處於鎖定狀態

SYS@lhrdb> select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         OPEN                             2016-12-07 15:02:56

SYS@lhrdb>

SYS@lhrdb> alter user lhrsys password expire;

 

User altered.

 

SYS@lhrdb> select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED                          2016-12-02 15:11:12

 

SYS@lhrdb> alter user lhrsys  account lock;

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         EXPIRED & LOCKED                 2016-12-01 16:51:38

 

SYS@lhrdb> alter user lhrsys  account unlock;

 

User altered.

 

SYS@lhrdb>  select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         EXPIRED                          2016-12-01 16:51:38

 

SYS@lhrdb>  alter user lhrsys identified by lhr;

 

User altered.

 

SYS@lhrdb>  select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         OPEN

 

 

 

 

二、  EXPIRED & LOCKED(TIMED)

EXPIRED & LOCKED(TIMED) 狀態表示使用者 密碼 過期後,錯誤密碼嘗試次數超過 PROFILE 中的 FAILED_LOGIN_ATTEMPTS 的限制

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         OPEN

 

 

SYS@lhrdb> alter user lhrsys password expire;

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE

------------------------------ -------------------------------- -------------------

LHRSYS                         EXPIRED                          2016-12-02 10:07:27

 

SYS@lhrdb> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

Warning: You are no longer connected to ORACLE.

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> conn / as sysdba

Connected.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED & LOCKED(TIMED)          2016-12-02 10:07:27 2016-12-02 10:09:03

 

SYS@lhrdb>

SYS@lhrdb> alter user lhrsys  account unlock;

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED                          2016-12-02 10:07:27

 

SYS@lhrdb> alter user lhrsys identified by lhr;

 

User altered.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         OPEN

 

SYS@lhrdb>

 

 

 

三、  EXPIRED(GRACE) & LOCKED

EXPIRED(GRACE) & LOCKED 狀態表示使用者在密碼過期後的有效期內被 DBA 手工鎖定。

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-07 14:39:20

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:39:17

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:39:25

 

 

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-07 14:39:20

 

LHRSYS@lhrdb> conn lhrsys/lhr

ERROR:

ORA-28002: the password will expire within 3 days

 

 

Connected.

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED(GRACE)                   TESTPROFILE                    2016-12-10 14:39:54

 

LHRSYS@lhrdb> alter user lhrsys account lock;

 

User altered.

 

SYS@lhrdb>  select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED(GRACE) & LOCKED           2016-12-10 14:39:54   2016-12-07 14: 40 :20

 

 

LHRSYS@lhrdb> alter user lhrsys account unlock;

 

User altered.

 

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED(GRACE)                    TESTPROFILE                    2016-12-10 14:39:54

 

LHRSYS@lhrdb>  alter user LHRSYS identified by lhr;

 

User altered.

 

LHRSYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-12 14:40:46

 

LHRSYS@lhrdb>

 

四、  EXPIRED(GRACE) & LOCKED(TIMED)

EXPIRED(GRACE) & LOCKED(TIMED) 狀態表示使用者在密碼過期後的有效期內, 失敗 登入次數超過 PROFILE 中的 FAILED_LOGIN_ATTEMPTS 的限制

SYS@lhrdb>  select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         OPEN                             2016-12-07 14:50:06

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-02 14:50:13

 

修改系統日期:

[root@orcltest ~]# date '12071450'

Wed Dec  7 14:50:00 CST 2016

[root@orcltest ~]#

查詢:

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:50:03

 

LHRSYS@lhrdb> select sysdate from dual;

 

SYSDATE

-------------------

2016-12-07 14:50:12

 

SYS@lhrdb>  select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         OPEN                             2016-12-07 14:50:06

 

LHRSYS@lhrdb> conn lhrsys/lhr

ERROR:

ORA-28002: the password will expire within 3 days

 

 

Connected.

SYS@lhrdb>  select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED(GRACE)                    2016-12-10 14:50:21

 

LHRSYS@lhrdb> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

Warning: You are no longer connected to ORACLE.

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

 

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> @> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-28000: the account is locked

 

 

@> conn / as sysdba

Connected.

SYS@lhrdb> select username,account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED(GRACE) & LOCKED(TIMED)    2016-12-10 14:50:21   2016-12- 07 14:5 3 : 30

 

 

SYS@lhrdb> alter user lhrsys account unlock;

 

User altered.

 

SYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         EXPIRED(GRACE)                   TESTPROFILE                    2016-12-10 14:50:21

 

SYS@lhrdb>  alter user LHRSYS identified by lhr;

 

User altered.

 

SYS@lhrdb> select username,account_status,profile,EXPIRY_DATE from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   PROFILE                        EXPIRY_DATE

------------------------------ -------------------------------- ------------------------------ -------------------

LHRSYS                         OPEN                             TESTPROFILE                    2016-12-1 2 14:5 5 :04

 

 

 

1.3.3   在不知道使用者密碼的情況下如何更改密碼

O racle 若使用者的密碼變為鎖定狀態( LOCKED LOCKED(TIMED) )則 DBA 直接執行 ALTER USER 使用者名稱 ACCOUNT UNLOCK 就可以 解鎖了。 但是 如果 使用者的狀態 變成 過期 狀態 EXPIRED EXPIRED(GRACE) ), DBA 必須要更改 使用者的 密碼賬戶才能重新使用 但有些時候 因為各種原因並不知道原密碼的明文是什麼 這時候 可以有如下 2 種辦法來更新密碼。

1.3.3.1   用原密碼的密文來更改密碼

Oracle 10g 中, DBA_USERS 檢視的 PASSWORD 欄位提供了密碼的密文形式,而在 Oracle 11g 中,該欄位被棄用了,內容為空,但是在基表 USER$ 中的 PASSWORD 欄位依然有記錄密文形式,所以可以通過如下的形式來獲取密碼的密文形式:

SELECT D.USERNAME ,

       D.ACCOUNT_STATUS ,

       D.LOCK_DATE ,

       D.EXPIRY_DATE ,

       D.PROFILE ,

       NVL ( D.PASSWORD ,

           ( SELECT NB.PASSWORD FROM USER$ NB WHERE NB.NAME = D.USERNAME ))   PASSWORD

  FROM DBA_USERS D

  WHERE D.USERNAME =   'LHRSYS' ;

wpsDDD6.tmp 

另外,可以通過 DBMS_METADATA.GET_DDL 包或者 expdp exp 命令來獲取建立使用者的語句從而獲取密碼的密文形式:

SYS@lhrdb> set long 9999

SYS@lhrdb> SELECT DBMS_METADATA.GET_DDL('USER', 'LHRSYS') DDL_SQL FROM DUAL;

 

DDL_SQL

--------------------------------------------------------------------------------

 

   CREATE USER "LHRSYS" IDENTIFIED BY VALUES 'S:853EA80BAE11F79D6946453F38059E30313FE84C96AE2EE4F3AA35A648BD; F809740420A44EFC '

      DEFAULT TABLESPACE "USERS"

      TEMPORARY TABLESPACE "TEMP"

 

 

SYS@lhrdb>

SYS@lhrdb>

 

 

獲取了密碼的密文後就可以用如下的命令來修改了,注意:使用密文的命令中多了一個 values 關鍵字:

SYS@lhrdb>

SYS@lhrdb> alter user LHRSYS identified by values 'F809740420A44EFC';

 

User altered.

 

SYS@lhrdb> CONN  LHRSYS/lhr@192.168.59.129/lhrdb

Connected.

LHRSYS@192.168.59.129/lhrdb> conn / as sysdba

Connected.

SYS@lhrdb> alter user LHRSYS identified by values 'S:853EA80BAE11F79D6946453F38059E30313FE84C96AE2EE4F3AA35A648BD;F809740420A44EFC';

 

User altered.

 

SYS@lhrdb> CONN  LHRSYS/lhr@192.168.59.129/lhrdb

Connected.

LHRSYS@192.168.59.129/lhrdb>

 

 

這種情況下 雖然我們不知道原密碼是什麼 但可以用它的密文來更改密碼 這樣 在不知道原密碼的情況下 既保持了密碼不改變 又可以把 expired 的狀態更改掉

MOS The Impact of PASSWORD_LIFE_TIME Database Profile Parameter Default to 180 Days on Network Charging and Control ( 文件 ID 1543668.1) 中搜到了如下的命令也可以直接獲取密碼:

SELECT SQLTEXT

  FROM   ( SELECT   NAME ,

               'alter user '   ||   NAME   ||   ' identified by values '''   ||

               PASSWORD   ||   ''';' SQLTEXT

          FROM USER$

         WHERE SPARE4 IS   NULL

           AND   PASSWORD   IS   NOT   NULL

        UNION

        SELECT   NAME ,

               'alter user '   ||   NAME   ||   ' identified by values '''   || SPARE4 ||   ';'   ||

               PASSWORD   ||   ''';' SQLTEXT

          FROM USER$

         WHERE SPARE4 IS   NOT   NULL

           AND   PASSWORD   IS   NOT   NULL )

  WHERE   NAME   =   'LHRSYS' ;

SYS@lhrdb> SELECT SQLTEXT

  2    FROM (SELECT NAME,

  3                 'alter user ' || NAME || ' identified by values ''' ||

  4                 PASSWORD || ''';' SQLTEXT

  5            FROM USER$

  6           WHERE SPARE4 IS NULL

  7             AND PASSWORD IS NOT NULL

  8          UNION

  9          SELECT NAME,

10                 'alter user ' || NAME || ' identified by values ''' || SPARE4 || ';' ||

11                 PASSWORD || ''';' SQLTEXT

12            FROM USER$

13           WHERE SPARE4 IS NOT NULL

14             AND PASSWORD IS NOT NULL)

15   WHERE NAME = 'LHRSYS';

 

SQLTEXT

------------------------------------------

alter user LHRSYS identified by values 'S:853EA80BAE11F79D6946453F38059E30313FE84C96AE2EE4F3AA35A648BD;F809740420A44EFC';

 

 

1.3.3.2   直接更新 USER$ 基表

不管使用者的狀態是什麼,通過更新 USER$ 表可以讓使用者處於 OPEN 狀態:

SYS@lhrdb> select username, account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         EXPIRED                          2016-12-02 10:40:09

 

SYS@lhrdb> UPDATE USER$ SET ASTATUS=0 WHERE NAME='LHRSYS';

 

1 row updated.

 

SYS@lhrdb> commit; <<<<<<<<<------ 及時提交

 

Commit complete.

 

SYS@lhrdb> select username, account_status,EXPIRY_DATE,lock_date from dba_users where username = 'LHRSYS';

 

USERNAME                       ACCOUNT_STATUS                   EXPIRY_DATE         LOCK_DATE

------------------------------ -------------------------------- ------------------- -------------------

LHRSYS                         OPEN

 

SYS@lhrdb>

 

 

1.3.4   user$.lCOUNT 列記錄了失敗的登陸次數

登入失敗, lcount 1 ;只要成功登入後, lcount 欄位就會置 0

SYS@lhrdb> select NAME,LCOUNT  from user$ a WHERE a.NAME='LHRSYS';

 

NAME                               LCOUNT

------------------------------ ----------

LHRSYS                                  0

 

SYS@lhrdb> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

Warning: You are no longer connected to ORACLE.

@> CONN  LHRSYS/XXXX@192.168.59.129/lhrdb

ERROR:

ORA-01017: invalid username/password; logon denied

 

 

@> conn / as sysdba

Connected.

SYS@lhrdb> select NAME,LCOUNT  from user$ a WHERE a.NAME='LHRSYS';

 

NAME                               LCOUNT

------------------------------ ----------

LHRSYS                                  2

 

SYS@lhrdb>

SYS@lhrdb> CONN  LHRSYS/lhr

Connected.

LHRSYS@lhrdb> conn / as sysdba

Connected.

SYS@lhrdb> select NAME,LCOUNT  from user$ a WHERE a.NAME='LHRSYS';

 

NAME                               LCOUNT

------------------------------ ----------

LHRSYS                                  0

 

SYS@lhrdb>

 

 

另外,審計表也記錄了登陸失敗的資訊:

SELECT d.username , d.timestamp , d.action_name , d.os_username , d.terminal

  FROM DBA_AUDIT_TRAIL D

  WHERE D.RETURNCODE =   1017

   AND D.USERNAME =   'LHRSYS'

  ORDER   BY d.timestamp DESC   ;

wpsDDD7.tmp 

 

1.3.5   11g 密碼區分大小寫 --sec_case_sensitive_logon

Property

Description

Parameter type

Boolean

Default value

true

Modifiable

ALTER SYSTEM

Range of values

true | false

Basic

No

Oracle 11g 開始,密碼區分大小寫,採用引數 sec_case_sensitive_logon 控制,該引數預設為 TRUE

 

SEC_CASE_SENSITIVE_LOGON enables or disables password case sensitivity in the database.

Values:

true Database logon passwords are case sensitive.

false Database logon passwords are not case sensitive.

 

1.3.6   密碼延遲驗證

11g 開始,如果一個使用者使用不正確的密碼嘗試登入資料庫,那麼隨著登入失敗次數的增加,每次登入驗證前延遲等待的時間也會增加。

 

通過設定 EVENTS 28401 可以遮蔽密碼延遲驗證:

SQL> ALTER SYSTEM SET EVENT = '28401 TRACE NAME CONTEXT FOREVER, LEVEL 1' SCOPE = SPFILE

 

設定該事件後重啟資料庫即可。

[oracle@orcltest ~]$ oerr ora 28401

28401, 00000, "Event to disable delay after three failed login attempts"

// *Document: NO

// *Cause: N/A

// *Action: Set this event in your environment to disable the login delay

//          which will otherwise take place after three failed login attempts.

// *Note: THIS IS NOT A USER ERROR NUMBER/MESSAGE. THIS DOES NOT NEED TO BE

//        TRANSLATED OR DOCUMENTED.

[oracle@orcltest ~]$

 

 

1.3.7   哪些使用者密碼沒有被修改過

Oracle 11g 中對於安全方面進行了很大的改進,比如增加了密碼大小寫驗證,增加了密碼複雜度的驗證等等。在 Oracle 11g 中還提供了一個檢視 DBA_USERS_WITH_DEFPWD 用來指出那些使用者的密碼沒有被修改過,仍然是資料庫預設密碼。 Oracle 並不是簡單的監測是否密碼被修改,而是檢查密碼是否修改為別的值,如果新密碼和舊密碼保持一致,那麼即使密碼被修改,這個使用者仍然在 DBA_USERS_WITH_DEFPWD 檢視中。

SELECT   *   FROM DBA_USERS_WITH_DEFPWD ;

wpsDDD8.tmp 

 

1.3.8   密碼複雜性校驗

指令碼位置: $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

wpsDDD9.tmp

[oracle@orcltest ~]$ ll $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

-rw-r--r-- 1 oracle oinstall 11555 Aug 13  2006 /u02/app/oracle/product/11.2.0/dbhome_1/rdbms/admin/utlpwdmg.sql

[oracle@orcltest ~]$

 

SYS@lhrdb> @?/rdbms/admin/utlpwdmg.sql

 

Function created.

 

 

Profile altered.

 

 

Function created.

 

SYS@lhrdb>

 

 

該指令碼中有如下的一段:

ALTER PROFILE DEFAULT LIMIT

PASSWORD_LIFE_TIME 180

PASSWORD_GRACE_TIME 7

PASSWORD_REUSE_TIME UNLIMITED

PASSWORD_REUSE_MAX UNLIMITED

FAILED_LOGIN_ATTEMPTS 10

PASSWORD_LOCK_TIME 1

PASSWORD_VERIFY_FUNCTION verify_function_11G;

 

更改之後檢視:

SYS@lhrdb> SELECT * FROM Dba_Profiles d WHERE d.profile='DEFAULT';

 

PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT

------------------------------ -------------------------------- -------- ----------------------------------------

DEFAULT                        COMPOSITE_LIMIT                  KERNEL   UNLIMITED

DEFAULT                        SESSIONS_PER_USER                KERNEL   UNLIMITED

DEFAULT                        CPU_PER_SESSION                  KERNEL   UNLIMITED

DEFAULT                        CPU_PER_CALL                     KERNEL   UNLIMITED

DEFAULT                        LOGICAL_READS_PER_SESSION        KERNEL   UNLIMITED

DEFAULT                        LOGICAL_READS_PER_CALL           KERNEL   UNLIMITED

DEFAULT                        IDLE_TIME                        KERNEL   UNLIMITED

DEFAULT                        CONNECT_TIME                     KERNEL   UNLIMITED

DEFAULT                        PRIVATE_SGA                      KERNEL   UNLIMITED

DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10

DEFAULT                        PASSWORD_LIFE_TIME               PASSWORD 180

DEFAULT                        PASSWORD_REUSE_TIME              PASSWORD UNLIMITED

DEFAULT                        PASSWORD_REUSE_MAX               PASSWORD UNLIMITED

DEFAULT                        PASSWORD_VERIFY_FUNCTION         PASSWORD VERIFY_FUNCTION_11G

DEFAULT                        PASSWORD_LOCK_TIME               PASSWORD 1

DEFAULT                        PASSWORD_GRACE_TIME              PASSWORD 7

 

16 rows selected.

 

SYS@lhrdb> create user lhrpwd identified by lhr;

create user lhrpwd identified by lhr

*

ERROR at line 1:

ORA-28003: password verification for the specified password failed

ORA-20001: Password length less than 8

 

 

SYS@lhrdb>

SYS@lhrdb> alter profile default limit PASSWORD_VERIFY_FUNCTION null; <<<<<<<<<------ 取消複雜性驗證

 

Profile altered.

 

SYS@lhrdb> create user lhrpwd identified by lhr;

 

User created.

 

SYS@lhrdb> alter profile default limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G; <<<<<<<------ 啟用密碼複雜性驗證

 

Profile altered.

 

SYS@lhrdb>

 

 

 

1.3.9   resource_limit

官方文件資料:

To create a profile, you must have the CREATE PROFILE system privilege.

To specify resource limits for a user, you must:

?Enable resource limits dynamically with the ALTER SYSTEM statement or with the initialization parameter RESOURCE_LIMIT. This parameter does not apply to password resources. Password resources are always enabled.

?Create a profile that defines the limits using the CREATE PROFILE statement

?Assign the profile to the user using the CREATE USER or ALTER USER statement

 

1) 使用者所有擁有的 PROFILE 中有關密碼的限制永遠生效,不受限制。
2 )使用者所有擁有的 PROFILE 中有關資源的限制與 resource_limit 引數的設定有關,當為 TRUE 時生效,當為 FALSE 時(預設值是 FALSE )無效。







About Me

...............................................................................................................................

● 本文作者:小麥苗,只專注於資料庫的技術,更注重技術的運用

● 本文在itpub(http://blog.itpub.net/26736162)、部落格園(http://www.cnblogs.com/lhrbest)和個人微信公眾號(xiaomaimiaolhr)上有同步更新

● 本文itpub地址:http://blog.itpub.net/26736162/viewspace-2129595/

● 本文部落格園地址:http://www.cnblogs.com/lhrbest/p/6127710.html

● 本文pdf版及小麥苗雲盤地址:http://blog.itpub.net/26736162/viewspace-1624453/

● 資料庫筆試面試題庫及解答:http://blog.itpub.net/26736162/viewspace-2134706/

● QQ群:230161599     微信群:私聊

● 聯絡我請加QQ好友(646634621),註明新增緣由

● 於 2016-12-01 15:00 ~ 2016-12-02 23:00 在魔都完成

● 文章內容來源於小麥苗的學習筆記,部分整理自網路,若有侵權或不當之處還請諒解

● 版權所有,歡迎分享本文,轉載請保留出處

...............................................................................................................................

拿起手機使用微信客戶端掃描下邊的左邊圖片來關注小麥苗的微信公眾號:xiaomaimiaolhr,掃描右邊的二維碼加入小麥苗的QQ群,學習最實用的資料庫技術。

【密碼】Oracle使用者密碼系列
DBA筆試面試講解
歡迎與我聯絡

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/26736162/viewspace-2129595/,如需轉載,請註明出處,否則將追究法律責任。

相關文章