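Oracle users can be authenticated in two ways:
- Operating system authentication (the user must belong to the local DBA group; the user then logs in to Oracle through OS authentication and can start the database)
- Password file authentication
Which authentication method Oracle uses is determined by two parameters:
1. remote_login_passwordfile=none|exclusive|shared
- none: password file authentication is not used. Choosing this value effectively masks the contents of the password file.
- exclusive: password file authentication is required, and the password file is used exclusively by this instance (the default)
- shared: password file authentication is required, and DBA users of different instances can share the password file
2. Located in $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES=none|all|nts
- none: disables OS authentication; only password authentication is possible
- all: for Linux/Unix platforms; disables local password file authentication and uses OS authentication
- nts: for Windows platforms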
Testing remote login when the password file is lost

```
$ rm -rf $ORACLE_HOME/dbs/orapw$ORACLE_SID
$ sqlplus sys/mypna123@userdata as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Sep 12 17:01:15 2017

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
$ orapwd file=orapw$ORACLE_SID password=mypna123 entries=3
$ sqlplus sys/mypna123@userdata as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Sep 12 17:11:18 2017

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SYS@userdata>
```

As shown, with the default configuration, once the password file is lost it is not possible to log in to the database remotely; the database can only be logged in to after local OS authentication.
Testing remote_login_passwordfile set to exclusive and AUTHENTICATION_SERVICES set to none

```
SYS@userdata>show parameter remote_login_passwordfile;

NAME                                 TYPE                              VALUE
------------------------------------ --------------------------------- ------------------------------
remote_login_passwordfile            string                            EXCLUSIVE

$ echo "SQLNET.AUTHENTICATION_SERVICES=NONE" >> $ORACLE_HOME/network/admin/sqlnet.ora
$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Sep 12 17:21:36 2017

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
$ sqlplus sys/mypna123@userdata as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Sep 12 17:21:41 2017

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SYS@userdata>
```

As shown, with remote_login_passwordfile set to exclusive and AUTHENTICATION_SERVICES set to none, the database can only use password file authentication.
Testing remote_login_passwordfile set to exclusive and AUTHENTICATION_SERVICES set to all

```
SYS@userdata>show parameter remote_login_passwordfile;

NAME                                 TYPE                              VALUE
------------------------------------ --------------------------------- ------------------------------
remote_login_passwordfile            string                            EXCLUSIVE

$ cat $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES=ALL
$ sqlplus sys/mypna123@userdata as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Sep 12 23:17:54 2017

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

ERROR:
ORA-12641: Authentication service failed to initialize

Enter user-name:
$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Tue Sep 12 23:18:05 2017

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SYS@userdata>
```

As shown, with remote_login_passwordfile set to exclusive and AUTHENTICATION_SERVICES set to all, login on the local machine supports only OS authentication and does not support password file authentication. Neither ordinary users nor the sys user can log in locally. Remote login, however, is not restricted.
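The three tests above can be folded into one pre-change check, written here as an added example that is not part of the original post: it reads sqlnet.ora, takes the remote_login_passwordfile value and the password file path, and reports which SYSDBA login paths remain for connections made from the database host, so a combination that leaves none is caught before it is applied. The function names and sample file are constructed, and using the last occurrence of a repeated parameter is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the behaviour the page's
# tests observed on the database host; function names are hypothetical.

# Print SQLNET.AUTHENTICATION_SERVICES from a sqlnet.ora file, upper-cased and
# without spaces or parentheses. Prints DEFAULT when the parameter is not set.
# Assumption: if the parameter appears more than once, the last line is used.
auth_services() {
    v=$(sed -e 's/#.*//' "$1" 2>/dev/null |
        tr 'a-z' 'A-Z' | tr -d ' \t()\r' |
        sed -n 's/^SQLNET\.AUTHENTICATION_SERVICES=//p' | tail -n 1)
    echo "${v:-DEFAULT}"
}

# sysdba_paths SQLNET_ORA REMOTE_LOGIN_PASSWORDFILE_VALUE PASSWORD_FILE
# Prints "os=<yes|no> pwfile=<yes|no>".
sysdba_paths() {
    svc=$(auth_services "$1")
    rlpf=$(echo "$2" | tr 'a-z' 'A-Z')
    os=yes
    pw=yes
    case "$svc" in
        NONE) os=no ;;  # OS authentication off: "sqlplus / as sysdba" fails
        ALL)  pw=no ;;  # per the page: local login is OS authentication only
    esac
    # remote_login_passwordfile=none masks the password file
    if [ "$rlpf" = "NONE" ]; then pw=no; fi
    # a missing or empty password file gives ORA-01031, as in the first test
    if [ ! -s "$3" ]; then pw=no; fi
    echo "os=$os pwfile=$pw"
}

# Constructed demo: OS authentication disabled and no password file present,
# so no SYSDBA login path is left (prints "os=no pwfile=no").
demo=$(mktemp -d)
printf '# constructed sample\nSQLNET.AUTHENTICATION_SERVICES = (NONE)\n' \
    > "$demo/sqlnet.ora"
sysdba_paths "$demo/sqlnet.ora" EXCLUSIVE "$demo/orapwuserdata"
rm -rf "$demo"

# Real use, with the paths named on this page:
# sysdba_paths "$ORACLE_HOME/network/admin/sqlnet.ora" EXCLUSIVE \
#     "$ORACLE_HOME/dbs/orapw$ORACLE_SID"
```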
Checking which users have the sysdba privilege

```
SYS@userdata>grant sysdba to scott;

Grant succeeded.

SYS@userdata>select * from v$pwfile_users;

USERNAME                                 SYSDBA          SYSOPER
---------------------------------------- --------------- ---------------
SYS                                      TRUE            TRUE
SCOTT                                    TRUE            FALSE
```