Shulou (Shulou.com), 05/31; updated 2025-03-26.
This article explains the effects of the three values of the REMOTE_LOGIN_PASSWORDFILE parameter on the system.
In some cases the REMOTE_LOGIN_PASSWORDFILE parameter can be used to enhance the security of the system by prohibiting users with SYSDBA or SYSOPER privileges from logging in to the database from a client. This comes at the cost of management convenience, so it should be used as appropriate.
1. Reference information
Description of the REMOTE_LOGIN_PASSWORDFILE parameter in the official documentation:
http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/initparams179.htm#REFRN10184
2. Analysis of the REMOTE_LOGIN_PASSWORDFILE parameter default value and its behavior characteristics
1) The default value of the REMOTE_LOGIN_PASSWORDFILE parameter is EXCLUSIVE
sys@ora10g> show parameter REMOTE_LOGIN_PASSWORDFILE
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      EXCLUSIVE
2) Attempt to grant SYSDBA privileges to the ordinary user secooler
sys@ora10g> grant sysdba to secooler;
grant sysdba to secooler
*
ERROR at line 1:
ORA-01994: GRANT failed: password file missing or disabled
The error is reported because the password file is missing: granting SYSDBA requires updating the password file.
3) Manually create the missing password file
ora10g@secdb /home/oracle$ cd $ORACLE_HOME/dbs
ora10g@secdb /oracle/app/oracle/product/10.2.0/db_1/dbs$
ora10g@secdb /oracle/app/oracle/product/10.2.0/db_1/dbs$ orapwd file=orapwora10g password=oracle entries=10
4) The SYSDBA grant succeeds on the second attempt
sys@ora10g> grant sysdba to secooler;
Grant succeeded.
5) Changes in the password file
The authorization information is now recorded in the password file.
ora10g@secdb /oracle/app/oracle/product/10.2.0/db_1/dbs$ strings orapwora10g
]\ [Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
SECOOLER
034E4342BB2D437D
The last two lines of information are the new content.
6) Client connectivity test
$ sqlplus secooler/secooler@ora10g as sysdba
SQL*Plus: Release 10.2.0.3.0-Production on Tuesday December 21 21:48:34 2010
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0-64bit Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
SQL> show user
USER is "SYS"
SQL>
Note that although we logged in to the database as the ordinary user secooler, the effective user name is SYS. We can therefore manage the database this way, which is the convenience.
7) Test: manually removing the password file
If we delete the password file at this point, the client can no longer connect to the database with SYSDBA privileges.
$ sqlplus secooler/secooler@ora10g as sysdba
SQL*Plus: Release 10.2.0.3.0-Production on Tuesday December 21 21:53:50 2010
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
ERROR:
ORA-01031: insufficient privileges
Please enter a user name:
Therefore, it is the REMOTE_LOGIN_PASSWORDFILE parameter together with the password file that allows a client to log on to the system with SYSDBA privileges.
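An added example (not from the original article): a small POSIX shell audit that lists the names recorded in the password file from the `strings` output shown in step 5 and flags any that are not on an allowlist. It assumes a name is a non-hex line directly followed by a 16-hex-digit line; the function names, the allowlist and the sample input are constructed here, and `V$PWFILE_USERS` remains the authoritative list inside the database.

```sh
#!/bin/sh
# Added example, not from the original article.
# Assumption: in `strings` output of the password file, a grantee name is a
# non-hex line directly followed by a 16-hex-digit line (layout from step 5).

# pwfile_names: read `strings` output on stdin, print one recorded name per line.
pwfile_names() {
  awk '
    length($0) == 16 && $0 ~ /^[0-9A-F]+$/ {
      # A hash line: the line before it is a name unless it was a hash too.
      if (prev != "" && !prev_is_hash) print prev
      prev_is_hash = 1; prev = $0; next
    }
    { prev_is_hash = 0; prev = $0 }
  '
}

# unexpected_names ALLOWED...: print names on stdin missing from the allowlist.
unexpected_names() {
  allowed=$(printf '%s\n' "$@")
  # grep exits 1 when nothing is unexpected; treat that as success.
  grep -vxF -e "$allowed" || [ $? -eq 1 ]
}

# Constructed sample mirroring the page's layout; hash values are placeholders.
sample_strings_output() {
  cat <<'EOF'
ORACLE Remote Password file
INTERNAL
0000000000000001
0000000000000002
SECOOLER
0000000000000003
EOF
}

# Real use (path from the page):
#   strings "$ORACLE_HOME/dbs/orapwora10g" | pwfile_names | unexpected_names INTERNAL
sample_strings_output | pwfile_names | unexpected_names INTERNAL   # prints SECOOLER
```

Running it after every grant or revoke, and after any change of the parameter, shows whether the file still carries an entry that should have been removed.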
3. Analysis of the REMOTE_LOGIN_PASSWORDFILE parameter NONE value and its behavior characteristics
1) Set the parameter REMOTE_LOGIN_PASSWORDFILE to NONE
sys@ora10g> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
sys@ora10g> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ora10g> startup
ORACLE instance started.
Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
sys@ora10g> show parameter REMOTE_LOGIN_PASSWORDFILE
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      NONE
2) After the change, the client can no longer initiate a SYSDBA connection
$ sqlplus secooler/secooler@ora10g as sysdba
SQL*Plus: Release 10.2.0.3.0-Production on Tuesday December 21 22:00:02 2010
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Please enter a user name:
3) Granting and revoking SYSDBA is also prohibited
(1) Grant test
sys@ora10g> grant sysdba to secooler;
grant sysdba to secooler
*
ERROR at line 1:
ORA-01994: GRANT failed: password file missing or disabled
Note that the cause of the error here is not a missing password file, unlike the earlier occurrence of this error.
(2) Revoke test
sys@ora10g> revoke sysdba from secooler;
Revoke succeeded.
Although the revoke is reported as successful, it does not actually take effect and is an invalid operation. The following demonstrates this.
Set the parameter back to EXCLUSIVE:
sys@ora10g> alter system set remote_login_passwordfile=EXCLUSIVE scope=spfile;
System altered.
sys@ora10g> startup force
ORACLE instance started.
Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
At this point, the client can still log in successfully.
$ sqlplus secooler/secooler@172.17.193.211ora10g as sysdba
SQL*Plus: Release 10.2.0.3.0-Production on Tuesday December 21 22:06:05 2010
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0-64bit Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
SQL> show user
USER is "SYS"
SQL>
SQL> show parameter REMOTE_LOGIN_PASSWORDFILE
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      EXCLUSIVE
Conclusion: this proves that revoking SYSDBA privileges while the REMOTE_LOGIN_PASSWORDFILE parameter is NONE has no effect.
4. Analysis of the REMOTE_LOGIN_PASSWORDFILE parameter SHARED value and its behavior characteristics
1) Set the parameter REMOTE_LOGIN_PASSWORDFILE to SHARED
sys@ora10g> alter system set remote_login_passwordfile=shared scope=spfile;
System altered.
sys@ora10g> startup force
ORACLE instance started.
Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
sys@ora10g> show parameter remote_login_passwordfile
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      SHARED
2) In this mode, client connections are not restricted
$ sqlplus secooler/secooler@ora10g as sysdba
SQL*Plus: Release 10.2.0.3.0-Production on Tuesday December 21 22:08:04 2010
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0-64bit Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
SQL>
SQL> show user
USER is "SYS"
3) Granting and revoking SYSDBA privileges on the server side is not allowed
sys@ora10g> grant sysdba to secooler;
grant sysdba to secooler
*
ERROR at line 1:
ORA-01999: password file cannot be updated in SHARED mode
sys@ora10g> revoke sysdba from secooler;
revoke sysdba from secooler
*
ERROR at line 1:
ORA-01999: password file cannot be updated in SHARED mode
5. Summary
Here is a summary of the behavior when the REMOTE_LOGIN_PASSWORDFILE parameter takes different values. The parameter can have three values: EXCLUSIVE (default), NONE, and SHARED.
1) When the value is EXCLUSIVE
Clients are allowed to log in to the database instance with SYSDBA or SYSOPER privileges to perform database management operations.
Granting and revoking SYSDBA or SYSOPER privileges is allowed.
2) When the value is NONE
Clients are prohibited from logging in to the database instance with SYSDBA or SYSOPER privileges to perform database management operations.
Granting and revoking SYSDBA or SYSOPER privileges is prohibited.
3) When the value is SHARED
Clients are allowed to log in to the database instance with SYSDBA or SYSOPER privileges to perform database management operations.
Granting and revoking SYSDBA or SYSOPER privileges is prohibited.
The above is the impact of the REMOTE_LOGIN_PASSWORDFILE parameter on the system under its different values (this article uses the SYSDBA privilege as the example; the SYSOPER privilege behaves the same way). Each value has its own application scenario, and the choice should be made according to the scenario.