Oracle authentication

Secure External Password Store using wallet

January 5, 2012 oracle, security No comments

Oracle Wallet的使用

最近看到一封邮件,该网友提出了如下需求:


This is not exactly an Oracle question, but I am asking it here in case
someone has solved this. We have alot of jobs that log into our Oracle
databases. Some of them use ops$oracle accounts. In the future we are not
allowed to use ops$oracle and need to provide passwords. I am trying to
find a method, or program/script that allows us to do the following.
1. store oracle passwords in unix in a lock box
2. only given processes and users can access specific passwords
3. program/process/script has customizable logic that only lets specific jobs access the password.
4. We are mainly using Cron for our jobs, but may be using some other job schedulers in the future that have morefeatures.
5. you cannot access the passwords from a user account

这种需求用oracle wallet实现是一个不错的选择

oracle wallet是一个加密的RKCS#12文件

PKCS #12

An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that describes a transfer syntax for storing and transferring personal authentication credentials—typically in a format called a wallet.

创建wallet的方法分别有如下几种:

–> 手动调用OWM 进行GUI图形界面进行操作
–> 手工运行mkstore命令创建
–> alter system set encryption key identified by “xxxxx”;

现在我们用mkstroe的方法测试一下wallet

环境:服务器端11.2.0.2 ,client 端10.2.0.5

服务器端:

[oracle@testdb admin]$ cat sqlnet.ora

#SQLNET.INBOUND_CONNECT_TIMEOUT = 120
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /data/oracle/product/11202/db1/network/admin)
)
)

SQLNET.WALLET_OVERRIDE = TRUE
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

SQLNET.WALLET_OVERRIDE = TRUE设置将会使wallet认证优先于任何存在的os认证,下面我们来创建一个wallet


mkstore -wrl /data/oracle/product/11202/db1/network/admin -create
Oracle Secret Store Tool : Version 11.2.0.2.0 – Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter password:
PKI-01002: Invalid password.
Enter password:
PKI-01002: Invalid password.

这里提示密码格式错误,我们使用www.vmcd.org作为password

[oracle@testdb admin]$ mkstore -wrl /data/oracle/product/11202/db1/network/admin -create
Oracle Secret Store Tool : Version 11.2.0.2.0 – Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:

在11gR2中,可以通过下面command 使用auto login local属性,设置此属性后直接cp的wallet文件将无法远程登陆

orapki wallet create -wallet “/u01/app/oracle/…” -pwd “mypassword” -auto_login_local


The external security module can use wallets with the automatic login feature enabled. These wallets remain open all the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.

You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created.

下面我们继续创建wallet连接用户

[oracle@testdb admin]$ cat tnsnames.ora
www238 =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(service = wwf238 )
)
)
wuxuan1 =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(sid = wuxuan1)
)
)

huali =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(sid = huali)
)
)

使用huali字符串连接liu的用户

[oracle@testdb admin]$ sqlplus ‘/as sysdba’

SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 5 09:31:43 2012

Copyright (c) 1982, 2010, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> create user liu identified by liu account unlock;

User created.

SQL> grant dba to liu;

Grant succeeded.

SQL> !

mkstore -wrl $ORACLE_HOME/network/admin/ -createCredential huali liu “liu”
mkstore -wrl $ORACLE_HOME/network/admin/ -listCredential
Oracle Secret Store Tool : Version 11.2.0.2.0 – Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
1: huali liu

连接目标数据库

[oracle@testdb admin]$ sqlplus /@huali

SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 5 10:47:11 2012

Copyright (c) 1982, 2010, Oracle. All rights reserved.

Error accessing PRODUCT_USER_PROFILE
Warning: Product user profile information not loaded!
You may need to run PUPBLD.SQL as SYSTEM

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is “LIU”
SQL>

注意:如果user修改了password 那么wallet里面的password 需要相应修改:

mkstore -wrl -modifyCredential mkstore -wrl -deleteCredential

对于wallet的管理我们可以使用owm图形工具,下图显示使用auto login登陆:

[oracle@testdb admin]$ owm
Done.

手动关闭和开启wallet

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY “password”
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY “password”

客户端连接测试:

mkstore -wrl /data/oracle/product/10.2/db1/network/admin -create
Enter password:
Enter password again:

[oracle@testdb2 admin]$ mkstore -wrl $ORACLE_HOME/network/admin/ -createCredential huali liu “liu”
Enter wallet password:
Create credential oracle.security.client.connect_string1
You have new mail in /var/spool/mail/oracle

[oracle@testdb2 admin]$ mkstore -wrl $ORACLE_HOME/network/admin/ -listCredential
Enter wallet password:
List credential (index: connect_string username)
1: huali liu

[oracle@testdb2 admin]$ cat tnsnames.ora

huali =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.110.238)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(sid = huali)
)
)

[oracle@testdb2 admin]$ sqlplus /@huali

SQL*Plus: Release 10.2.0.5.0 – Production on Thu Jan 5 10:17:09 2012

Copyright (c) 1982, 2010, Oracle. All Rights Reserved.

Error accessing PRODUCT_USER_PROFILE
Warning: Product user profile information not loaded!
You may need to run PUPBLD.SQL as SYSTEM

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is “LIU”
SQL>
SQL>
SQL> !

Oracle 登录方式以及验证

November 30, 2011 maintain, oracle No comments

数据库用sysdba登录的验证有两种方式,一种是通过os认证,一种是通过密码文件验证;登录方式有两种,一种是在数据库主机直接登录(用os认证的方式),一种是通过网络远程登录;需要设置的参数有两个,一个是SQLNET.AUTHENTICATION_SERVICES,一个是REMOTE_LOGIN_PASSWORDFILE。

os认证:如果启用了os认证,以sysdba登录,那么我们只要用oracle软件的安装用户就能登录:sqlplus “/ as sysdba”。如果我们要禁用os认证,只利用密码文件登录,我们首先要有一个密码文件:

D:\oracle\ora92\database>orapwd file=PWDoralocal.ora password=mypassword entries=10;

D:\oracle\ora92\database>
然后我们要把$ORACLE_HOME/network/admin/sqlnet.ora中设置:

SQLNET.AUTHENTICATION_SERVICES= none
注意一下,密码文件只在数据库启动的时候加载进去,一旦加载进去,密码文件就脱离了oracle管理,所以我们用orapwd新建密码文件后,里面指定的密码要在数据重启后才能生效:

D:\oracle\ora92\database>sqlplus “sys/mypassword as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Fri May 16 21:59:42 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

### 这里我们通过改SQLNET.AUTHENTICATION_SERVICES= (NTS)用os认证登录数据库:
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> startup
ORACLE instance started.

Total System Global Area 135338868 bytes
Fixed Size 453492 bytes
Variable Size 109051904 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>

### 我们把SQLNET.AUTHENTICATION_SERVICES= (NTS)改回去。
D:\oracle\ora92\database>sqlplus “/ as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Fri May 16 22:03:59 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus “sys/mypassword as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Fri May 16 22:04:07 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.50.29)> exit
在这里,我们看到这个新改的密码要数据库重启后加载才生效。同时我们看到,用os认证是无法登录的,但是通过网络(用@sid)是可以登录。

D:\oracle\ora92\database>sqlplus “/ as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 00:58:32 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

D:\oracle\ora92\database>
D:\oracle\ora92\database>sqlplus “sys/mypassword as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 00:59:15 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)>
sys@ORALOCAL(192.168.50.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

D:\oracle\ora92\database>sqlplus “sys/mypassword@oralocal as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 00:59:38 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.50.29)>
至此,我们已经实现不用os认证(sqlplus “/ as sysdba”的方式登录不了)。那么我们怎么限制网络方面利用sysdba远程登录呢?我们可以设置初始化文件中的REMOTE_LOGIN_PASSWORDFILE=none。

注意,当REMOTE_LOGIN_PASSWORDFILE=none时,这个参数生效需要重启数据库,并且,一旦启用这个参数,将使用操作系统认证,不使用口令文件。因此如果REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none这个时候数据库是无法登录的。

D:\oracle\ora92\database>sqlplus “sys/change_on_install as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 01:28:58 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.50.29)> show parameter remote_login

NAME TYPE VALUE
———————————— ———– ——————————
remote_login_passwordfile string EXCLUSIVE
sys@ORALOCAL(192.168.50.29)> alter system set remote_login_passwordfile=none scope=spfile;

System altered.

Elapsed: 00:00:00.01
sys@ORALOCAL(192.168.50.29)> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ORALOCAL(192.168.50.29)> startup
ORA-01031: insufficient privileges
sys@ORALOCAL(192.168.50.29)>exit

C:\Documents and Settings\Administrator>sqlplus “/ as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 08:26:43 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\Administrator>sqlplus “sys/change_on_install as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 08:26:53 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus “sys/change_on_install@oralocal as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 08:27:03 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\Administrator>
这里我们看到由于启用了REMOTE_LOGIN_PASSWORDFILE=none,使用os认证,不用密码文件认证,必须将SQLNET.AUTHENTICATION_SERVICES= none取消,不然是无法登录。我们改成SQLNET.AUTHENTICATION_SERVICES= (NTS)后再次测试。

### 非oracle软件安装软件用户:###
C:\Documents and Settings\hejianmin>sqlplus “/ as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 20:15:13 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus “sys/change_on_install as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 20:15:30 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\hejianmin>
C:\Documents and Settings\hejianmin>sqlplus “sys/change_on_install@oralocal as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 20:15:42 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\hejianmin>

### oracle 软件安装用户 ####
C:\Documents and Settings\Administrator>sqlplus “/ as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on 星期六 5月 17 20:19:13 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production中断开

C:\Documents and Settings\Administrator>sqlplus “sys/change_on_install as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on 星期六 5月 17 20:19:33 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production中断开

C:\Documents and Settings\Administrator>sqlplus “sys/change_on_install@oralocal as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on 星期六 5月 17 20:19:45 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.0.29)> exit
从Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production中断开

C:\Documents and Settings\Administrator>sqlplus “11/22 as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on 星期六 5月 17 20:19:58 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

连接到:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.0.29)>
在这里我们看到由于用了os认证,在oracle安装用户下,无论用什么方式都能登录。非oracle用户无论用什么用户都无法登录。

如果REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none时:

C:\Documents and Settings\Administrator>sqlplus “sys/change_on_install as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 20:30:57 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

sys@ORALOCAL(192.168.0.29)> exit
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 – Production

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>sqlplus “/ as sysdba”

SQL*Plus: Release 9.2.0.1.0 – Production on Sat May 17 20:31:04 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>

总结:

以下针对linux平台测试
(1)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”无法登录
非oracle安装用户远程sqlplus “sys/sysdba_on_install@sid as sysdba”无法登录

(2)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “sys/change_on_install@sid as sysdba”能登录

(3)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= (NTS) –针对windows平台 待测:

–补充 注释 且SQLNET.AUTHENTICATION_SERVICES
本地 sqlplus ‘ /as sysdba’ 可以登陆
远程 sqlplus ‘sys/oracle@sid as sysdba’ 无法登陆 — also as sysoper

SQLNET.AUTHENTICATION_SERVICES=ALL
本地 sqlplus ‘ /as sysdba’ 可以登陆
远程 sqlplus ‘sys/oracle@sid as sysdba’ 无法登陆 — also as sysoper

(4)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= (NTS)–针对windows平台 待测

–补充 注释 且SQLNET.AUTHENTICATION_SERVICES

本地 sqlplus ‘ /as sysdba’ 可以登陆
远程 sqlplus ‘sys/oracle@sid as sysdba’ 可以登陆

SQLNET.AUTHENTICATION_SERVICES=ALL

本地 sqlplus ‘ /as sysdba’ 可以登陆
远程 sqlplus ‘sys/oracle@sid as sysdba’ 可以登陆 also as sysoper

总结:

以下针对windows平台测试

(1)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”无法登录
非oracle安装用户远程sqlplus “sys/change_on_install@sid as sysdba”无法登录

(2)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= none:
oracle安装用户本地sqlplus “/ as sysdba”无法登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “sys/change_on_install@sid as sysdba”能登录

(3)REMOTE_LOGIN_PASSWORDFILE=none且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安装用户本地sqlplus “/ as sysdba”能登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”可以登录
非oracle安装用户远程sqlplus “sys/change_on_install@sid as sysdba”无法登录

(4)REMOTE_LOGIN_PASSWORDFILE=exclusive且SQLNET.AUTHENTICATION_SERVICES= (NTS):
oracle安装用户本地sqlplus “/ as sysdba”能登录
非oracle安装用户本机sqlplus “sys/change_on_install as sysdba”能登录
非oracle安装用户远程sqlplus “sys/change_on_install@sid as sysdba”能登录

continue..