CNDBA社区
1 说明
在12.2中,通过强制执行相关管理员用户的profile密码的限制来提高管理员密码的安全性。
如:FAILED_LOGIN_COUNT, PASSWORD_LOCK_TIME, PASSWORD_GRACE_TIME, and PASSWORD_LIFE_TIME.
There is no special protection with the password file. The password verifiers must be stored outside of the database so that authentication can be performed even when the database is not open. In previous releases, password complexity functions were available for non-administrative users only. Starting with Oracle Database release 12c (12.2), password complexity functions can be used for both non-administrative users and administrative users.
从12.2开始,密码复杂性函数也用于管理员用户。
1.1 对于管理员用户的密码profile设置
以下几个profile设置参数是必须设置的:
l FAILED_LOGIN_ATTEMPT
l INACTIVE_ACCOUNT_TIME
l PASSWORD_LOCK_TIME
l PASSWORD_LIFE_TIME
l PASSWORD_GRACE_TIME
1.2 orapwd工具提高了密码的复杂性
In addition, for the ORAPWD utility, the restriction for the entries argument for the operating system password file has been removed.
并且orapwd工具取消了“entires”选项,经过测试创建了200个用户并授予sysdba权限都成功了。对于可以拥有sysdba权限的用户数量没有了限制。
创建脚本:
declare
sqltext1 varchar2(100);
sqltext2 varchar2(100);
begin
for i in 1..200
loop
sqltext1 := 'create user test'||i||' identified by test'||i;
sqltext2 := 'grant sysdba to test'||i;
execute immediate sqltext1;
execute immediate sqltext2;
end loop;
end;
密码复杂性增加如下:
Setting FORMAT to 12.2 enforces the following rules:
l The password contains no fewer than 8 characters and includes at least one numeric and one alphabetic character.
l The password is not the same as the user name or the user name reversed.
l The password is not the same as the database name.
l The password does not contain the word oracle (such as oracle123).
l The password differs from the previous password by at least 8 characters.
l The password contains at least 1 special character.
FORMAT=12.2 also applies the following internal checks:
n The password does not exceed 30 characters.
n The password does not contain the double-quotation character ("). However, it can be surrounded by double-quotation marks.
Configuring FORMAT=12.2 sets administrative users to use the default profile, which uses these settings:
l PASSWORD_LIFE_TIME: 180 days
l PASSWORD_GRACE_TIME: 7 days
l FAILED_LOGIN_ATTEMPTS: 10 attempts
1.2.1 验证
#orapwd创建密码文件--format选项
[oracle@cndba dbs]$ orapwd file=orapwtest password=oracle format=12.2
OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.
[oracle@cndba dbs]$ orapwd file=orapwtest password=oracle123 format=12.2
OPW-00029: Password complexity failed for SYS user : Password must contain at least 1 special charact
[oracle@cndba dbs]$ orapwd file=orapwtest password=oracle123 format=11.2
#查看默认profile设置
SQL> select profile,resource_name,limit from dba_profiles where resource_name in('PASSWORD_LIFE_TIME','PASSWORD_GRACE_TIME','FAILED_LOGIN_ATTEMPTS');
PROFILE RESOURCE_NAME LIMIT
------------------------------ ------------------------------ --------------------
DEFAULT FAILED_LOGIN_ATTEMPTS 10
DEFAULT PASSWORD_LIFE_TIME 180
DEFAULT PASSWORD_GRACE_TIME 7
#查看管理员用户的权限的相关信息,最后一次登录时间
SQL> select username,sysdba,ACCOUNT_STATUS,PASSWORD_PROFILE,LAST_LOGIN,EXPIRY_DATE from V$PWFILE_USERS;
版权声明:本文为博主原创文章,未经博主允许不得转载。
