1. Creating the password file
The password file can be created with Oracle's orapwd command. Password file location: $ORACLE_HOME/dbs; file name format: orapw$ORACLE_SID
[oracle@node01 dbs]$ orapwd
Usage: orapwd file= entries= force= ignorecase= nosysdba=
where
file - name of password file (required),
password - password for SYS will be prompted if not specified at command line,
entries - maximum number of distinct DBA (optional),
force - whether to overwrite existing file (optional),
ignorecase - passwords are case-insensitive (optional),
nosysdba - whether to shut out the SYSDBA logon (optional Database Vault only).
There must be no spaces around the equal-to (=) character.
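Example (if password= is omitted, orapwd prompts for the SYS password, as the usage text above states):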
[oracle@node01 oracle]$ cd $ORACLE_HOME/dbs
[oracle@node01 dbs]$ echo $ORACLE_SID
prod
[oracle@node01 dbs]$ orapwd file=orapwprod password=sys
[oracle@node01 dbs]$ ls
hc_prod.dat hc_zlf.dat init.ora initprod.ora lkPROD orapwprod spfileprod.ora
[oracle@node01 dbs]$
2. Viewing which users are in the password file (users holding the sysdba, sysoper, or sysasm system privileges)
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
SQL> grant sysdba to scott;
Grant succeeded.
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
SCOTT TRUE FALSE FALSE
SQL> grant sysoper to scott;
Grant succeeded.
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
SCOTT TRUE TRUE FALSE
3. Controlling use of the password file
REMOTE_LOGIN_PASSWORDFILE specifies whether Oracle checks for a password file.
Values:
shared
One or more databases can use the password file. The password file can contain SYS as well as non-SYS users.
exclusive
The password file can be used by only one database. The password file can contain SYS as well as non-SYS users.
none
Oracle ignores any password file. Therefore, privileged users must be authenticated by the operating system.
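Note: when REMOTE_LOGIN_PASSWORDFILE=none, administrative users (users with the sysdba or sysoper privilege) cannot manage the database remotely (shut it down or start it up); they can only manage the database after being authenticated by the operating system.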
SQL> show parameter remote_login_passwordfile
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
With this setting, log in to the database remotely and shut it down.
SQL> conn sys/sys@demodb as sysdba
已连接。
SQL> shutdown immediate
数据库已经关闭。
已经卸载数据库。
ORACLE 例程已经关闭。
SQL>
SQL> show parameter remote_login_passwordfile
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string NONE
SQL> conn sys/sys@demodb as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied
-- At this point the administrator can no longer log in to the database remotely.
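The following is an added example, not part of the original page: a small shell audit that reads spooled SQL*Plus output of v$pwfile_users (section 2) and reports every non-SYS account holding an administrative privilege, plus a helper that maps the remote_login_passwordfile value (section 3) to the authentication path it implies. The function names are hypothetical, the sample listing is constructed from the output shown in section 2, and the column order USERNAME, SYSDB, SYSOP, SYSAS is assumed to match that listing.

```shell
#!/bin/sh
# Added example: audit password-file users from SQL*Plus output.
# Function names are hypothetical; column order is assumed to be
# USERNAME SYSDB SYSOP SYSAS, as in the listing in section 2.

# Constructed sample: the listing from section 2 after both grants.
sample_pwfile_users() {
cat <<'EOF'
SQL> select * from v$pwfile_users;
USERNAME                       SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS                            TRUE  TRUE  FALSE
SCOTT                          TRUE  TRUE  FALSE
EOF
}

# Read v$pwfile_users output on stdin and print one "USER:PRIVS" line
# for each non-SYS account that holds at least one admin privilege.
audit_pwfile_users() {
  awk '
    /^USERNAME/ || /^-+/ || NF < 4 { next }   # header, rule, short lines
    toupper($1) == "SYS"           { next }   # SYS is always present
    {
      privs = ""
      if ($2 == "TRUE") privs = privs "SYSDBA,"
      if ($3 == "TRUE") privs = privs "SYSOPER,"
      if ($4 == "TRUE") privs = privs "SYSASM,"
      sub(/,$/, "", privs)
      if (privs != "") print $1 ":" privs
    }'
}

# Map a remote_login_passwordfile value to how privileged users
# are authenticated, following the parameter description in section 3.
remote_admin_mode() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    NONE)             echo "os-auth-only" ;;
    EXCLUSIVE|SHARED) echo "password-file" ;;
    *)                echo "unknown"; return 1 ;;
  esac
}

# Demo run on the constructed sample.
sample_pwfile_users | audit_pwfile_users
remote_admin_mode EXCLUSIVE
```

To run it against a live instance, pipe the spooled output of the v$pwfile_users query into audit_pwfile_users and review every account it lists.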