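A question from a QQ friend -- let me get the discussion started with a simple question: I don't know the listener password and I don't have root privileges listener.pdf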
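Preface
The database listener sits between applications and the database: it connects sessions originating from application systems to the database server. It is a special process, so its administration must be hardened; otherwise the security impact is severe.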
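Test conclusions
1. In Oracle 11g the listener uses operating system authentication by default, i.e. only a user who holds the privileges the listener requires can administer it.
2. Add the entry LOCAL_OS_AUTHENTICATION_LISTENER=OFF to listener.ora to disable local OS authentication. Otherwise, even if a password is configured at the lsnrctl prompt, the password does not take effect.
3. After entering the password with set password at the lsnrctl prompt, the various listener operations can be carried out.
4. If you do not know the listener password, locate listener.ora gives the approximate location of the listener configuration file; combined with the operating system user you are working as, this roughly identifies the directory that holds the listener file.
5. The official manuals covering the listener are the Oracle® Database Net Services Administrator's Guide and the Oracle® Database Net Services Reference.
6. Once again: be sure to learn to consult the official manuals.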
Test details
1. Before a listener password is set, the listener status can be viewed
[oracle@seconary ~]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 15-JUN-2015 00:56:15
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.3)(PORT=1981)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.1.0 - Production
Start Date 15-JUN-2015 00:55:10
Uptime 0 days 0 hr. 1 min. 4 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/product/11.2.0/db_1/network/admin/listener.ora
Listener Log File /oracle/diag/tnslsnr/seconary/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.3)(PORT=1981)))
Services Summary...
Service "second" has 1 instance(s).
Instance "second", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
2. Configure the listener password
[oracle@seconary ~]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 15-JUN-2015 00:57:18
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
List the listener commands
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start stop status
services version reload
save_config trace spawn
change_password quit exit
set* show*
See how to change the listener password
LSNRCTL> help change_password
change_password []: changes the password of the listener
List the parameters of the SET command
LSNRCTL> set
The following operations are available after set
An asterisk (*) denotes a modifier or extended command:
password rawmode
displaymode trc_file
trc_directory trc_level
log_file log_directory
log_status current_listener
inbound_connect_timeout startup_waittime
save_config_on_stop dynamic_registration
enable_global_dynamic_endpoint
Current listener
LSNRCTL> set current_listener
Current Listener is LISTENER
Set the listener password
LSNRCTL> set password
Password:
The command completed successfully
Save the configuration
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.3)(PORT=1981)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/product/11.2.0/db_1/network/admin/listener.ora
Old Parameter File /oracle/product/11.2.0/db_1/network/admin/listener.bak
The command completed successfully
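After the password is configured the listener status can still be displayed, which shows that the listener password has not taken effect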
[oracle@seconary ~]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 15-JUN-2015 01:06:16
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.3)(PORT=1981)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.1.0 - Production
Start Date 15-JUN-2015 01:02:21
Uptime 0 days 0 hr. 3 min. 55 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/product/11.2.0/db_1/network/admin/listener.ora
Listener Log File /oracle/diag/tnslsnr/seconary/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.3)(PORT=1981)))
Services Summary...
Service "second" has 1 instance(s).
Instance "second", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Adding the following entry to the listener configuration still does not make the password take effect
[oracle@seconary ~]$ more /oracle/product/11.2.0/db_1/network/admin/listener.ora
ADMIN_RESTRICTIONS_listener=on
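According to the official manual, the Oracle® Database Net Services Administrator's Guide 11g Release 2 (11.2), the listener password feature is deprecated starting with Oracle 11g, because the database server authenticates through local operating system authentication, which exposes a security problem.
The listener status output shows this as well: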
Security ON: Password or Local OS Authentication
Once local operating system authentication is turned off, listener password authentication takes effect
[oracle@seconary admin]$ more listener.ora
# listener.ora Network Configuration File: /oracle/product/11.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = second)
      (ORACLE_HOME = /oracle/product/11.2.0/db_1)
      (SID_NAME = second)
    )
  )
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.3)(PORT = 1981))
  )
ADR_BASE_LISTENER = /oracle
#----ADDED BY TNSLSNR 15-JUN-2015 01:01:22---
PASSWORDS_LISTENER = 76CC275A9805B912
#--------------------------------------------
LOCAL_OS_AUTHENTICATION_LISTENER=OFF
ADMIN_RESTRICTIONS_listener=on
[oracle@seconary admin]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 15-JUN-2015 07:15:23
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.3)(PORT=1981)))
TNS-01169: The listener has not recognized the password
[oracle@seconary admin]$ lsnrctl stop
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 15-JUN-2015 07:15:40
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.3)(PORT=1981)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.3)(PORT=1981)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.1.0 - Production
Start Date 15-JUN-2015 07:13:57
Uptime 0 days 0 hr. 3 min. 22 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File /oracle/product/11.2.0/db_1/network/admin/listener.ora
Listener Log File /oracle/diag/tnslsnr/seconary/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.3)(PORT=1981)))
Services Summary...
Service "second" has 1 instance(s).
Instance "second", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
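The three "Security" values seen in the status output above (Local OS Authentication, Password or Local OS Authentication, Password) follow from two listener.ora parameters. The shell function below is an added example, not part of the original post: it reads a listener.ora and reports which of those states to expect, so a configuration where the password is set but not enforced can be spotted without touching the running listener. The function names, the case-insensitive parameter matching and the placeholder hash are assumptions of this example.

```shell
# Added example: derive the expected listener "Security" mode from listener.ora,
# following the three states observed in the transcripts above.

# param_value FILE NAME: print the value of top-level parameter NAME, or nothing.
# Names are compared case-insensitively (the page itself writes
# ADMIN_RESTRICTIONS_listener); the last occurrence wins (assumption).
param_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", name)
            gsub(/[ \t\r]/, "", val)
            if (toupper(name) == toupper(want)) found = val
        }
        END { print found }
    ' "$1"
}

# listener_auth_mode FILE [LISTENER_NAME]: print the expected "Security" mode.
listener_auth_mode() {
    name=${2:-LISTENER}
    pw=$(param_value "$1" "PASSWORDS_$name")
    os=$(param_value "$1" "LOCAL_OS_AUTHENTICATION_$name" | tr '[:lower:]' '[:upper:]')
    if [ -n "$pw" ] && [ "$os" = "OFF" ]; then
        echo "Password"
    elif [ -n "$pw" ]; then
        echo "Password or Local OS Authentication"   # password set, not enforced locally
    elif [ "$os" = "OFF" ]; then
        echo "UNKNOWN"                                # combination not tested on this page
    else
        echo "Local OS Authentication"
    fi
}

# Constructed sample: password hash present, OS authentication left at its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PASSWORDS_LISTENER = 0000000000000000
ADMIN_RESTRICTIONS_listener=on
EOF
echo "before: $(listener_auth_mode "$sample")"
echo "LOCAL_OS_AUTHENTICATION_LISTENER=OFF" >> "$sample"
echo "after:  $(listener_auth_mode "$sample")"
rm -f "$sample"
```

Pass a second argument to check a listener whose name is not LISTENER.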