Oracle密码管理（Password Management使用utlpwdmg.sql）

maoj2008 发表于 2011-12-22 08:54

<div id="blog_text" class="cnt">使用脚本utlpwdmg.sql可以方便地启动数据库的密码管理。该脚本位于$ORACLE_HOME/rdbms/admin目录下。
启动密码管理以前：
SQL> select * from v$version; 
BANNER 
---------------------------------------------------------------- 
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod 
PL/SQL Release 10.2.0.1.0 - Production 
CORE   10.2.0.1.0     Production 
TNS for Linux: Version 10.2.0.1.0 - Production 
NLSRTL Version 10.2.0.1.0 - Production
SQL> select * from dba_profiles where resource_type='PASSWORD'; 
PROFILE                       RESOURCE_NAME                   RESOURCE LIMIT 
------------------------------ -------------------------------- -------- ---------------------------------------- 
DEFAULT                       FAILED_LOGIN_ATTEMPTS           PASSWORD 10 
DEFAULT                       PASSWORD_LIFE_TIME              PASSWORD UNLIMITED 
DEFAULT                       PASSWORD_REUSE_TIME             PASSWORD UNLIMITED 
DEFAULT                       PASSWORD_REUSE_MAX              PASSWORD UNLIMITED 
DEFAULT                       PASSWORD_VERIFY_FUNCTION        PASSWORD NULL 
DEFAULT                       PASSWORD_LOCK_TIME              PASSWORD UNLIMITED 
DEFAULT                       PASSWORD_GRACE_TIME             PASSWORD UNLIMITED
启用密码管理：
SQL> @?/rdbms/admin/utlpwdmg.sql
Function created
Profile altered
启动后：
SQL> select * from dba_profiles where resource_type='PASSWORD';
PROFILE                       RESOURCE_NAME                   RESOURCE LIMIT 
------------------------------ -------------------------------- -------- ---------------------------------------- 
DEFAULT                       FAILED_LOGIN_ATTEMPTS           PASSWORD 3 
DEFAULT                       PASSWORD_LIFE_TIME              PASSWORD 90 
DEFAULT                       PASSWORD_REUSE_TIME             PASSWORD 1800 
DEFAULT                       PASSWORD_REUSE_MAX              PASSWORD UNLIMITED 
DEFAULT                       PASSWORD_VERIFY_FUNCTION        PASSWORD VERIFY_FUNCTION 
DEFAULT                       PASSWORD_LOCK_TIME              PASSWORD .0006 
DEFAULT                       PASSWORD_GRACE_TIME             PASSWORD 10 

如果新设定的密码不符合复杂性检验规则，就会报错。例如：
SQL> alter user lh identified by lh;
alter user lh identified by lh
ORA-28003: password verification for the specified password failed 
ORA-20001: Password same as or similar to user
取消密码管理： 
 
SQL>alter profile DEFAULT limit <password_parameter> unlimited; 
如： 
SQL>alter profile DEFAULT limit password_reuse_time unlimited; 
 
停止密码检验函数： 
 
SQL>alter profile DEFAULT limit password_verify_function null;
熟悉utlpwdmg.sql脚本有助我们更深入了解oracle密码检查机制。我们可以修改或自定义密码检验函数。
附utlpwdmg.sql脚本内容（红色自己是我修改的）：
Rem 
Rem $Header: utlpwdmg.sql 31-aug-2000.11:00:47 nireland Exp $ 
Rem 
Rem utlpwdmg.sql 
Rem 
Rem Copyright (c) Oracle Corporation 1996, 2000. All Rights Reserved. 
Rem 
Rem   NAME 
Rem     utlpwdmg.sql - script for Default Password Resource Limits 
Rem 
Rem   DESCRIPTION 
Rem     This is a script for enabling the password management features 
Rem     by setting the default password resource limits. 
Rem 
Rem   NOTES 
Rem     This file contains a function for minimum checking of password 
Rem     complexity. This is more of a sample function that the customer 
Rem     can use to develop the function for actual complexity checks that the 
Rem     customer wants to make on the new password. 
Rem 
Rem   MODIFIED  (MM/DD/YY) 
Rem   nireland   08/31/00 - Improve check for username=password. #1390553 
Rem   nireland   06/28/00 - Fix null old password test. #1341892 
Rem   asurpur    04/17/97 - Fix for bug479763 
Rem   asurpur    12/12/96 - Changing the name of password_verify_function 
Rem   asurpur    05/30/96 - New script for default password management 
Rem   asurpur    05/30/96 - Created 
Rem
-- This script sets the default password resource parameters 
-- This script needs to be run to enable the password features. 
-- However the default resource parameters can be changed based 
-- on the need. 
-- A default password complexity function is also provided. 
-- This function makes the minimum complexity checks like 
-- the minimum length of the password, password not same as the 
-- username, etc. The user may enhance this function according to 
-- the need. 
-- This function must be created in SYS schema. 
-- connect sys/<password> as sysdba before running the script
CREATE OR REPLACE FUNCTION verify_function 
(username varchar2, 
password varchar2, 
old_password varchar2) 
RETURN boolean IS 
  n boolean; 
  m integer; 
  differ integer; 
  isdigit boolean; 
  ischar boolean; 
  ispunct boolean; 
  digitarray varchar2(20); 
  punctarray varchar2(25); 
  chararray varchar2(52);
BEGIN 
  digitarray:= '0123456789'; 
  chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; 
  punctarray:='!"#$%&()``*+,-/:;<=>?_';
  -- Check if the password is same as the username 
  IF NLS_LOWER(password) = NLS_LOWER(username) THEN 
    raise_application_error(-20001, 'Password same as or similar to user'); 
  END IF; 
     
  -- Check for the minimum length of the password 
  -- wangnc modified,2008-9-25 15:11:30,change 4 to 16. 
  IF length(password) < 16 THEN 
     raise_application_error(-20002, 'Password length less than 16'); 
  END IF;
  -- Check if the password is too simple. A dictionary of words may be 
  -- maintained and a check may be made so as not to allow the words 
  -- that are too simple for the password. 
  -- wangnc modified,2008-9-25 15:12:17,add 'dba', 'manager', 'tiger' 
  IF NLS_LOWER(password) IN ('welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd', 
     'dba', 'manager', 'tiger') THEN 
     raise_application_error(-20002, 'Password too simple'); 
  END IF;
  -- Check if the password contains at least one letter, one digit and one 
  -- punctuation mark. 
  -- 1. Check for the digit 
  isdigit:=FALSE; 
  m := length(password); 
  FOR i IN 1..10 LOOP 
     FOR j IN 1..m LOOP 
        IF substr(password,j,1) = substr(digitarray,i,1) THEN 
           isdigit:=TRUE; 
            GOTO findchar; 
        END IF; 
     END LOOP; 
  END LOOP; 
  IF isdigit = FALSE THEN 
     raise_application_error(-20003, 'Password should contain at least one digit, one character and one punctuation'); 
  END IF; 
  -- 2. Check for the character 
  <<findchar>> 
  ischar:=FALSE; 
  FOR i IN 1..length(chararray) LOOP 
     FOR j IN 1..m LOOP 
        IF substr(password,j,1) = substr(chararray,i,1) THEN 
           ischar:=TRUE; 
            GOTO findpunct; 
        END IF; 
     END LOOP; 
  END LOOP; 
  IF ischar = FALSE THEN 
     raise_application_error(-20003, 'Password should contain at least one \ 
             digit, one character and one punctuation'); 
  END IF; 
  -- 3. Check for the punctuation 
  <<findpunct>> 
  ispunct:=FALSE; 
  FOR i IN 1..length(punctarray) LOOP 
     FOR j IN 1..m LOOP 
        IF substr(password,j,1) = substr(punctarray,i,1) THEN 
           ispunct:=TRUE; 
            GOTO endsearch; 
        END IF; 
     END LOOP; 
  END LOOP; 
  IF ispunct = FALSE THEN 
     raise_application_error(-20003, 'Password should contain at least one \ 
             digit, one character and one punctuation'); 
  END IF;
  <<endsearch>> 
  -- Check if the password differs from the previous password by at least 
  -- 3 letters 
  IF old_password IS NOT NULL THEN 
    differ := length(old_password) - length(password);
    IF abs(differ) < 3 THEN 
      IF length(password) < length(old_password) THEN 
        m := length(password); 
      ELSE 
        m := length(old_password); 
      END IF;
      differ := abs(differ); 
      FOR i IN 1..m LOOP 
        IF substr(password,i,1) != substr(old_password,i,1) THEN 
          differ := differ + 1; 
        END IF; 
      END LOOP;
      IF differ < 3 THEN 
        raise_application_error(-20004, 'Password should differ by at \ 
        least 3 characters'); 
      END IF; 
    END IF; 
  END IF; 
  -- Everything is fine; return TRUE ; 
  RETURN(TRUE); 
END; 
/
 
-- This script alters the default parameters for Password Management 
-- This means that all the users on the system have Password Management 
-- enabled and set to the following values unless another profile is 
-- created with parameter values set to different value or UNLIMITED 
-- is created and assigned to the user.
/* 
PASSWORD_LIFE_TIME 90 --用于指定口令有效期 
PASSWORD_GRACE_TIME 10 --用于指定口令宽限期(为了强制用户定期改变口令,以上二者必须同时设置.) 
PASSWORD_REUSE_TIME 1800 --用于指定口令可重用时间. 
PASSWORD_REUSE_MAX UNLIMITED --用于指定在重用口令之前口令需要改变的次数.(需要主要,使用口令历史选项时,只能使用以上两种其中的一个选项.并将另一个选项设置为UNLIMITED.) 
FAILED_LOGIN_ATTEMPTS 3 --用于指定连续登陆的最大失败次数. 
PASSWORD_LOCK_TIME 1/1440 --用于指定帐户被锁定的天数. 
PASSWORD_VERIFY_FUNCTION verify_function; --如果要禁用口令校验函数,可以将PASSWORD_VERIFY_FUNCTION选项设置为NULL. 
*/
ALTER PROFILE DEFAULT LIMIT 
PASSWORD_LIFE_TIME 90 
PASSWORD_GRACE_TIME 10 
PASSWORD_REUSE_TIME 1800 
PASSWORD_REUSE_MAX UNLIMITED 
FAILED_LOGIN_ATTEMPTS 3 
PASSWORD_LOCK_TIME 1/1440 
PASSWORD_VERIFY_FUNCTION verify_function; 
 
--End-- ------------<h2>What is Profile </h2>
A profile is a database object - a named set of resource limits to:

<ul><li> Restrict database usage by a system user – profiles restrict
users from performing operations that exceed reasonable resource
utilization.Examples of resources that need to be managed:
</li></ul>
<ul><li><ul><li> Disk storage space.
</li><li> I/O bandwidth to run queries.
</li><li> CPU power.
</li><li> Connect time.
</li></ul>
</li></ul>
<ul><li> Enforce password practices – how user passwords are created, reused, and validated.
</li></ul>
<ul><li> Profiles are assigned to users as part of the CREATE USER or ALTER USER commands.
</li></ul>
<ul><li><ul><li> User accounts can have only a single profile.
</li><li> A default profile can be created – a default already exists
within Oracle named DEFAULT – it is applied to any user not assigned
another profile.
</li><li> Assigning a new profile to a user account supersedes any earlier profile.
</li><li> Profiles cannot be assigned to roles or other profiles.
</li></ul>
</li></ul>
Here are some system privileges for PROFILE.

<ul><li><ul><li> alter profile
</li><li> create profile
</li><li> drop profile
</li></ul>
</li></ul>
<a name="Benefits_of_Profile"></a><h2> Benefits of Profile </h2>
You can enforce a limit on resource utilization using resource limit parameters
Also you can maintain database secutiry by using password management feature

<a name="Resource___Parameters"></a><h2>Resource Parameters </h2>
• SESSIONS_PER_USER
Specify the number of concurrent sessions to which you want to limit the user.
• CPU_PER_SESSION
Specify the CPU time limit for a session, expressed in hundredth of seconds.
• CPU_PER_CALL
Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds.
• CONNECT_TIME
Specify the total elapsed time limit for a session, expressed in minutes.
• IDLE_TIME
Specify the permitted periods of continuous inactive time during a
session, expressed in minutes. Long-running queries and other
operations are not subject to this limit.
• LOGICAL_READS_PER_SESSION
Specify the permitted number of data blocks read in a session, including blocks read from memory and disk.
• LOGICAL_READS_PER_CALL
Specify the permitted the number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch).
• PRIVATE_SGA
Specify the amount of private space a session can allocate in the
shared pool of the system global area (SGA), expressed in bytes.
• COMPOSITE_LIMIT
Specify the total resource cost for a session, expressed in
service units. Oracle Database calculates the total service units as a
weighted sum of CPU_PER_SESSION, CONNECT_TIME,
LOGICAL_READS_PER_SESSION, and PRIVATE_SGA.

<a name="Creating____Profile"></a><h2> Creating Profile </h2>
Profiles only take effect when resource limits are "turned on" for the database as a whole.
• Specify the RESOURCE_LIMIT initialization parameter.
RESOURCE_LIMIT = TRUE
Let check the parameter value.

<pre>SQL> show parameter resource_limit NAME TYPE VALUE ------------------------------------ ----------- --------- resource_limit boolean FALSE </pre>
Its mean resource limit is off,we ist have to enable it.
• Use the ALTER SYSTEM statement to turn on resource limits.

<pre>SQL> ALTER SYSTEM SET RESOURCE_LIMIT = TRUE; System altered. SQL> show parameter resource_limit NAME TYPE VALUE ------------------------------------ ----------- --------- resource_limit boolean TRUE </pre>
• Resource limit specifications pertaining to passwords are always in effect.
Now I'm going to create a profile with the name my_profile.

<pre>SQL> CREATE PROFILE my_profile LIMIT SESSIONS_PER_USER 2 IDLE_TIME 5 CONNECT_TIME 10; </pre>
Profile created.
 
In the above example i created simple profile which will handle

<pre>SESSIONS_PER_USER<<<I'm able to open 2 sessions concurrent IDLE_TIME <<<My session will be terminate automatically after the time specified for this parameter. CONNECT_TIME <<<It will keep me onlineuntil the value of this parameter. </pre>
 
NOTE:
Both parameters take values in min.
Now I'm creating a test user to check the functionality of this profile.

<pre>SQL> create user Michel identified by michel default tablespace users temporary tablespace temp; User created. </pre>
 

<pre>SQL> alter user Michel profile my_profile; User altered. </pre>
With the above statement i assigned the profile my_profile to user Michel.
Let see how our profile will work.
I already opened 2 sessions with the user name Michel but when i tried for third session it thorwed this error.

<pre>sqlplus Michel SQL*Plus: Release 11.1.0.6.0 - Production on Mon Nov 26 15:57:23 2007 Copyright (c) 1982, 2007, Oracle.All rights reserved. Enter password: ERROR: ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit </pre>

You noticed when i tried to open third session it gave me error.
Lets go to 2nd step IDLE_TIME.Here we go again

<pre>SQL> select * from tab; select * from tab * ERROR at line 1: ORA-02396: exceeded maximum idle time, please connect again </pre>
Because i was idle more than 5 min so thats why Oracle server kill mine session.
We can check the resource parameter of our profile by querying DBA_PROFILES.

<pre>SQL> select * from dba_profiles where profile='MY_PROFILE'; PROFILE RESOURCE_NAME RESOURCE LIMIT ------------------------------ -------------------------------- -------- ------ --------------------------------- MY_PROFILE COMPOSITE_LIMIT KERNEL DEFAUL MY_PROFILE SESSIONS_PER_USER KERNEL 2 MY_PROFILE IDLE_TIME KERNEL 5 MY_PROFILE CONNECT_TIME KERNEL 10 . . . </pre>
<a name="Assigning___Profile"></a><h2>Assigning Profile </h2>
Profile can be assign in two ways either during USER creation or by using ALTER statement.
Case 1:

<pre>SQL> create user orafaq identified by pass profile my_profile; User created. </pre>
We can check it by using this query.

<pre>SQL> select username,profile from dba_users where username='ORAFAQ'; </pre>
<pre>USERNAME PROFILE ------------------------------ -------------- ORAFAQ MY_PROFILE </pre>
CASE 2:

<pre>SQL> drop user orafaq cascade; User dropped. SQL> create user orafaq identified by pass; User created. SQL> alter user orafaq profile my_profile; User altered. </pre>
<a name="Altering____Profile"></a><h2> Altering Profile </h2>
Profiles can be altered with the ALTER PROFILE command.
• A DBA must have the ALTER PROFILE system privilege to use this
command.
• When a profile limit is adjusted, the new setting overrides the
previous setting for the limit, but these changes do not affect current
sessions in process.See the example below
 
SQL> ALTER PROFILE accountant LIMIT
CPU_PER_CALL default
LOGICAL_READS_PER_SESSION 20000
SESSIONS_PER_USER 1;

<a name="Dropping____Profile"></a><h2> Dropping Profile </h2>
Profiles no longer required can be dropped with the DROP PROFILE
command.
• The DEFAULT profile cannot be dropped.
• The CASCADE clause revokes the profile from any user account to which
it was assigned – the CASCADE clause MUST BE USED if the profile has
been assigned to any user account.
• When a profile is dropped, any user account with that profile is
reassigned the DEFAULT profile. See examples below:
SQL> DROP PROFILE accountant;
ERROR at line 1:
ORA-02382: profile ACCOUNTANT has users assigned, cannot drop without CASCADE
SQL> DROP PROFILE accountant CASCADE;
 
SQL> SELECT username, profile FROM dba_users
WHERE username = 'DBUSER1';
• Changes that result from dropping a profile only apply to sessions
that are created after the change – current sessions are not modified.
</div>

页: [1]

Chinaunix's Archiver

Oracle密码管理（Password Management使用utlpwdmg.sql）