
Oracle Tutorial: Managing Security and Resources (Part 2): Managing Passwords with Oracle Profiles

2013-04-08 10:41
1. Account locking

FAILED_LOGIN_ATTEMPTS: specifies the maximum number of consecutive failed login attempts.
PASSWORD_LOCK_TIME: specifies the number of days the account stays locked.

03:34:13 SQL> create profile lock_account limit
03:36:51   2  failed_login_attempts 3
03:37:07   3  password_lock_time 10;

Profile created.

02:56:45 SQL> select profile ,resource_name ,limit from dba_profiles
02:57:20   2  where profile='LOCK_ACCOUNT';

PROFILE                        RESOURCE_NAME                    LIMIT
------------------------------ -------------------------------- ----------------------------------------
LOCK_ACCOUNT                   COMPOSITE_LIMIT                  DEFAULT
LOCK_ACCOUNT                   SESSIONS_PER_USER                DEFAULT
LOCK_ACCOUNT                   CPU_PER_SESSION                  DEFAULT
LOCK_ACCOUNT                   CPU_PER_CALL                     DEFAULT
LOCK_ACCOUNT                   LOGICAL_READS_PER_SESSION        DEFAULT
LOCK_ACCOUNT                   LOGICAL_READS_PER_CALL           DEFAULT
LOCK_ACCOUNT                   IDLE_TIME                        DEFAULT
LOCK_ACCOUNT                   CONNECT_TIME                     DEFAULT
LOCK_ACCOUNT                   PRIVATE_SGA                      DEFAULT
LOCK_ACCOUNT                   FAILED_LOGIN_ATTEMPTS            3
LOCK_ACCOUNT                   PASSWORD_LIFE_TIME               DEFAULT
LOCK_ACCOUNT                   PASSWORD_REUSE_TIME              DEFAULT
LOCK_ACCOUNT                   PASSWORD_REUSE_MAX               DEFAULT
LOCK_ACCOUNT                   PASSWORD_VERIFY_FUNCTION         DEFAULT
LOCK_ACCOUNT                   PASSWORD_LOCK_TIME               .0006
LOCK_ACCOUNT                   PASSWORD_GRACE_TIME              DEFAULT

16 rows selected.

03:38:02 SQL> create user test identified by test;

User created.

03:38:11 SQL> alter user test profile lock_account;

User altered

02:59:09 SQL> SELECT USERNAME,PROFILE FROM DBA_USERS
02:59:18   2  WHERE USERNAME='TEST';

USERNAME                       PROFILE
------------------------------ ------------------------------
TEST                           LOCK_ACCOUNT

03:38:31 SQL> select username,account_status from dba_users
03:39:23   2  where username='TEST';

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
TEST                           OPEN

03:40:00 SQL> CONN test/123
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.
03:40:03 SQL> CONN test/123
ERROR:
ORA-01017: invalid username/password; logon denied

03:40:06 SQL> CONN test/123
ERROR:
ORA-01017: invalid username/password; logon denied

03:40:07 SQL> CONN test/123
ERROR:
ORA-28000: the account is locked

03:40:23 SQL> conn /as sysdba
Connected.
03:40:32 SQL> select username,account_status from dba_users
03:40:34   2  where username='TEST';

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
TEST                           LOCKED(TIMED)

The test account is locked after three wrong passwords; Oracle unlocks it automatically after 10 days.

To unlock it manually:

03:41:55 SQL> alter user test account unlock;

User altered.

03:41:57 SQL> select username,account_status from dba_users
03:41:59   2  where username='TEST';

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
TEST                           OPEN

2. Password lifetime and expiry

PASSWORD_LIFE_TIME: specifies how long a password remains valid (unit: days).
PASSWORD_GRACE_TIME: specifies the password grace period (unit: days).

03:42:01 SQL> create profile password_life_time limit
03:45:09   2  password_life_time 10
03:45:19   3  password_grace_time 2;

Profile created

03:45:32 SQL> alter user test profile password_life_time;

User altered.

03:47:24 SQL> grant connect ,create session to test;

Grant succeeded.

03:47:26 SQL> conn test/test;

Once the password_life_time profile has been created and assigned to the user DEVEP, if DEVEP does not change the password within 10 days, the following warning is displayed at login on day 10:

Sqlplus devep/admin@test
ERROR:
ORA-28002: the password will expire within 2 days
Connected.

If the password is not changed on day 10, a similar warning is still displayed at login on days 11 and 12. If the password still has not been changed on day 12, then at login on day 13 Oracle forces you to change it, refuses the login otherwise, and displays the following:

Sqlplus devep/admin@test
ERROR:
ORA-28001: the password has expired
Changing password for devep
New password:

3. Password history

PASSWORD_REUSE_TIME: specifies the time after which a password may be reused (unit: days).
PASSWORD_REUSE_MAX: specifies the number of password changes required before a password may be reused.

03:51:24 SQL> conn /as sysdba
Connected.
03:51:32 SQL> create profile password_history limit
03:51:34   2  password_life_time 10 password_grace_time 2
03:51:38   3  password_reuse_time 10 password_reuse_max unlimited;

Profile created.

03:52:14 SQL> alter user test profile password_history;

User altered.

Once password_history has been assigned to DEVEP, if the user's password is not changed during the first 12 days, Oracle forces you to change it at login on day 13. If you try to use a previous password again, the change fails and the following error is displayed:

Sqlplus devep/admin@test
ERROR:
ORA-28001: the password has expired
Changing password for devep
New password:
Retype new password:
ERROR:
ORA-28007: the password cannot be reused.

4. Password complexity verification

(1) Using the system password verification function VERIFY_FUNCTION

When the Oracle database product is installed, Oracle supplies the SQL script UTLPWDMG.SQL. This script creates the system password verification function VERIFY_FUNCTION, which enforces the following password rules:

The password must not be shorter than 4 characters.
The password must not be the same as the user name.
The password must contain at least one letter, one digit and one special symbol ($, _, #, ! and so on).

03:57:13 SQL> @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql

Function created.

Profile altered.

Verification:

03:57:16 SQL> create user aa identified by aa;
create user aa identified by aa
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user

03:58:12 SQL> create user aa identified by bb;
create user aa identified by bb
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20002: Password length less than 4

(2) Creating a custom function

Create or replace function password_function ….

The function creation itself is omitted here. After the password verification function password_function has been created, the password_verify_function option must be changed for the function to be used. For example:

04:12:57 SQL> alter profile default limit
04:13:10   2  password_verify_function password_function ;

(3) Disabling the password verification function

To disable the password verification function, set the password_verify_function option to NULL. For example:

04:12:34 SQL> alter profile password_history limit
04:12:39   2  password_verify_function null;

Profile altered.

04:12:46 SQL> create user aa identified by aa;
create user aa identified by aa
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user

04:12:57 SQL> alter profile default limit
04:13:10   2  password_verify_function null;

Profile altered.

04:13:14 SQL> create user aa identified by aa;

User created.

04:13:16 SQL> drop user aa cascade;

User dropped.

The first CREATE USER still fails because a newly created user is assigned the DEFAULT profile, and only the password_history profile had been changed at that point. Once the function is also removed from the DEFAULT profile, the same statement succeeds.

5. Dropping a profile

09:43:30 SQL> drop profile pass_profile ;
drop profile pass_profile
*
ERROR at line 1:
ORA-02382: profile PASS_PROFILE has users assigned, cannot drop without CASCADE

09:43:48 SQL> drop profile pass_profile cascade;

Profile dropped.

09:43:56 SQL> -- the profile of the affected users becomes the DEFAULT profile
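The dba_profiles listing in section 1 shows most limits as DEFAULT, which hides the value that actually applies to the user. The following query is an added example, not part of the original article: it resolves DEFAULT against the DEFAULT profile and lists accounts whose effective settings leave lockout, expiry or complexity checking switched off. The choice of which limits to flag is an assumption of this example.

```sql
-- Added example (not from the original article).
-- Lists users whose effective password limits disable a protection
-- discussed above. A limit shown as DEFAULT is resolved to the value
-- held by the DEFAULT profile.
SELECT u.username,
       u.account_status,
       u.profile,
       p.resource_name,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
FROM   dba_users u
JOIN   dba_profiles p
       ON p.profile = u.profile
JOIN   dba_profiles d
       ON  d.profile = 'DEFAULT'
       AND d.resource_name = p.resource_name
WHERE  p.resource_type = 'PASSWORD'
AND    (
         -- No lockout after repeated failed logins (section 1).
         (p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
          AND DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'UNLIMITED')
         -- Password never expires (section 2).
      OR (p.resource_name = 'PASSWORD_LIFE_TIME'
          AND DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'UNLIMITED')
         -- No complexity check configured (section 4).
      OR (p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
          AND DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'NULL')
       )
ORDER  BY u.username, p.resource_name;
```

Run it as a user that can read DBA_USERS and DBA_PROFILES; an empty result means every account has lockout, expiry and a verification function in effect.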
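Section 4 (2) leaves out the body of password_function. The following is an added example of what such a function can look like, not the function the author omitted: the minimum length of 12, the rule set and the error numbers -20003 and -20004 are assumptions of this example, while the three-argument signature returning BOOLEAN is the form Oracle expects of a password verification function.

```sql
-- Added example, not the article's omitted function. Create it as SYS:
-- Oracle requires a password verification function to be owned by SYS.
CREATE OR REPLACE FUNCTION password_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN
IS
  min_length CONSTANT PLS_INTEGER := 12;  -- assumed policy value
BEGIN
  -- Rule 1: minimum length.
  IF password IS NULL OR LENGTH(password) < min_length THEN
    RAISE_APPLICATION_ERROR(-20002,
      'Password length less than ' || min_length);
  END IF;

  -- Rule 2: the password must not contain the user name (case-insensitive).
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password same as or similar to user');
  END IF;

  -- Rule 3: at least one letter, one digit and one special character.
  IF NOT (REGEXP_LIKE(password, '[[:alpha:]]')
          AND REGEXP_LIKE(password, '[[:digit:]]')
          AND REGEXP_LIKE(password, '[^[:alnum:]]')) THEN
    RAISE_APPLICATION_ERROR(-20003,
      'Password needs a letter, a digit and a special character');
  END IF;

  -- Rule 4: must differ from the previous password. old_password can be
  -- NULL (for example when an administrator sets the password), so guard it.
  IF old_password IS NOT NULL AND password = old_password THEN
    RAISE_APPLICATION_ERROR(-20004,
      'New password must differ from the old one');
  END IF;

  RETURN TRUE;
END;
/

-- Attach it to a profile, as in the article's own ALTER PROFILE example.
ALTER PROFILE default LIMIT
  password_verify_function password_function;
```

A rejected password surfaces to the user as ORA-28003 followed by the ORA-2000x message raised here, the same pattern as the VERIFY_FUNCTION errors shown in section 4 (1).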