From ORACLE 12.2.0.1 onward, the md5 value of the password file changes after every remote login
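While troubleshooting a password error on an ORACLE 19.5 DG, I happened to notice that the md5 value of the DG password file changes once after every remote login via sqlplus sys/paxxx@dgtns. A search on MOS turned up the following article: Why do the timestamp and md5 hash values of a password file change? (Doc ID 2821102.1)
The precondition for this behavior: the password file was created with orapwd either without the format parameter (the default is format=12.2) or with format=12.2 set explicitly. In that case the md5 changes after every remote login. The reason is that from ORACLE 12.2.0.1 and later, Oracle introduced the requirements for password limits and password complexity, and the password file also records the last login time, that is, the time of the previous login, so the md5 of the password file changes.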
format - use format=12 for new 12c features like SYSBACKUP, SYSDG and SYSKM support, longer identifiers, SHA2 Verifiers etc. use format=12.2 for 12.2 features like enforcing user profile (password limits and password complexity) and account status for administrative users. If not specified, format=12.2 is default (optional),
From 12.2 , orapwd enforces password complexity rules (Doc ID 2294754.1)
SOLUTION
Use strong password
Provide a password which fulfills all complexity requirements.

    $ orapwd file=orapwd122 password=welcome1!

Create Password File in 12c format
If you don’t want to set a strong password, you can use the 12c Release 1 format using the format parameter (the default value of Format is 12.2).

    $ orapwd file=orapwd122 password=oracle format=12

Additional information:
- Mixed case passwords of user name / “oracle” cannot be set, too.
- “special character” are the following characters ‘ ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] / < > , . ; ? ‘ : (space)
Appendix:
Why do the timestamp and md5 hash values of a password file change? (Doc ID 2821102.1)
APPLIES TO:
Oracle Database - Enterprise Edition - Version 12.2.0.1 and later
Information in this document applies to any platform.
GOAL
As extensively indicated here, a password file can be modified through the use of the ORAPWD tool, or by granting or revoking administrative privileges such as SYSDBA, SYSOPER, SYSBACKUP, SYSDG, or SYSKM to database users. Any of these modifications also modify the timestamp and MD5 hash values of a password file, naturally. However, what could cause these characteristics of a password file to change if neither of the previously indicated actions were performed?
SOLUTION
Considering that a password file has not been modified by the previously indicated actions, and it has not been directly manipulated from the operating system by any other means either, from Oracle database software version 12.2 and onwards, its timestamp and md5 hash values can still change if a remote connection to the database as a user granted with any of the previously indicated administrative privileges takes place, as demonstrated below:
When a local connection to the database takes place, its password file timestamp and MD5 hash values remain unchanged:
This is an expected behavior that works as designed. This password file modification does not signify a password nor a privilege change, but simply indicates that a remote login has been done. The feature “last login time” has been introduced in 12.2 and hence, the behavior.
PLEASE DO NOTE THAT THIS AFFECTS BOTH, PASSWORD FILES STORED IN OPERATING SYSTEM FILE SYSTEMS AND IN ASM DISKGROUPS, AS WELL AS DATA GUARD (DG) AND REAL APPLICATION CLUSTERS (RAC) DATABASES. HAVING THIS IN CONSIDERATION, KEEP IN MIND THAT A PASSWORD FILE DIFFERENCE AMONG THE MEMBERS OF A DG OR A RAC ARRAY DOES NOT NECESSARILY MEAN DE-SYNCHRONIZATION, IT COULD BE DUE TO THIS BEHAVIOR.
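Because an md5 mismatch between DG or RAC members is not evidence of de-synchronization, a content-level comparison is more useful than a checksum. The following Python script is an added example, not code from the original post or from Oracle: it compares two CSV snapshots of V$PWFILE_USERS and separates real drift (missing users, different privileges or account status) from differences that are only in LAST_LOGIN. The export query, the column selection and the user names OPS_ADM and BACKUP_ADM are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Each snapshot is assumed to come from SQL*Plus 12.2+ with SET MARKUP CSV ON:
#   SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm,
#          account_status, last_login FROM v$pwfile_users;
VOLATILE = {"LAST_LOGIN"}  # rewritten by remote administrative logins

def load(csv_text):
    """Parse one CSV snapshot into {USERNAME: row}."""
    return {r["USERNAME"]: r for r in csv.DictReader(io.StringIO(csv_text.strip()))}

def compare(site_a, site_b):
    """Return (drift, benign): real differences vs. LAST_LOGIN-only ones."""
    a, b = load(site_a), load(site_b)
    drift, benign = [], []
    for user in sorted(a.keys() | b.keys()):
        if user not in a or user not in b:
            drift.append((user, "missing on one site"))
            continue
        changed = {col for col in a[user] if a[user][col] != b[user].get(col)}
        stable = sorted(changed - VOLATILE)
        if stable:
            drift.append((user, ",".join(stable)))
        elif changed:
            benign.append(user)
    return drift, benign

# Constructed sample data (not taken from a real database).
HEADER = "USERNAME,SYSDBA,SYSOPER,SYSBACKUP,SYSDG,SYSKM,ACCOUNT_STATUS,LAST_LOGIN\n"
PRIMARY = HEADER + """\
SYS,TRUE,TRUE,FALSE,FALSE,FALSE,OPEN,2023-01-10 09:15:02
SYSDG,FALSE,FALSE,FALSE,TRUE,FALSE,OPEN,
OPS_ADM,TRUE,TRUE,FALSE,FALSE,FALSE,OPEN,
BACKUP_ADM,FALSE,FALSE,TRUE,FALSE,FALSE,OPEN,
"""
STANDBY = HEADER + """\
SYS,TRUE,TRUE,FALSE,FALSE,FALSE,OPEN,2023-01-09 22:40:11
SYSDG,FALSE,FALSE,FALSE,TRUE,FALSE,OPEN,
OPS_ADM,TRUE,FALSE,FALSE,FALSE,FALSE,OPEN,
"""

if __name__ == "__main__":
    drift, benign = compare(PRIMARY, STANDBY)
    for user, what in drift:
        print(f"DRIFT  {user}: {what}")
    for user in benign:
        print(f"benign {user}: only LAST_LOGIN differs")
```

V$PWFILE_USERS does not expose password verifiers, so a clean result here covers privileges and account status only and does not confirm that the passwords on both sites match.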
Original author: liups.com
Original link: http://liups.com/posts/fe1bd2fe/
License: Creative Commons Attribution-NonCommercial 4.0 International License