Among the PROFILE resource limits there is a PASSWORD_LOCK_TIME that I had honestly never paid attention to before; over the last couple of days, while reading security-related documentation, I came across this resource limit parameter.
Starting with 10g, Oracle changed the DEFAULT resource limits and set FAILED_LOGIN_ATTEMPTS to 10, which rules out brute-force guessing of a user's password.
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
CORE 10.2.0.4.0 Production
TNS for Solaris: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
SQL> select * from dba_profiles;
PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT
------------------------------ -------------------------------- -------- ------------------
DEFAULT                        COMPOSITE_LIMIT                  KERNEL   UNLIMITED
DEFAULT                        SESSIONS_PER_USER                KERNEL   UNLIMITED
DEFAULT                        CPU_PER_SESSION                  KERNEL   UNLIMITED
DEFAULT                        CPU_PER_CALL                     KERNEL   UNLIMITED
DEFAULT                        LOGICAL_READS_PER_SESSION        KERNEL   UNLIMITED
DEFAULT                        LOGICAL_READS_PER_CALL           KERNEL   UNLIMITED
DEFAULT                        IDLE_TIME                        KERNEL   UNLIMITED
DEFAULT                        CONNECT_TIME                     KERNEL   UNLIMITED
DEFAULT                        PRIVATE_SGA                      KERNEL   UNLIMITED
DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10
DEFAULT                        PASSWORD_LIFE_TIME               PASSWORD UNLIMITED
DEFAULT                        PASSWORD_REUSE_TIME              PASSWORD UNLIMITED
DEFAULT                        PASSWORD_REUSE_MAX               PASSWORD UNLIMITED
DEFAULT                        PASSWORD_VERIFY_FUNCTION         PASSWORD NULL
DEFAULT                        PASSWORD_LOCK_TIME               PASSWORD UNLIMITED
DEFAULT                        PASSWORD_GRACE_TIME              PASSWORD UNLIMITED
已选择16行。
But this introduces another problem at the same time: although it becomes impossible for someone else to guess a user's password by brute force, they can simply keep trying until the account gets locked, which disrupts normal business operation just as effectively.
In 11g, Oracle's delayed authentication of failed passwords is a good way to address this; see: http://yangtingkun.itpub.net/post/468/505041
Oracle also took into account the administrative problems that arise once an account is locked, so it changed the default PROFILE once again:
SQL> select * from dba_profiles;
PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT
------------------------------ -------------------------------- -------- -----------------
DEFAULT                        COMPOSITE_LIMIT                  KERNEL   UNLIMITED
DEFAULT                        SESSIONS_PER_USER                KERNEL   UNLIMITED
DEFAULT                        CPU_PER_SESSION                  KERNEL   UNLIMITED
DEFAULT                        CPU_PER_CALL                     KERNEL   UNLIMITED
DEFAULT                        LOGICAL_READS_PER_SESSION        KERNEL   UNLIMITED
DEFAULT                        LOGICAL_READS_PER_CALL           KERNEL   UNLIMITED
DEFAULT                        IDLE_TIME                        KERNEL   UNLIMITED
DEFAULT                        CONNECT_TIME                     KERNEL   UNLIMITED
DEFAULT                        PRIVATE_SGA                      KERNEL   UNLIMITED
DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10
DEFAULT                        PASSWORD_LIFE_TIME               PASSWORD 180
DEFAULT                        PASSWORD_REUSE_TIME              PASSWORD UNLIMITED
DEFAULT                        PASSWORD_REUSE_MAX               PASSWORD UNLIMITED
DEFAULT                        PASSWORD_VERIFY_FUNCTION         PASSWORD NULL
DEFAULT                        PASSWORD_LOCK_TIME               PASSWORD 1
DEFAULT                        PASSWORD_GRACE_TIME              PASSWORD 7
已选择16行。
Oracle set PASSWORD_LOCK_TIME to 1, so that when an account is locked after too many wrong passwords, it unlocks automatically once 1 day has passed, avoiding the administrative cost of manual DBA intervention.
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
SQL> alter profile default limit password_lock_time 1/24;
配置文件已更改
SQL> select * from dba_profiles;
PROFILE                        RESOURCE_NAME                    RESOURCE LIMIT
------------------------------ -------------------------------- -------- ------------------
DEFAULT                        COMPOSITE_LIMIT                  KERNEL   UNLIMITED
DEFAULT                        SESSIONS_PER_USER                KERNEL   UNLIMITED
DEFAULT                        CPU_PER_SESSION                  KERNEL   UNLIMITED
DEFAULT                        CPU_PER_CALL                     KERNEL   UNLIMITED
DEFAULT                        LOGICAL_READS_PER_SESSION        KERNEL   UNLIMITED
DEFAULT                        LOGICAL_READS_PER_CALL           KERNEL   UNLIMITED
DEFAULT                        IDLE_TIME                        KERNEL   UNLIMITED
DEFAULT                        CONNECT_TIME                     KERNEL   UNLIMITED
DEFAULT                        PRIVATE_SGA                      KERNEL   UNLIMITED
DEFAULT                        FAILED_LOGIN_ATTEMPTS            PASSWORD 10
DEFAULT                        PASSWORD_LIFE_TIME               PASSWORD 180
DEFAULT                        PASSWORD_REUSE_TIME              PASSWORD UNLIMITED
DEFAULT                        PASSWORD_REUSE_MAX               PASSWORD UNLIMITED
DEFAULT                        PASSWORD_VERIFY_FUNCTION         PASSWORD NULL
DEFAULT                        PASSWORD_LOCK_TIME               PASSWORD .0416
DEFAULT                        PASSWORD_GRACE_TIME              PASSWORD 7
已选择16行。
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
警告: 您不再连接到 ORACLE。
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> conn / as sysdba
已连接。
SQL> select username, account_status from dba_users where username = 'TEST';
USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
TEST                           LOCKED(TIMED)
SQL> SET TIME ON
06:43:36 SQL> CONN TEST/TEST
ERROR:
ORA-28000: the account is locked
警告: 您不再连接到 ORACLE。
06:43:42 SQL> CONN TEST/TEST
ERROR:
ORA-28000: the account is locked
07:02:11 SQL> CONN TEST/TEST
ERROR:
ORA-28000: the account is locked
07:17:56 SQL> CONN TEST/TEST
ERROR:
ORA-28000: the account is locked
07:25:49 SQL> CONN TEST/TEST
已连接。
07:50:59 SQL>
Once PASSWORD_LOCK_TIME has elapsed, the account unlocks automatically; this does not apply to accounts that an administrator has locked manually.
Setting a reasonable PASSWORD_LOCK_TIME value effectively reduces the damage a malicious lockout can do, while still preventing the password from being brute-forced.
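As an added example that is not part of the original post: a dedicated profile that keeps the 10-attempt threshold but auto-unlocks after 30 minutes (a fraction of a day, like the 1/24 used above), followed by a query that lists locked accounts and, for time-locked ones only, when they are expected to unlock. The names app_profile and app_user are assumed for illustration.

```sql
-- Added example, not from the original post. app_profile / app_user are assumed names.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 10
  PASSWORD_LOCK_TIME    30/1440;   -- limits are in days: 30/1440 = 30 minutes

ALTER USER app_user PROFILE app_profile;

-- Which accounts are locked right now, and which of them will release themselves?
-- LOCKED(TIMED) comes from FAILED_LOGIN_ATTEMPTS and expires after PASSWORD_LOCK_TIME;
-- a plain LOCKED status was set by a DBA and needs ALTER USER ... ACCOUNT UNLOCK.
SELECT u.username,
       u.account_status,
       u.lock_date,
       p.limit AS lock_time_days,
       CASE
         WHEN u.account_status NOT LIKE '%LOCKED(TIMED)%' THEN NULL   -- manual lock: no auto-unlock
         WHEN p.limit IN ('UNLIMITED', 'DEFAULT')         THEN NULL   -- never, or inherited from DEFAULT
         ELSE u.lock_date + TO_NUMBER(p.limit)                        -- lock_date plus the day fraction
       END AS expected_unlock
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile       = u.profile
       AND p.resource_name = 'PASSWORD_LOCK_TIME'
WHERE  u.account_status LIKE '%LOCKED%'
ORDER  BY u.lock_date;

-- Recovery for a manually locked account (DBA action):
-- ALTER USER app_user ACCOUNT UNLOCK;
```

A profile whose PASSWORD_LOCK_TIME shows DEFAULT takes the value from the DEFAULT profile, so resolve that row against DEFAULT before computing an unlock time.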
From the ITPUB blog, link: http://blog.itpub.net/4227/viewspace-673255/. If reproducing, please cite the source; otherwise legal action will be pursued.