转载自：http://blog.csdn.net/leshami/article/details/5611672

 

一、密码文件

作用：主要进行DBA权限的身份认证DBA用户：具有sysdba，sysoper权限的用户被称为dba用户。默认情况下sysdba角色中存在sys用户，sysoper角色中存在system用户

 

二、Oracle的两种认证方式：

1.使用与操作系统集成的身份验证2.使用Oracle数据库的密码文件进行身份认证

 

三、密码文件的位置

Linux下的存放位置： $ORACLE_HOME/dbs/orapw$ORACLE_SID ，即：ORACLE_HOME/dbs/orapw
     
      Windows下的存放位置:$ORACLE_HOME/database/PWD%ORACLE_SID%.ora密码文件查找的顺序 ：--->orapw
      
       --->orapw--->Failure两种认证方式：类似于SQL server中的windows认证和SQL server认证决定在两个参数中1.remote_login_passwordfile = none | exclusive |shared  位于$ORACLE_HOME/dbs/spfile$ORACLE_SID.ora参数文件中none : 不使用密码文件认证exclusive :要密码文件认证，自己独占使用(默认值)shared ：要密码文件认证，不同实例dba用户可以共享密码文件   2. $ORACLE_HOME/network/admin/sqlnet.ora  SQLNET.AUTHENTICATION_SERVICES = none | all | ntf(windows)none : 表示关闭操作系统认证，只能密码认证all : 用于linux或unix平台，关闭本机密码文件认证，采用操作系统认证，但远程
       <异机>
        可以使用密码文件认证nts : 用于windows平台   不同的组合  1           2none          none      sys用户无论是本机还是远程均不可用判断当前使用的是操作系统认证还是密码认证
       
      
     

四、演示：

--1.在sqlnet.ora中追加SQLNET.AUTHENTICATION_SERVICES = none */[oracle@robinson ~]$ sqlplus / as sysdba /*登陆失败*/SQL*Plus: Release 10.2.0.1.0- Production on Fri Apr 9 10:41:28 2010Copyright (c) 1982, 2005, Oracle. All rights reserved.ERROR:ORA-01031: insufficient privilegesEnter user-name:--------------------------------------------------------------------------------[oracle@robinson ~]$ sqlplus sys/redhat as sysdba /*使用密码文件认证，登陆成功*/SQL*Plus: Release 10.2.0.1.0- Production on Fri Apr 9 10:42:35 2010Copyright (c) 1982, 2005, Oracle. All rights reserved.Connected to:Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- ProductionWith the Partitioning, OLAPand Data Mining optionsSQL> --=================================================================================--2.将SQLNET.AUTHENTICATION_SERVICES的值改为all[oracle@robinson admin]$ sqlplus / as sysdba /*采用本机认证可以登陆*/SQL*Plus: Release 10.2.0.1.0- Production on Fri Apr 9 10:46:55 2010Copyright (c) 1982, 2005, Oracle. All rights reserved.Connected to:Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- ProductionWith the Partitioning, OLAPand Data Mining optionsSQL> --------------------------------------------------------------------------------------[oracle@robinson admin]$ sqlplus sys/redhat@orclas sysdba /*使用密码文件登陆认证失败*/SQL*Plus: Release 10.2.0.1.0- Production on Fri Apr 9 10:48:35 2010Copyright (c) 1982, 2005, Oracle. All rights reserved.ERROR:ORA-12641: Authenticationservice failed to initializeEnter user-name:--注：此时可以使用远程登陆。 --使用#符号将新增的SQLNET.AUTHENTICATION_SERVICES行注释掉恢复到缺省值

五、密码文件的建立：orapwd

[oracle@robinson ~]$ orapwdUsage: orapwd file=
     
       password=
      
        entries=
       
         force=
        
           where   file - name of password file (mand), /*密码文件的名字orapw
         
          */   password - password for SYS (mand),  /*sys用户的密码*/   entries - maximum number of distinct DBA and /*可以有多少个sysdba,sysoper权限用户放到密码文件中去，去掉重复记录*/                                               /*注意entries中存放的个数但不是实际个数，这个是二进制数据*/     force - whether to overwrite existingfile (opt),/*10g新增的参数，默认值为n ,y表示允许覆盖*/OPERs (opt),  There are no spaces around the equal-to(=) character.  --修改密码：[oracle@robinson ~]$ cd $ORACLE_HOME/dbs[oracle@robinson dbs]$ ll orapworcl-rw-r----- 1 oracle oinstall 1536 Apr 7 15:50 orapworcl[oracle@robinson dbs]$ orapwd file=orapworcl password=oracle force=y[oracle@robinson dbs]$ sqlplus sys/oracle@orclas sysdbaSQL*Plus: Release 10.2.0.1.0- Production on Fri Apr 9 11:34:09 2010Copyright (c) 1982, 2005, Oracle. All rights reserved.Connected to:Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- ProductionWith the Partitioning, OLAPand Data Mining optionsSQL>   --将密码改回原来的密码[oracle@robinson dbs]$ orapwd file=orapworcl password=redhatOPW-00005:File with same name exists - pleasedelete or rename[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat force=y[oracle@robinson dbs]$ rm orapworcl  /*删除密码文件*/[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat/*重建密码文件*/--演示将entries改为，然后将多个用户设置为sysdba或sysoper[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat entries=1[oracle@robinson dbs]$ strings orapworcl]/[ZORACLE Remote Password fileINTERNALF7AC0C5E9C3C37ABE100B964899CDDDF--创建PL/SQL增加个新用户SQL> begin  2  for iin 1..20 loop  3  execute immediate'create user u'||i||' identified by u'||i||'';  4  end loop;  5  end;  6  /--将新用户赋予sysdba角色PL/SQL procedure successfully completed.SQL> begin  2  for iin 1..20 loop  3  execute immediate'grant sysdba to u'||i||'';  4  end loop;  5  end;  6  /begin  /*得到和密码文件相关的错误提示*/*ERROR at line 1:ORA-01996:GRANT failed: passwordfile '' is fullORA-06512: at line 3--再次查看orapworcl发现多出了行，即当设置为的时候多出了个用户。原因是该密码文件是二进制文件，按矩阵计算可存放多少[oracle@robinson dbs]$ strings orapworcl]/[ZORACLE Remote Password fileINTERNALF7AC0C5E9C3C37ABE100B964899CDDDF3E81B724A296E296668509DF9DD36B439CE6AF1E3F609FFC7E19965085C9ED47--注意不要轻易删掉密码文件，这样会将其他账户的信息也删除
         
        
       
      
     

六、导致密码文件内容修改的几种方式：

1.使用orapwd建立，修改密码文件，不建议使用2.使用alter user sys identified by <>3.使用grant sysdba to <>或grant sysoper to <>或revoke sysdba |sysoper from <>

七、查看密码文件内容

[oracle@robinson dbs]$ strings orapworcl]/[ZORACLE Remote Password fileINTERNALF7AC0C5E9C3C37ABE100B964899CDDDF--当sys密码不记得可以使用OS系统身份认证登陆到sqlplus,再使用alter user修改密码SQL> alteruser sys identified by oracle;User altered--再次查看密码文件与上一次对比，已经发生变化SQL> ho strings orapworcl]/[ZORACLE Remote Password fileINTERNALAB27B53EDC5FEF418A8F025737A9097A--通过授予权限来修改密码，密码文件中多出了scott的信息SQL> grant sysdbato scott;Grant succeeded.SQL> ho strings orapworcl]/[ZORACLE Remote Password fileINTERNALAB27B53EDC5FEF418A8F025737A9097ASCOTTF894844C34402B67--注意此处中登陆后，显示的账户信息还是sys,而不是scott,但此时的scott已经具备了sys权限[oracle@robinson dbs]$ sqlplus scott/tiger@orclas sysdbaSQL*Plus: Release 10.2.0.1.0- Production on Fri Apr 9 11:56:09 2010Copyright (c) 1982, 2005, Oracle. All rights reserved.Connected to:Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- ProductionWith the Partitioning, OLAPand Data Mining optionsSQL> show userUSER is "SYS"

八、sysdba与sysoper的区别:

SQL> select* from system_privilege_mapwhere name like '%SYS%'; PRIVILEGE NAME                                      PROPERTY---------- ---------------------------------------- ----------       -3 ALTER SYSTEM                                     0       -4 AUDIT SYSTEM                                     0      -83 SYSDBA                                           0      -84 SYSOPER                                          0      --下面的链接是两者不同的权限说明    http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref137The manner in which you are authorized to use these privileges depends upon the methodof authentication that you use.When you connect with SYSDBA or SYSOPER privileges, you connectwith a default schema, not with theschema that is generally associatedwith your username.For SYSDBA this schemais SYS; for SYSOPER the schema is PUBLIC.--两者的schema不同SQL> show userUSER is "SYS"SQL> conn /as sysoperConnected.SQL> show userUSER is "PUBLIC"--查看密码文件视图，可以得到哪些用户为sysdba,哪些用户为sysoperSQL> select* from v$pwfile_users;USERNAME                       SYSDB SYSOP------------------------------ ----- -----SYS                            TRUE  TRUESCOTT                          TRUE  FALSEUSER1                          FALSE TRUE--下面演示了使用不同的角色来登陆SQL> conn scott/tiger@orclas sysdbaConnected.SQL> conn scott/tiger@orclas sysoper  /*scott的sysop列为false*/ERROR:ORA-01031: insufficient privilegesWarning: You are no longer connected to ORACLE.SQL> conn user1/user1@orclas sysdbaERROR:ORA-01031: insufficient privilegesSQL> conn user1/user1as sysoperConnected.