OS验证和禁用远程sysdba的矛盾问题

miloluo

各位好，
想请教个问题。目前遇到的问题是客户既想要禁用os验证，也要禁用远程以dba身份登录。
那么，通常的做法是：

禁用os验证：
在sqlnet.ora里，加入或修改参数为

1. SQLNET.AUTHENTICATION_SERVICES=NONE

复制代码

禁用远程sysdba：
在参数文件中修改：

1. REMOTE_LOGIN_PASSWORDFILE=NONE

复制代码

那么如果是二者都设置的话，登录sysdba用户，启动数据库时回报权限不足的错误：

1. [oracle@virt1 ~]$ sqlplus sys/oracle as sysdba
   
2. 
   
3. SQL*Plus: Release 10.2.0.5.0 - Production on Tue Jun 19 20:05:21 2012
   
4. 
   
5. Copyright (c) 1982, 2010, Oracle.  All Rights Reserved.
   
6. 
   
7. Connected to an idle instance.
   
8. 
   
9. SQL> startup
   
10. ORA-01031: insufficient privileges
    
11. 
    
12. SQL> show user ;
    
13. USER is "SYS"

复制代码

如果使用oracle的wallet方式，用户也不接受，因为只要搞定os用户，搞定tns也能搞定相应用户的登录问题。

想请教各位有没什么好的办法。

另外，还有一个问题：
PS：听说listener的加密在10g及其以后版本已经不建议使用，那么10g之前使用它的backgroup是什么？

谢谢。

Maclean Liu(刘相兵

SQLNET.AUTHENTICATION_SERVICES=NONE+ REMOTE_LOGIN_PASSWORDFILE=NONE = NO SYSDBA LOGON

NO SYSDBA  LOGON是不现实的

10g以后 listener password即监听密码不起作用

Password Not Required When Administering 10g or Newer Listeners Using Lsnrctl Utility

Applies to:
Oracle Net Services - Version: 10.1.0.2.0 to 11.2.0.1   [Release: 10.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 10-APR-2008.
Symptoms
After setting a password for the 10g or newer listener, the lsnrctl utility doesn't require a password for stopping or issuing privileged commands.
Changes
A password has been configured in the listener.
Cause

This is a known feature that was introduced with 10gR1 and is included in all newer versions of the listener — the "Local OS Authentication" feature, which is activated by default:
$ lsnrctl status

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 08-JUN-2006 17:41:40

Copyright (c) 1991, 2005, Oracle. All rights reserved.



Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 30-MAY-2006 19:47:09
Uptime 8 days 21 hr. 54 min. 31 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF


The "Local OS Authentication" feature permits the user who started the listener to administer it without providing a password even when a password is set.
Solution

It is possible to disable the Local OS Authentication and use the password feature if necessary.

To disable the "Local OS Authentication" feature follow the procedure outlined below:
1.  Stop the listener.
2.  Add the following parameter in the listener.ora file and save it (replace <listener_name> with your listener service name, use LISTENER for the default listener):
LOCAL_OS_AUTHENTICATION_<listener_name> = OFF
3.  Restart the listener



Once this is done, only password authentication is enabled for administering the listener or usage of privileged commands in LSNRCTL utility:

    $ lsnrctl status

    LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 08-JUN-2006 17:41:40

    Copyright (c) 1991, 2005, Oracle. All rights reserved.

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    STATUS of the LISTENER
    ------------------------
    Alias             LISTENER
    Version           TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    Start Date        30-MAY-2006 19:47:09
    Uptime            8 days 21 hr. 54 min. 40 sec
    Trace Level       off
    Security          ON: Password
    SNMP              OFF

    Note the Security setting is "ON:  Password" versus "Password or Local OS Authentication" as shown in the previous lsnrctl status output.

miloluo

感谢Maclean.
第一个参数的问题已经明白了。 汗。。。客户的文档写了这两个都改，还好做了下试验，问了下，不然。。。

关于第二个问题，我还有如下问题
lsnrctl的权限是：

1. [oracle@virt1 admin]$ ls -l $ORACLE_HOME/bin/lsnrctl
   
2. -rwxr-x--x 1 oracle oinstall 133235 May 12 12:43 /opt/oracle/10.2.0/db1/bin/lsnrctl

复制代码

也就是说这个lsnrctl可以由oracle用户，及oinstall组可以执行。

在用一个用户(在oinstall)组去执行的时候，在10g上会报这个错：

1. [root@virt1 ~]# useradd test1 -g test -G oinstall
   
2. [root@virt1 ~]# echo test1 | passwd --stdin test1
   
3. Changing password for user test1.
   
4. passwd: all authentication tokens updated successfully.
   
5. [root@virt1 ~]#
   
6. [root@virt1 ~]#
   
7. [root@virt1 ~]#
   
8. [root@virt1 ~]# su - test1
   
9. [test1@virt1 ~]$ /opt/oracle/10.2.0/db1/bin/lsnrctl stop
   
10. 
    
11. LSNRCTL for Linux: Version 10.2.0.5.0 - Production on 19-JUN-2012 21:38:03
    
12. 
    
13. Copyright (c) 1991, 2010, Oracle.  All rights reserved.
    
14. 
    
15. Message 1053 not found; No message file for product=network, facility=TNSTNS-01190: Message 1190 not found; No message file for product=network, facility=TNS

复制代码

因为，手头没有9i的环境，也只能怀疑在属组上10g之前的版本存在漏洞，所以设置了密码。
不知道这样理解是否正确。

谢谢。

saup007

1. [root@localhost ~]# useradd oratest1  -G oinstall,dba
   
2. 
   
3. [oratest1@localhost ~]$ id oratest1
   
4. uid=501(oratest1) gid=502(oratest1) groups=502(oratest1),500(oinstall),501(dba)
   
5. [oratest1@localhost ~]$
   
6. [oratest1@localhost ~]$ cat .bash_profile
   
7. # .bash_profile
   
8. 
   
9. # Get the aliases and functions
   
10. if [ -f ~/.bashrc ]; then
    
11.         . ~/.bashrc
    
12. fi
    
13. 
    
14. # User specific environment and startup programs
    
15. 
    
16. PATH=$PATH:$HOME/bin
    
17. 
    
18. export PATH
    
19. unset USERNAME
    
20. 
    
21. export ORACLE_BASE=/u01/app/oracle
    
22. export ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1
    
23. #export ORACLE_SID=saup10g
    
24. export ORACLE_SID=SAUP10G
    
25. export PATH=$PATH:$HOME/BIN:$ORACLE_HOME/bin
    
26. export NLS_DATE_FORMAT='YYYY-MM-DD HH24:MI:SS'
    
27. export NLS_LANG="AMERICAN_AMERICA.ZHS16GBK"
    
28. 
    
29. [oratest1@localhost ~]$ . .bash_profile
    
30. [oratest1@localhost ~]$ /u01/app/oracle/product/10.2.0/db_1/bin/lsnrctl status
    
31. 
    
32. LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 20-JUN-2012 00:07:40
    
33. 
    
34. Copyright (c) 1991, 2005, Oracle.  All rights reserved.
    
35. 
    
36. Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521)))
    
37. STATUS of the LISTENER
    
38. ------------------------
    
39. Alias                     LISTENER
    
40. Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    
41. Start Date                29-APR-2012 00:18:26
    
42. Uptime                    51 days 23 hr. 49 min. 13 sec
    
43. Trace Level               off
    
44. Security                  ON: Local OS Authentication
    
45. SNMP                      OFF
    
46. Listener Parameter File   /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
    
47. Listener Log File         /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
    
48. Listening Endpoints Summary...
    
49.   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost.localdomain)(PORT=1521)))
    
50.   (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
    
51. Services Summary...
    
52. Service "PLSExtProc" has 1 instance(s).
    
53.   Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    
54. Service "SAUP10G" has 1 instance(s).
    
55.   Instance "SAUP10G", status UNKNOWN, has 1 handler(s) for this service...
    
56. Service "SAUP10G.LK" has 1 instance(s).
    
57.   Instance "SAUP10G", status READY, has 1 handler(s) for this service...
    
58. Service "SAUP10GXDB.LK" has 1 instance(s).
    
59.   Instance "SAUP10G", status READY, has 1 handler(s) for this service...
    
60. Service "SAUP10G_XPT.LK" has 1 instance(s).
    
61.   Instance "SAUP10G", status READY, has 1 handler(s) for this service...
    
62. The command completed successfully

复制代码