Oracle 20c New Feature: Force Password File Case Sensitive



Starting with Oracle Database 20c, the database enforces case-sensitive password files. Case-sensitive password files give stronger protection (the legacy 10G verifier was computed over the upper-cased password, so mixed case added nothing to its strength), and Oracle recommends using them.

To enforce this, Oracle removed the parameter that enabled or disabled case sensitivity for the password file. All passwords in a newly created password file are case-sensitive.

In releases before 20c, orapwd accepted an ignorecase parameter that controlled whether case was ignored:

[oracle@enmotech ~]$ orapwd
Usage: orapwd file=<fname> entries=<users> force=<y/n> ignorecase=<y/n> nosysdba=<y/n>

   file - name of password file (required),
   password - password for SYS will be prompted if not specified at command line,
   entries - maximum number of distinct DBA (optional),
   force - whether to overwrite existing file (optional),
   ignorecase - passwords are case-insensitive (optional),
   nosysdba - whether to shut out the SYSDBA logon (optional Database Vault only).
 There must be no spaces around the equal-to (=) character.

The ignorecase option has been removed in 20c:

[oracle@enmotech ~]$ orapwd
Usage 1: orapwd file=<fname> force={y|n} asm={y|n}
         dbuniquename=<dbname> format={12|12.2}
         delete={y|n} input_file=<input-fname>
         'sys={y | password | external(<sys-external-name>)
               | global(<sys-directory-DN>)}'
         'sysbackup={y | password | external(<sysbackup-external-name>)
                     | global(<sysbackup-directory-DN>)}'
         'sysdg={y | password | external(<sysdg-external-name>)
                 | global(<sysdg-directory-DN>)}'
         'syskm={y | password | external(<syskm-external-name>)
                 | global(<syskm-directory-DN>)}'

Usage 2: orapwd describe file=<fname>

   file   - name of password file (required),
   password
          - password for SYS will be prompted
            if not specified at command line.
            Ignored, if input_file is specified,
   force  - whether to overwrite existing file, also clears
            CRS resource if it already has password file
            registered (optional),
   asm    - indicates that the ASM instance password file is to
            be stored in Automatic Storage Management (ASM)
            disk group (optional),
   dbuniquename
          - unique database name used to identify database
            password files residing in ASM diskgroup
            or Exascale Vault.
            Ignored when asm option is specified (optional),
   format - use format=12 for new 12c features like SYSBACKUP, SYSDG
            and SYSKM support, longer identifiers, SHA2 Verifiers etc.
            use format=12.2 for 12.2 features like enforcing user
            profile (password limits and password complexity) and
            account status for administrative users.
            If not specified, format=12.2 is default (optional),
   delete - drops a password file. Must specify 'asm',
            'dbuniquename' or 'file'. If 'file' is specified,
            the file must be located on an ASM diskgroup
            or Exascale Vault,
   input_file
          - name of input password file, from where old user
            entries will be migrated (optional),
   sys    - specifies if SYS user is password, externally or
            globally authenticated.
            For external SYS, also specifies external name.
            For global SYS, also specifies directory DN.
            SYS={y | password} specifies if SYS user password needs
            to be changed when used with input_file,
   sysbackup
          - creates SYSBACKUP entry (optional).
            Specifies if SYSBACKUP user is password, externally or
            globally authenticated.
            For external SYSBACKUP, also specifies external name.
            For global SYSBACKUP, also specifies directory DN.
            Ignored, if input_file is specified,
   sysdg  - creates SYSDG entry (optional).
            Specifies if SYSDG user is password, externally or
            globally authenticated.
            For external SYSDG, also specifies external name.
            For global SYSDG, also specifies directory DN.
            Ignored, if input_file is specified,
   syskm  - creates SYSKM entry (optional).
            Specifies if SYSKM user is password, externally or
            globally authenticated.
            For external SYSKM, also specifies external name.
            For global SYSKM, also specifies directory DN.
            Ignored, if input_file is specified,
   describe
          - describes the properties of specified password file

 There must be no spaces around the equal-to (=) character.

In earlier releases, password file accounts that had only a 10G verifier could perform only case-insensitive administrative authentication.

The password file lives outside the database, which lets Oracle Database authenticate administrative connections (those that use the AS administrative_privilege_name clause, for example AS SYSKM) even while the database is CLOSED.


To force such a legacy password file to be case-sensitive, Oracle recommends migrating it from the old format to the new one with the following syntax, and then changing the password of every account that has only a 10G verifier:

orapwd FILE=new_pwd_file_name INPUT_FILE=old_pwd_file_name [FORMAT=12.2]

The FORMAT and FORCE options are optional. If FORMAT is omitted, it defaults to 12.2. If FILE and INPUT_FILE point to the same file, FORCE=y is required so that the existing file is overwritten. After the migration, orapwd describe file=<fname> (Usage 2 above) reports the format of the resulting file, which is the quickest way to confirm that the new 12.2 file is the one actually in use.

orapwd FILE='/u01/oracle/dbs/new_pwd_file_name' INPUT_FILE='/u01/oracle/dbs/old_pwd_file_name' FORMAT=12.2 FORCE=y
Enter password for SYS: password


If you imported user accounts from an earlier release that were created with the SYSDBA or SYSOPER administrative privilege, those accounts are carried into the password file with case-insensitive passwords. Their passwords become case-sensitive the next time they are changed, so for better security have these users change their passwords. You can use the ALTER USER username PASSWORD EXPIRE statement to expire a user's password; the user is then prompted to change it at the next login.
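Finding the accounts that still need a password change after the migration, as an added example that is not part of the original post or of Oracle's documentation. The password file itself does not expose verifier versions (V$PWFILE_USERS lists only the users and their administrative privileges), so the queries below use DBA_USERS.PASSWORD_VERSIONS, the space-separated list of data-dictionary verifiers such as '10G 11G 12C ', as the indicator of a 10G-only account, restrict it to the users present in the password file, and generate the ALTER USER ... PASSWORD EXPIRE statements described above for review rather than executing them blindly. It assumes Oracle Database 12.2 or later and that it is run as SYSDBA in a non-CDB or in the root container; both views and the column names are Oracle's own.

```sql
-- Added example, not code from the original post.
-- Assumptions: run AS SYSDBA on 12.2+ in a non-CDB or the root container;
-- DBA_USERS.PASSWORD_VERSIONS is used as the indicator for 10G-only accounts
-- because V$PWFILE_USERS does not expose verifier versions.

-- 1. Who is in the password file, and with which administrative privileges?
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Password-file users whose dictionary verifier is 10G-only:
--    the list contains '10G' but neither '11G' nor '12C'.
SELECT u.username, u.password_versions, u.account_status
FROM   dba_users u
JOIN   v$pwfile_users p ON p.username = u.username
WHERE  INSTR(u.password_versions, '10G') > 0
AND    INSTR(u.password_versions, '11G') = 0
AND    INSTR(u.password_versions, '12C') = 0
ORDER  BY u.username;

-- 3. Generate the expiry statements for review. SYS is excluded on purpose:
--    expire it separately, after confirming that another administrative
--    login (or OS authentication) still works, so you cannot lock yourself
--    out of a CLOSED database.
SELECT 'ALTER USER "' || u.username || '" PASSWORD EXPIRE;' AS fix_sql
FROM   dba_users u
JOIN   v$pwfile_users p ON p.username = u.username
WHERE  INSTR(u.password_versions, '10G') > 0
AND    INSTR(u.password_versions, '11G') = 0
AND    INSTR(u.password_versions, '12C') = 0
AND    u.username <> 'SYS'
ORDER  BY u.username;

-- 4. Re-run query 2 after the users have logged in and changed their
--    passwords; it should return no rows once every administrative account
--    has a case-sensitive (11G/12C) verifier.
```

Spool the output of query 3 to a script, review it, and run it in a maintenance window; the expired users are prompted for a new password at their next login, and that new password is stored with a case-sensitive verifier.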