Oracle不知道用户密码情况下,如何在不更改密码的前提下解锁用户或者延期密码有效期
1.问题描述:
生产环境,zabbix告警业务用户密码即将过期,但是如何不知道业务用户密码的情况下来解决该问题?
2.实验一:
1)创建新的用户test,并授予test resource角色和connect权限,并测试连接test用户
SYS@PROD4 >create user test identified by test;
User created.
SYS@PROD4 >grant resource to test;
Grant succeeded.
SYS@PROD4 >grant connect to test;
Grant succeeded.
SYS@PROD4 >conn test/test;
Connected.
2)查看test用户的状态(open),
TEST@PROD4 >conn / as sysdba
Connected.
SYS@PROD4 >set linesize 200 pagesize 200
SYS@PROD4 >col username for a10
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='SCOTT';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- --- --------------------------- -------------------------------- --------- --------- --------- --------
TEST OPEN 20-AUG-20 22-FEB-20 10G 11G
3)锁定test用户,并验证
SYS@PROD4 >alter user test account lock;
User altered.
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='TEST';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- ------------------------------ -------------------------------- --------- --------- --------- --------
TEST LOCKED 22-FEB-20 20-AUG-20 22-FEB-20 10G 11G
SYS@PROD4 >conn test/test;
ERROR:
ORA-28000: the account is locked
Warning: You are no longer connected to ORACLE.
@ >conn / as sysdba
Connected.
4)查看ora 28000报错
SYS@PROD4 >!oerr ora 28000
28000, 00000, "the account is locked"
// *Cause: The user has entered wrong password consequently for maximum
// number of times specified by the user's profile parameter
// FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
// *Action: Wait for PASSWORD_LOCK_TIME or contact DBA
5)查看test用户的密码在user$中的hash值
SYS@PROD4 >select name,password from user$ where name='TEST';
NAME PASSWORD
------------------------------ ------------------------------
TEST 7A0F2B316C212D67
5)利用该hash值解锁scott用户
SYS@PROD4 >alter user test identified by values '7A0F2B316C212D67' account unlock;
User altered.
6)用原密码测试连接scott用户
SYS@PROD4 >conn test/test;
Connected.
TEST@PROD4 >show user;
USER is "TEST"
结论:在不知道用户密码的情况下,可以通过查询用户密码的hash值,在不更改密码的情况下解锁用户
测试二:
1)查看scott用户密码的hash值
TEST@PROD4 >conn / as sysdba
Connected.
SYS@PROD4 >select name,password from user$ where name='SCOTT';
NAME PASSWORD
------------------------------ ------------------------------
SCOTT F894844C34402B67
2)查看scott用户的过期时间
SYS@PROD4 >set linesize 200 pagesize 200
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='SCOTT';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- ------------------------------ -------------------------------- --------- --------- --------- --------
SCOTT OPEN 07-AUG-20 18-SEP-11 10G 11G
3)利用scott用户密码的hash值重置用户的过期时间
SYS@PROD4 >alter user SCOTT identified by values 'F894844C34402B67';
User altered.
4)查看scott用户的密码过期时间(发现已经被重置)
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='SCOTT';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- ------------------------------ -------------------------------- --------- --------- --------- --------
SCOTT OPEN 20-AUG-20 18-SEP-11 10G
5)验证scott用户用原密码是否可登陆
@ >conn scott/tiger;
Connected.
SCOTT@PROD4 >show user;
USER is "SCOTT"
结论:可以在不知道用户密码的情况下,重置用户密码有效期