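Scenario: a test database environment in the cloud, with password complexity verification enabled by default.
My sample user is ssb, but after a while its password expired and had to be reset.
I wanted to reuse the complex password I had set the first time, but got the following error: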
[oracle@xy23ai ~]$ sqlplus ssb/****@orclpdb1
SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Wed Dec 4 07:53:22 2024
Version 23.5.0.24.07
Copyright (c) 1982, 2024, Oracle. All rights reserved.
ERROR:
ORA-28001: The account has expired. The password must be changed.
Help: https://docs.oracle.com/error-help/db/ora-28001/
Changing password for ssb
New password: <the complex password set the first time was entered here>
Retype new password: <same as above>
ERROR:
ORA-28007: The password cannot be reused.
Help: https://docs.oracle.com/error-help/db/ora-28007/
Password unchanged
Enter user-name:
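Disabling password complexity verification actually takes just one command, but I'll walk through the process.
Because the password complexity function is associated with a profile, I first need to check which profile the ssb user uses: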
SQL> select profile from dba_users where username = 'SSB';
PROFILE
--------------------------------------------------------------------------------
DEFAULT
The result shows the default profile, DEFAULT. Next, query this profile's limits, password-related ones only:
SQL> select resource_name, limit from dba_profiles where profile = 'DEFAULT' and resource_type = 'PASSWORD';
RESOURCE_NAME LIMIT
-------------------------------- ----------------------------------------
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_REUSE_MAX 5
PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 365
PASSWORD_LOCK_TIME 1
PASSWORD_GRACE_TIME 7
INACTIVE_ACCOUNT_TIME 365
PASSWORD_ROLLOVER_TIME 0
9 rows selected.
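The result shows that the password verification function is ORA12C_STRONG_VERIFY_FUNCTION.
To see which password verification functions the database supports, check the following file: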
$ grep 'create or replace function' $ORACLE_HOME/rdbms/admin/catpvf.sql
create or replace function ora_complexity_check
create or replace function ora_string_distance
create or replace function ora12c_strong_verify_function
create or replace function ora12c_stig_verify_function
Disable the password verification function and confirm:
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;
Profile altered.
SQL> select resource_name, limit from dba_profiles where profile = 'DEFAULT' and resource_type = 'PASSWORD' and resource_name = 'PASSWORD_VERIFY_FUNCTION';
RESOURCE_NAME LIMIT
-------------------------------- ----------------------------------------
PASSWORD_VERIFY_FUNCTION NULL
This time, reusing the previous password succeeded:
[oracle@xy23ai ~]$ sqlplus ssb/****@orclpdb1
SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Wed Dec 4 08:13:50 2024
Version 23.5.0.24.07
Copyright (c) 1982, 2024, Oracle. All rights reserved.
ERROR:
ORA-28001: The account has expired. The password must be changed.
Help: https://docs.oracle.com/error-help/db/ora-28001/
Changing password for ssb
New password: <the complex password set the first time was entered here>
Retype new password: <same as above>
Password changed
Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.5.0.24.07
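ALTER PROFILE DEFAULT changes the limit for every account assigned to DEFAULT, not only ssb. The following is an added example, not part of the original post, that confines the relaxed setting to the test user and then audits which accounts have no verification function in effect; the profile name TEST_NOVERIFY is an assumption made for illustration.

```sql
-- Added example. TEST_NOVERIFY is a hypothetical profile name.

-- 1. Put the verification function back on DEFAULT
--    (the value shown in the dba_profiles output earlier on this page).
ALTER PROFILE DEFAULT LIMIT
  PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION;

-- 2. Create a dedicated profile that relaxes only this one limit.
--    Limits not listed here take their values from DEFAULT.
CREATE PROFILE test_noverify LIMIT
  PASSWORD_VERIFY_FUNCTION NULL;

-- 3. Assign it to the test account only.
ALTER USER ssb PROFILE test_noverify;

-- 4. Audit: accounts whose effective PASSWORD_VERIFY_FUNCTION is NULL.
--    A profile limit of 'DEFAULT' means "use the DEFAULT profile's value",
--    so resolve it against DEFAULT before comparing.
SELECT u.username,
       u.profile,
       u.account_status
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile       = u.profile
       AND p.resource_type = 'PASSWORD'
       AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
JOIN   dba_profiles d
       ON  d.profile       = 'DEFAULT'
       AND d.resource_type = 'PASSWORD'
       AND d.resource_name = 'PASSWORD_VERIFY_FUNCTION'
WHERE  DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'NULL'
ORDER  BY u.username;

-- 5. When the test account no longer needs the exception,
--    move it back and drop the relaxed profile.
ALTER USER ssb PROFILE DEFAULT;
DROP PROFILE test_noverify;
```

In a test environment the audit query in step 4 should return only ssb after step 3; any other row is an account that can set a password without a complexity check.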
Reference
- Security Guide: 3.2.6 Managing the Complexity of Passwords