本文轉載：鏈接：http://www.eygle.com/archives/2004/06/passwordfile.html


在數據庫沒有啟動之前，數據庫內建用戶是無法通過數據庫來驗證身份的

口令文件中存放sysdba/sysoper用戶的用戶名及口令
允許用戶通過口令文件驗證，在數據庫未啟動之前登陸
從而啟動數據庫

如果沒有口令文件，在數據庫未啟動之前就只能通過操作系統認證.

使用Rman，很多時候需要在nomount,mount等狀態對數據庫進行處理
所以通常要求sysdba權限如果屬于本地DBA組，可以通過操作系統認證登陸
如果是遠程sysdba登陸，需要通過passwordfile認證.

1.remote_login_passwordfile = NONE

此時停用口令文件驗證，Oracle數據庫不允許遠程SYSDBA/SYSOPER身份登錄
無法通過遠程進行數據庫起停等操作管理

local:

[oracle@jumper oracle]$ sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.3.0 - Production on Thu Apr 15 09:58:45 2004
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.3.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.3.0 - Production
SQL> alter user sys identified by oracle;
User altered.
SQL> show parameter pass
NAME                      TYPE   VALUE
--------------------- ----------- ------------------------------
remote_login_passwordfile string NONE

remote:

E:\Oracle\ora92\bin>sqlplus /nolog



SQL*Plus: Release 9.2.0.4.0 -
Production on 星期四 4月 15 09:39:22 2004



Copyright (c) 1982, 2002, Oracle
Corporation. All rights reserved.



SQL> connect sys/oracle@hsjf as
sysdba

ERROR:

ORA-01017: invalid username/password; logon denied

此處實際上是無法通過口令文件驗證

2.remote_login_passwordfile = exclusive

SQL> alter system set remote_login_passwordfile=exclusive scope=spfile;
System altered.
SQL> startup force;
ORACLE instance started.
Total System Global Area 131142648 bytes
Fixed Size 451576 bytes
Variable Size 104857600 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
SQL> show parameter pass
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
SQL> alter user sys identified by oracle;
User altered.

remote:

E:\Oracle\ora92\bin>sqlplus /nolog



SQL*Plus: Release 9.2.0.4.0 -
Production on 星期四 4月 15 09:47:11 2004



Copyright (c) 1982, 2002, Oracle
Corporation. All rights reserved.



SQL> connect sys/oracle@hsjf as
sysdba

已連接。

SQL> show user

USER 為"SYS"

SQL>

這實際上就是通過口令文件驗證登錄的

3.進一步測試

如果此時我們刪除passwdfile,sysdba/sysoper將無法認證，也就無法登陸數據庫

Server:

SQL> !
[oracle@jumper oracle]$ cd $ORACLE_HOME/dbs
[oracle@jumper dbs]$ ls orapwhsjf
orapwhsjf
[oracle@jumper dbs]$ mv orapwhsjf orapwhsjf.bak
[oracle@jumper dbs]$

Remote:

E:\Oracle\ora92\bin>sqlplus /nolog

SQL*Plus: Release 9.2.0.4.0 - Production on 星期四 4月 15 09:50:14 2004

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

SQL> connect sys/oracle@hsjf as sysdba
ERROR:
ORA-01031: insufficient privileges


SQL>

這實際上就是無法通過口令文件驗證身份

4.如果丟失了passwdfile

如果使用passwdfile卻意外丟失，此時將不能啟動數據庫

SQL> startup force;
ORACLE instance started.

Total System Global Area 131142648 bytes
Fixed Size 451576 bytes
Variable Size 104857600 bytes
Database Buffers 25165824 bytes
Redo Buffers 667648 bytes
ORA-01990: error opening password file '/opt/oracle/product/9.2.0/dbs/orapw'
ORA-27037: unable to obtain file status
Linux Error: 2: No such file or directory
Additional information: 3

此時可以通過orapwd重建口令文件來解決
此處我們恢復口令文件既可

SQL> !
[oracle@jumper oracle]$ mv $ORACLE_HOME/dbs/orapwhsjf.bak orapwhsjf
[oracle@jumper oracle]$ exit
exit

SQL> alter database open;

Database altered.

SQL>

大致就是如此.

5. remote_login_passwordfile = shared

我們看一下Oracle9i文檔中的說明:

SHARED

More than one database can use a password file. However, the only user recognized by the password file is SYS.

意思是說多個數據庫可以共享一個口令文件,但是只可以識別一個用戶:SYS

SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE

SQL> grant sysdba to eygle;
grant sysdba to eygle
*
ERROR at line 1:
ORA-01994: GRANT failed: cannot add users to public password file

SQL> show parameter password

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string SHARED

我們看到,此時的口令文件中是不能添加用戶的.

很多人的疑問在于:口令文件的缺省名稱是orapw<sid>,怎么能夠共享?

實際上是這樣的: Oracle數據庫在啟動時,首先查找的是orapw<sid>的口令文件,如果該文件不存在,則開始查找,orapw的口令文件
如果口令文件命名為orapw,多個數據庫就可以共享.

我們看一下測試:

[oracle@jumper dbs]$ sqlplus "/ as sysdba"
SQL*Plus: Release 9.2.0.3.0 - Production on Tue Jul 6 09:40:34 2004
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.3.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.3.0 - Production
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> !
[oracle@jumper dbs]$ ls
hsjf  initdw.ora  inithsjf.ora  init.ora  lkHSJF  orapwhsjf  spfilehsjf.ora
[oracle@jumper dbs]$ mv orapwhsjf orapwhsjf.bak
[oracle@jumper dbs]$ exit
exit
SQL> startup
ORACLE instance started.
Total System Global Area  235999908 bytes
Fixed Size                   451236 bytes
Variable Size             201326592 bytes
Database Buffers           33554432 bytes
Redo Buffers                 667648 bytes
ORA-01990: error opening password file '/opt/oracle/product/9.2.0/dbs/orapw'--這是最后查找的文件
ORA-27037: unable to obtain file status
Linux Error: 2: No such file or directory
Additional information: 3

我們建立orapw口令文件,這時候可以打開數據庫.

SQL> !
[oracle@jumper dbs]$ ls
hsjf  initdw.ora  inithsjf.ora  init.ora  lkHSJF  orapwhsjf.bak  spfilehsjf.ora
[oracle@jumper dbs]$ cp orapwhsjf.bak orapw
[oracle@jumper dbs]$ exit
exit
SQL> alter database open;
Database altered.
SQL> show parameter passw
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      SHARED
SQL>    

那么你可能會有這樣的疑問,多個Exclusive的數據庫是否可以共享一個口令文件(orapw)呢?

我們繼續這個實驗:

SQL> show parameter password

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string SHARED

[oracle@jumper dbs]$ strings orapw
]\[Z
ORACLE Remote Password file
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A

注意這里僅記錄著INTERNAL/SYS的口令

REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE 時

SQL> alter system set remote_login_passwordfile=exclusive scope=spfile;

System altered.

SQL> startup force;
ORACLE instance started.

Total System Global Area 235999908 bytes
Fixed Size 451236 bytes
Variable Size 201326592 bytes
Database Buffers 33554432 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
SQL> !

[oracle@jumper bin]$ cd $ORACLE_HOME/dbs
[oracle@jumper dbs]$ strings orapw
]\[Z
ORACLE Remote Password file
HSJF
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
[oracle@jumper dbs]$ exit
exit

注意這里,以EXCLUSIVE 方式啟動以后,實例名稱信息被寫入口令文件.

此時如果有其他實例以Exclusive模式啟動仍然可以使用這個口令文件,口令文件中的實例名稱同時被改寫.

也就是說,數據庫只在啟動過程中才讀取口令文件,數據庫運行過程中并不鎖定該文件,類似于pfile/spfile文件.

SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE

SQL> grant sysdba to eygle;

Grant succeeded.

SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
EYGLE TRUE FALSE

SQL> !
[oracle@jumper bin]$ cd $ORACLE_HOME/dbs
[oracle@jumper dbs]$ strings orapw
]\[Z
ORACLE Remote Password file
HSJF
INTERNAL
AB27B53EDC5FEF41
8A8F025737A9097A
>EYGLE
B726E09FE21F8E83

注意此時可以增加SYSDBA用戶，并且這些信息可以被寫入到口令文件.

一旦口令文件中增加了其他SYSDBA用戶,此文件不再能夠被其他Exclusive的實例共享.

實際上，口令文件對于其他用戶來說就是啟到了一個 sudo 的作用.

6.重建口令文件

如果口令文件丟失,可以使用orapwd可以重建口令文件，語法如下:

[oracle@jumper oracle]$ orapwd

Usage: orapwd file=<fname> password=<password> entries=<users> 

where
file - name of password file (mand),
password - password for SYS (mand),
entries - maximum number of distinct DBA and OPERs (opt),
There are no spaces around the equal-to (=) character.