
No need to set a listener password in ORACLE 10G

Original post | Linux operating system | Author: sanxiagirl | Posted: 2011-02-24 09:23:34

Environment: Linux 5.3, Oracle 10.2.0.4.0 (64-bit)

With no listener password set, try to stop the listener on the server from another host:
pldfmswebdb$lsnrctl stop LISTENER1

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 08:57:25

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.6.26.245)(PORT=1526)))
TNS-01189: The listener could not authenticate the user

It cannot be stopped.

Now set a password for the listener on the server itself:
pldfmsqatmp$lsnrctl

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 08:58:24

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=pldfmsqatmp)(PORT=1526)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=pldfmsqatmp)(PORT=1526)))
Saved LISTENER configuration parameters.
Listener Parameter File   /u01/product/oracle/network/admin/listener.ora
Old Parameter File   /u01/product/oracle/network/admin/listener.bak
The command completed successfully
LSNRCTL> exit

listener.ora now contains the following extra lines:
#----ADDED BY TNSLSNR 22-FEB-2011 08:58:50---
PASSWORDS_LISTENER = ADD733DA61CD19A5
#--------------------------------------------

Stopping and starting the listener locally on the server still requires no password:
pldfmsqatmp$lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 09:00:14

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=pldfmsqatmp)(PORT=1526)))
The command completed successfully
pldfmsqatmp$lsnrctl start

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 09:00:24

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Starting /u01/product/oracle/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.4.0 - Production
System parameter file is /u01/product/oracle/network/admin/listener.ora
Log messages written to /u01/product/oracle/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=pldfmsqatmp)(PORT=1526)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=pldfmsqatmp)(PORT=1526)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.4.0 - Production
Start Date                22-FEB-2011 09:00:24
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/product/oracle/network/admin/listener.ora
Listener Log File         /u01/product/oracle/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=pldfmsqatmp)(PORT=1526)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

Next, try again to stop and start the server's listener from the other remote host.
It still cannot be stopped, but the error now differs from before: the listener reports "The listener has not recognized the password".
pldfmswebdb$lsnrctl stop LISTENER1

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 09:02:25

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.6.26.245)(PORT=1526)))
TNS-01169: The listener has not recognized the password
 TNS-01189: The listener could not authenticate the user

Testing with the password supplied, the listener can be stopped from the remote host:

pldfmswebdb$lsnrctl

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 09:04:01

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> set current_listener listener1
Current Listener is listener1
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.6.26.245)(PORT=1526)))
The command completed successfully

Checking on the server confirms that the listener really has been stopped:

pldfmsqatmp$lsnrctl status

LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 22-FEB-2011 09:04:41

Copyright (c) 1991, 2007, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=pldfmsqatmp)(PORT=1526)))
TNS-12541: TNS:no listener
 TNS-12560: TNS:protocol adapter error
  TNS-00511: No listener
   Linux Error: 111: Connection refused
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
TNS-12541: TNS:no listener
 TNS-12560: TNS:protocol adapter error
  TNS-00511: No listener
   Linux Error: 2: No such file or directory

Documents found online describe a somewhat different situation under 9i.
In 9i, if no password is set for the listener, it can be stopped from a remote host without any authentication, and nothing is written to the log.
Once a password is set, stopping the listener locally also requires the password (starting it does not), and stopping it remotely requires the password as well.
Reference:

Oracle's listener has long had a serious security problem: if no protective measure (a listener password) is configured, any user who can reach the listener can shut it down remotely. Before 10g, setting a listener password was therefore the way to prevent remote shutdown. From 10g onward, the listener is hardened against remote users by default, and a remote user cannot stop the listener on the server.

In this Document
  Goal
  Solution


Applies to:

Oracle Net Services
Information in this document applies to any platform.
Checked for relevance on 8-OCT-2009.

Goal

How to set a password for 10g and newer listeners leaving the default OS authentication mechanism in place.

In Oracle 10g and newer versions of the listener, the listener is secure out of the box. There should be no need to set a listener password to prohibit privileged LSNRCTL commands from being executed.

Beginning with version 10g, the listener now uses local OS authentication. As long as one runs LSNRCTL privileged commands (stop, status, etc) as the same user who started the listener, that user will be able to fully administer the running listener without providing a password.


This security feature is enabled by default and can be identified at listener
startup, or when issuing a LSNRCTL STATUS command, by the following output:

Security ON: Local OS Authentication

If the TNSListener is started as the "oracle" user and the user "sales" attempts
to administer the listener, or if "oracle" on a different node attempts to
administer the listener, the following error will be returned:

TNS-01190: The user is not authorized to execute the requested listener command

The following commands are all privileged:

SAVE_CONFIG, STOP, TRACE, SPAWN, RELOAD

SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON,
     TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}

SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT,
      SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME,
      SAVE_CONFIG_STOP_ON}

Solution

A secondary user is able to administer the listener if a listener password is
set and the secondary user knows the password. In this example, "oracle" will
set an encrypted password for the listener and the user "sales" will stop the
listener.



As the "oracle" user, set and encrypt the listener password:
1) LSNRCTL> set current_listener 
2) LSNRCTL> change_password
    Old password: 
    New password: 10glistener  (text is not echoed)
    Reenter new password: 10glistener    (text is not echoed)
3) LSNRCTL> save_config
4) LSNRCTL> status

STATUS output will now show:
Security                  ON: Password or Local OS Authentication

As the "sales" user, enter the password to administer the listener:
1) LSNRCTL> set password 
    Password: 10glistener   (text is not echoed)
2) LSNRCTL> stop
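As an added example, not code from the original post or from Oracle, the following Python script audits a 10g listener's posture from saved lsnrctl status output and listener.ora text. It reads the Security line (the two values shown in the sessions above), looks for PASSWORDS_<alias> entries, flags a mismatch between the saved file and the running listener (password set but save_config never run, or file edited but listener not reloaded), and maps the TNS error codes from the sessions above to their meaning. The sample inputs are constructed from the transcripts in this post; the 16-hex-digit check for an encrypted entry is a heuristic based on the value that change_password wrote above, and the function names are my own.

```python
import re

# "Security" status-line values reported by a 10g+ listener (both appear in the post).
SECURITY_OS_AUTH = "ON: Local OS Authentication"
SECURITY_PASSWORD_OR_OS = "ON: Password or Local OS Authentication"

# TNS codes that appear in the sessions above, with what each one means for the caller.
TNS_ERRORS = {
    "TNS-01169": "listener has a password and the supplied one was missing or wrong",
    "TNS-01189": "local OS authentication refused the caller (other host or other OS user)",
    "TNS-01190": "caller is not authorized to run this privileged listener command",
}


def parse_status(output):
    """Pull the two-column header fields (Alias, Security, ...) out of lsnrctl status output."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^(Alias|Version|Security|Listener Parameter File)\s{2,}(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def password_entries(listener_ora):
    """Return {LISTENER_NAME: value} for every PASSWORDS_<name> line in listener.ora."""
    entries = {}
    for raw in listener_ora.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"PASSWORDS_(\w+)\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            entries[m.group(1).upper()] = m.group(2)
    return entries


def tns_errors(output):
    """List (code, meaning) for every TNS-nnnnn code in an lsnrctl transcript."""
    return [(c, TNS_ERRORS.get(c, "see Oracle error reference"))
            for c in re.findall(r"\bTNS-\d{5}\b", output)]


def audit(status_output, listener_ora):
    """Combine the running state and the saved file into a list of findings."""
    fields = parse_status(status_output)
    alias = fields.get("Alias", "LISTENER").upper()
    security = fields.get("Security", "")
    stored = password_entries(listener_ora).get(alias)
    findings = []
    if security == SECURITY_OS_AUTH:
        findings.append("OK: OS authentication only; LSNRCTL stop from another host is refused")
    elif security == SECURITY_PASSWORD_OR_OS:
        findings.append("NOTE: password set; any host holding it may stop or reconfigure the listener")
    else:
        findings.append("WARN: Security is %r; expected one of the 10g values" % security)
    if stored is not None and security != SECURITY_PASSWORD_OR_OS:
        findings.append("WARN: listener.ora has PASSWORDS_%s but the running listener reports no password (reload?)" % alias)
    if stored is None and security == SECURITY_PASSWORD_OR_OS:
        findings.append("WARN: running listener has a password that is not in listener.ora (save_config not run?)")
    # Heuristic: change_password wrote a 16-hex-digit value in the post; anything else is likely cleartext.
    if stored is not None and not re.fullmatch(r"[0-9A-Fa-f]{16}", stored):
        findings.append("WARN: PASSWORDS_%s does not look encrypted; use change_password then save_config" % alias)
    return {"alias": alias, "security": security, "stored": stored, "findings": findings}


# Constructed sample inputs, modelled on the transcripts in this post.
SAMPLE_STATUS = """STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.4.0 - Production
Security                  ON: Password or Local OS Authentication
Listener Parameter File   /u01/product/oracle/network/admin/listener.ora
"""
SAMPLE_LISTENER_ORA = """#----ADDED BY TNSLSNR 22-FEB-2011 08:58:50---
PASSWORDS_LISTENER = ADD733DA61CD19A5
#--------------------------------------------
"""
SAMPLE_REMOTE_STOP = """Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.6.26.245)(PORT=1526)))
TNS-01169: The listener has not recognized the password
 TNS-01189: The listener could not authenticate the user
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS, SAMPLE_LISTENER_ORA)["findings"]:
        print(finding)
    for code, meaning in tns_errors(SAMPLE_REMOTE_STOP):
        print(code, "->", meaning)
```

Run it on the server with the real files (for example, feed it the output of lsnrctl status and the contents of $ORACLE_HOME/network/admin/listener.ora); the findings distinguish the default posture (OS authentication only) from a password-protected listener, and the TNS mapping explains the two different refusals seen from the remote host above.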
References:

1. Setting Listener Passwords With an Oracle 10g or Newer Listener [ID 260986.1]

2. http://space.itpub.net/9252210/viewspace-558106

From the ITPUB blog, link: http://blog.itpub.net/10640532/viewspace-687819/. If reprinted, please cite the source; otherwise legal action will be pursued.