
Listener security authentication in Oracle 10g

Original post, Linux operating system. Author: chyinzi. Date: 2011-04-12 19:23:33
Starting with Oracle 10g, a second listener authentication method, Local OS Authentication, was added, so setting a listener password is no longer a necessary part of the security check.
In 10g, even when the listener has no password set, no user other than the one who started the listener can perform operations such as stop, reload or trace on it.
1. Listener security authentication
Test environment:
OS: RHEL AS 4.8
DB: Oracle 10.2.0.1
Users: oracle, oracle1

Test 1:
Verify the default state: user oracle starts the listener, and user oracle1 cannot stop, reload or trace the listener started by oracle.

User oracle starts the listener and checks its status
LSNRCTL> start
Starting /orahome/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
[output omitted]

LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
[output omitted]
Trace Level               off
Security                  ON: Local OS Authentication
[output omitted]
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.23)(PORT=1521)))
Services Summary...
Service "mydata" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
The highlighted line shows that security is on by default with Local OS Authentication enabled and no password set.
Switch to the other user, oracle1
[oracle@oraserver ~]$ su - oracle1
Password:
[oracle1@oraserver ~]$ id
uid=1003(oracle1) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
[oracle1@oraserver ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 18:35:48
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> stop listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>
LSNRCTL> reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL> 
LSNRCTL> trace user listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
The highlighted lines show that user oracle1 is not authorized to execute the requested listener commands, i.e. it has no rights to operate the listener.

Test 2:
User oracle enables password authentication on the listener it started, but the password check does not apply to user oracle itself.

User oracle starts the listener and enables password authentication
[oracle@oraserver ~]$ id
uid=1001(oracle) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
LSNRCTL> start
Starting /orahome/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.1.0 - Production
[output omitted]

LSNRCTL> change_password
Old password: (left empty)
New password:123456
Reenter new password:123456
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
Old Parameter File   /orahome/oracle/product/10.2.0/db_1/network/admin/listener.bak
The command completed successfully

LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
[output omitted]
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
[output omitted]
The highlighted line shows that the authentication mode is now Password or Local OS Authentication.

LSNRCTL> reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
The command completed successfully
LSNRCTL>
LSNRCTL> trace user listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
The command completed successfully
LSNRCTL>
LSNRCTL> stop listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
The command completed successfully
The highlighted lines show that user oracle can reload, stop and trace the listener it started without any password authentication.


Test 3:
User oracle starts the listener and enables password authentication.
If user oracle1 passes the password check, it can reload, stop and trace the listener started by user oracle.
If user oracle1 does not pass the password check, it has no rights to perform those operations on the listener started by user oracle.

[oracle@oraserver ~]$ id
uid=1001(oracle) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
The listener password is set as in Test 2
[oracle@oraserver ~]$ lsnrctl status listener

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:06:36

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
[output omitted]
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File         /orahome/oracle/product/10.2.0/db_1/network/log/listener.log
[output omitted]
The highlighted line shows that the authentication mode is password or local OS authentication.

[oracle1@oraserver ~]$ id
uid=1003(oracle1) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
[oracle1@oraserver ~]$ lsnrctl reload listener
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:10:19
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
[oracle1@oraserver ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:10:29
Copyright (c) 1991, 2005, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>
LSNRCTL> set password 123456
The command completed successfully
LSNRCTL> reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
The command completed successfully
LSNRCTL> trace user listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
The command completed successfully
LSNRCTL> 
LSNRCTL> stop listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
The command completed successfully

Once user oracle1 enters the lsnrctl command-line mode and passes the password check set by user oracle by running "set password 123456",
it can reload, stop and trace the listener started by user oracle.


Besides reload, stop and trace, the following commands are also subject to this authentication:
SAVE_CONFIG, SPAWN,
SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}
SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}

2. Remote listener registration (remote_listener)

Environment
Machine A:
IP: 192.168.1.23
OS: RHEL AS 4.8
service_name: test
db_name: mydata
username: oracle

Machine B:
IP: 192.168.1.24
OS: RHEL AS 4.8
service_name: product
db_name: lottery
username: oracle

Listener status on machine A
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
[output omitted]
Security                  ON: Local OS Authentication
SNMP                      OFF
[output omitted]
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.23)(PORT=1521)))
Services Summary...
Service "TEST" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully

Listener status on machine B
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
[output omitted]
Security                  ON: Local OS Authentication
SNMP                      OFF
[output omitted]
   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
Services Summary...
Service "product" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "lottery" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
The command completed successfully

Remote listener registration (remote_listener)
Register machine A's service_name test with the remote listener on machine B

Add the following entry to tnsnames.ora on machine A
LISTENER_R =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.24)(PORT = 1521))

Change the remote_listener server parameter on machine A
SQL> alter system set remote_listener=LISTENER_R;
System altered.

Run lsnrctl status on machine B and inspect the listener status:
two entries (highlighted) are the service_names (test) and db_name (mydata) of the database on machine A
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
[output omitted]
Security                  ON: Local OS Authentication
[output omitted]
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
Services Summary...
Service "lottery" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
Service "product" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "test" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
Note: whatever the value of the service_names parameter, Oracle always also registers dynamically using db_name as a service name.
    That is why the extra Service "mydata" has 1 instance(s) entry appears.
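As an added example (not part of the original post), the following Python parser reads lsnrctl status output like the transcripts above and pulls out the two things a defender cares about in this post: the Security line from section 1 (whether password authentication is enabled, which the remote tests below show lets anyone holding the password administer the listener over the network) and the services summary from the remote_listener test (which registered instances do not run on this host). The sample transcript is constructed from machine B's output, and the local instance name lottery is an assumption.

```python
import re

# Constructed sample: a trimmed "lsnrctl status" transcript from machine B
# after machine A registered its services through remote_listener.
SAMPLE_STATUS = """\
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
Security                  ON: Local OS Authentication
SNMP                      OFF
Services Summary...
Service "lottery" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
Service "product" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "test" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
"""

SECURITY_RE = re.compile(r'^Security\s+(ON|OFF)(?::\s*(.+))?\s*$')
SERVICE_RE = re.compile(r'^Service "([^"]+)" has \d+ instance\(s\)\.')
INSTANCE_RE = re.compile(r'^\s+Instance "([^"]+)", status (\w+),')


def parse_status(text):
    """Return (security_mode, [(service, instance, status), ...])."""
    security, services, current_service = None, [], None
    for line in text.splitlines():
        if m := SECURITY_RE.match(line):
            # "ON: Local OS Authentication" -> keep the text after the colon
            security = m.group(2) or m.group(1)
        elif m := SERVICE_RE.match(line):
            current_service = m.group(1)
        elif (m := INSTANCE_RE.match(line)) and current_service:
            services.append((current_service, m.group(1), m.group(2)))
    return security, services


def password_enabled(security_mode):
    """True when the listener also accepts a password, not OS authentication only."""
    return bool(security_mode) and "Password" in security_mode


def foreign_registrations(services, local_instances):
    """Service/instance pairs registered by instances that do not run on this host."""
    return sorted({(svc, inst) for svc, inst, _ in services if inst not in local_instances})
```

Run against the sample with local_instances = {"lottery"}, foreign_registrations reports the test and mydata services registered from machine A, while password_enabled is False because the Security line still reads Local OS Authentication only.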

Test 1:
Verify that with the Oracle 10g default settings (listener authentication = OS authentication) the listener cannot be stopped remotely.

Run the following command on machine A to stop the listener on machine B remotely
LSNRCTL> stop listener_r
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
TNS-01189: The listener could not authenticate the user
LSNRCTL>
The highlighted line shows that listener authentication failed, so the stop operation fails.


Enable password authentication for the listener on machine B
LSNRCTL> change_password
Old password:
New password:123456
Reenter new password:123456
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
Saved LISTENER configuration parameters.
[output omitted]
The command completed successfully

Test 2:
Pass the remote listener's security authentication and stop the listener remotely

Run the following on machine A, entering the wrong password 654321
LSNRCTL> set password 654321
The command completed successfully
LSNRCTL> stop listener_r
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
TNS-01169: The listener has not recognized the password
 TNS-01189: The listener could not authenticate the user
Authentication fails

Machine A enters the correct password 123456
LSNRCTL> set password 123456
The command completed successfully
LSNRCTL>
LSNRCTL> stop listener_r
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
The command completed successfully
LSNRCTL>
The highlighted line shows that the remote stop of the listener succeeded


Run the following on machine B to check the listener status: it has been stopped remotely by machine A.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
TNS-12541: TNS:no listener
 TNS-12560: TNS:protocol adapter error
  TNS-00511: No listener
   Linux Error: 111: Connection refused

From the ITPUB blog, link: http://blog.itpub.net/25264937/viewspace-692353/. Please credit the source when republishing; otherwise legal action may be taken.
