Oracle 概要文件 PASSWORD_VERIFY_FUNCTION

检查口令强度设置

注意事项及影响：

• 用户修改密码时对密码复杂度有要求，而且所有profile都需要设置密码负责度函数否则检查通不过
• 该项没有影响，可以加固

 

序号	操作内容	操作步骤	责任人	时间
1	登陆数据库	Sqlplus ‘/as sysdba’
2	检查数据库状态	Select open_mode from v$database;
3	创建密码函数	@?/rdbms/admin/utlpwdmg.sql
4	生成修改语句	select 'alter profile ' || profile ||        ' limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;'   from dba_profiles  group by profile;
5	运行修改密码函数语句	运行上面查询生成的sql 语句

这边数据库的加固项，是对数据库的口令进行加固。

 PASSWORD_VERIFY_FUNCTION：指定验证口令复杂度的验证函数。Oracle 提供了一个默认的口令校验函数，这可以通过运行脚本utlpwdmg.sql 来建立该函数，脚本保存在$ORACLE_HOME\rdbms\admin 目录中。DBA 也可以通过修改脚本来实现自己 的口令校验函数。

 

（1）先来看一下数据库没有加固之前的概要文件里面的内容

SQL> select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles where PROFILE='DEFAULT';

PROFILE      RESOURCE_NAME          LIMIT

DEFAULT      PASSWORD_VERIFY_FUNC      NULL  --可以看到值为空

（2）SQL> @?/rdbms/admin/utlpwdmg.sql

Function created.

Grant succeeded.

Profile altered.

Function created.

Grant succeeded.

 

1.生成修改概要文件的语句

SQL> select 'alter profile ' || profile ||

       ' limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;'

  from dba_profiles

 group by profile;

'ALTERPROFILE'||PROFILE||'LIMITPASSWORD_VERIFY_FUNCTIONVERIFY_FUNCTION;'

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

alter profile MONITORING_PROFILE limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

alter profile TEST limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

可以看到所有的概要文件的PASSWORD_VERIFY_FUNCTION都设置为VERIFY_FUNCTION。

 

2.修改概要文件

SQL> alter profile TEST limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

Profile altered.

 

SQL> alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

Profile altered.

SQL> select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles where PROFILE='DEFAULT';

 

PROFILE      RESOURCE_NAME          LIMIT

DEFAULT      PASSWORD_VERIFY_FUNC  VERIFY_FUNCTIONTION

可以看到概要文件里面的PASSWORD_VERIFY_FUNC值由null变为了VERIFY_FUNCTIONTION。

 

3.测试口令强度

SQL> alter user test identified by 123456;

alter user test identified by 123456

*

ERROR at line 1:

ORA-28003: password verification for the specified password failed

ORA-20003: Password should contain at least one \

digit, one character and one punctuation

简单密码无法更新，需要将密码设置为复杂的。

 

 

4.下面是utlpwdmg.sql里面的内容 可以看到具体这个.sql创建的函数是用来检测要修改的密码

[oracle@Database1 admin]$ cat utlpwdmg.sql 

-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based 
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script

CREATE OR REPLACE FUNCTION verify_function_11G
(username varchar2,
  password varchar2,
  old_password varchar2)
  RETURN boolean IS 
   n boolean;
   m integer;
   differ integer;
   isdigit boolean;
   ischar  boolean;
   ispunct boolean;
   db_name varchar2(40);
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray varchar2(52);
   i_char varchar2(10);
   simple_password varchar2(10);
   reverse_user varchar2(32);

BEGIN 
   digitarray:= '0123456789';
   chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

   -- Check for the minimum length of the password
   IF length(password) < 8 THEN
      raise_application_error(-20001, 'Password length less than 8');
   END IF;

   -- Check if the password is same as the username or username(1-100)
   IF NLS_LOWER(password) = NLS_LOWER(username) THEN
     raise_application_error(-20002, 'Password same as or similar to user');
   END IF;
   FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THEN
        raise_application_error(-20005, 'Password same as or similar to user name ');
      END IF;
    END LOOP;

   -- Check if the password is same as the username reversed
   
   FOR i in REVERSE 1..length(username) LOOP
     reverse_user := reverse_user || substr(username, i, 1);
   END LOOP;
   IF NLS_LOWER(password) = NLS_LOWER(reverse_user) THEN
     raise_application_error(-20003, 'Password same as username reversed');
   END IF;

   -- Check if the password is the same as server name and or servername(1-100)
   select name into db_name from sys.v$database;
   if NLS_LOWER(db_name) = NLS_LOWER(password) THEN
      raise_application_error(-20004, 'Password same as or similar to server name');
   END IF;
   FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if NLS_LOWER(db_name)|| i_char = NLS_LOWER(password) THEN
        raise_application_error(-20005, 'Password same as or similar to server name ');
      END IF;
    END LOOP;

   -- Check if the password is too simple. A dictionary of words may be
   -- maintained and a check may be made so as not to allow the words
   -- that are too simple for the password.
   IF NLS_LOWER(password) IN ('welcome1', 'database1', 'account1', 'user1234', 'password1', 'oracle123', 'computer1', 'abcdefg1', 'change_on_install') THEN
      raise_application_error(-20006, 'Password too simple');
   END IF;

   -- Check if the password is the same as oracle (1-100)
    simple_password := 'oracle';
    FOR i IN 1..100 LOOP
      i_char := to_char(i);
      if simple_password || i_char = NLS_LOWER(password) THEN
        raise_application_error(-20007, 'Password too simple ');
      END IF;
    END LOOP;

   -- Check if the password contains at least one letter, one digit 
   -- 1. Check for the digit
   isdigit:=FALSE;
   m := length(password);
   FOR i IN 1..10 LOOP 
      FOR j IN 1..m LOOP 
         IF substr(password,j,1) = substr(digitarray,i,1) THEN
            isdigit:=TRUE;
             GOTO findchar;
         END IF;
      END LOOP;
   END LOOP;

   IF isdigit = FALSE THEN
      raise_application_error(-20008, 'Password must contain at least one digit, one character');
   END IF;
   -- 2. Check for the character
   <<findchar>>
   ischar:=FALSE;
   FOR i IN 1..length(chararray) LOOP 
      FOR j IN 1..m LOOP 
         IF substr(password,j,1) = substr(chararray,i,1) THEN
            ischar:=TRUE;
             GOTO endsearch;
         END IF;
      END LOOP;
   END LOOP;
   IF ischar = FALSE THEN
      raise_application_error(-20009, 'Password must contain at least one \
              digit, and one character');
   END IF;

   <<endsearch>>
   -- Check if the password differs from the previous password by at least
   -- 3 letters
   IF old_password IS NOT NULL THEN
     differ := length(old_password) - length(password);

     differ := abs(differ);
     IF differ < 3 THEN
       IF length(password) < length(old_password) THEN
         m := length(password);
       ELSE
         m := length(old_password);
       END IF;

       FOR i IN 1..m LOOP
         IF substr(password,i,1) != substr(old_password,i,1) THEN
           differ := differ + 1;
         END IF;
       END LOOP;

       IF differ < 3 THEN
         raise_application_error(-20011, 'Password should differ from the \
            old password by at least 3 characters');
       END IF;
     END IF;
   END IF;
   -- Everything is fine; return TRUE ;   
   RETURN(TRUE);
END;
/

GRANT EXECUTE ON verify_function_11G TO PUBLIC;

-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is 
-- created with parameter values set to different value or UNLIMITED 
-- is created and assigned to the user.

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION verify_function_11G;