Oracle database security weakness: setting the listener password

http://blog.itpub.net/29357786/viewspace-1769373/

Original article, category Oracle, author: 清风艾艾, posted 2015-08-12 15:37:03

Oracle's security hardening covers its components quite thoroughly, and the listener has security settings of its own. By default, a user needs no password at all to operate on or shut down the Oracle listener with the lsnrctl tool, which leaves new sessions unable to connect; the Oracle listener also allows lsnrctl to administer it from a remote machine, which can easily lead to damage to the database. In addition, listener administration differs slightly between 9i and 10g/11g: in 9i a password set through lsnrctl is enforced immediately, whereas in 10g and 11g a password set through lsnrctl does not take effect automatically; OS authentication must be disabled before the listener password takes effect.
This post walks through setting the listener password on 11g in particular.
1. As the oracle OS user, type lsnrctl at the shell prompt and press Enter to open the listener control console
[oracle@orcl11g admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:33:57
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> 

2. Type help in the listener control console to list the listener administration commands
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start               stop                status              
services            version             reload              
save_config         trace               spawn               
change_password     quit                exit                
set*                show*   

3. With no listener password set, the oracle session can start and stop the listener with lsnrctl (this is the listener's risk). Stop and start the listener:
[oracle@orcl11g admin]$ lsnrctl stop
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:38:13
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
[oracle@orcl11g admin]$ 
[oracle@orcl11g admin]$ lsnrctl start
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:39:50
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Starting /oracle/app/oracle/product/11.2.0.3/db/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.3.0 - Production
System parameter file is /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Log messages written to /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 15:39:50
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@orcl11g admin]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:39:54
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 15:39:50
Uptime                    0 days 0 hr. 0 min. 3 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@orcl11g admin]$ 

4. Set a password for the Oracle database listener with the lsnrctl administration tool
[oracle@orcl11g admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 15:41:35
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start               stop                status              
services            version             reload              
save_config         trace               spawn               
change_password     quit                exit                
set*                show*               
LSNRCTL> change_password
Old password:<enter the old password if the listener already had one>
New password: <enter the new password>
Reenter new password: <enter the new password again to confirm>
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password #supply the password for this console session
Password: 
The command completed successfully
LSNRCTL> save_config #save the configuration to listener.ora
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Old Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.bak
The command completed successfully
LSNRCTL> 

5. Test whether the password setting takes effect (note: the listener must be reloaded or restarted)
LSNRCTL> reload
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
LSNRCTL> 

6. Verify whether the listener password takes effect (note: on 9i it does; the point here is that 10g and 11g use OS authentication, so the listener password does not take effect automatically)
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
LSNRCTL>
As shown, although a password was set on the listener, the password protection did not take effect, because 11g uses OS authentication.

7. Disable OS authentication in the listener.ora configuration file
SID_LIST_ORCL11G=
  (SID_LIST=
    (SID_DESC=
      (GLOBAL_DBNAME=ORCL11G)
      (SID_NAME=ORCL11G)
      (ORACLE_HOME=/oracle/app/oracle/product/11.2.0.3/db)
      (PRESPAWN_MAX=20)
      (PRESPAWN_LIST=
        (PRESPAWN_DESC=(PROTOCOL=tcp)(POOL_SIZE=2)(TIMEOUT=1))
      )
    )
  )

LOCAL_OS_AUTHENTICATION_listener=OFF

#----ADDED BY TNSLSNR 08-JUL-2015 14:00:26---
PASSWORDS_LISTENER = FC996BE8FB638140
#--------------(this entry is the marker that a listener password has been set)------------------------------

8. After disabling OS authentication in listener.ora, restart the listener and check again whether the password takes effect
[oracle@orcl11g admin]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 16:10:18
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
TNS-01169: The listener has not recognized the password
[oracle@orcl11g admin]$
As shown, the password protection is now in effect.
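Steps 7 and 8 amount to two checks on listener.ora plus a look at the Security line of lsnrctl status. The script below is an added example, not code from the original post: it reads a listener.ora file (a constructed sample modelled on the fragment in step 7, with a placeholder in place of the real password hash) and an excerpt of lsnrctl status output, and reports the LOCAL_OS_AUTHENTICATION_<alias> setting, whether a PASSWORDS_<alias> entry is present, and the Security mode. It assumes the listener alias is LISTENER (pass another alias as the second argument otherwise) and treats an absent LOCAL_OS_AUTHENTICATION parameter as the default ON behaviour the posts describe.

```shell
#!/bin/sh
# Added example, not part of the original post: audit listener.ora and the
# "Security" line of `lsnrctl status` output for the settings discussed above.
# Assumption: the listener alias is LISTENER (the default); pass another alias
# as the second argument if yours differs.

# Constructed sample listener.ora modelled on the post's fragment (the
# PASSWORDS_LISTENER hash below is a placeholder, not a real value).
SAMPLE_LISTENER_ORA='SID_LIST_ORCL11G =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL11G)
      (SID_NAME = ORCL11G)
      (ORACLE_HOME = /oracle/app/oracle/product/11.2.0.3/db)
    )
  )

LOCAL_OS_AUTHENTICATION_listener = OFF

#----ADDED BY TNSLSNR (placeholder)---
PASSWORDS_LISTENER = 0123456789ABCDEF
'

# Constructed `lsnrctl status` excerpt, shaped like the output shown in the post.
SAMPLE_STATUS='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Trace Level               off
Security                  ON: Password
SNMP                      OFF
'

# Print the LOCAL_OS_AUTHENTICATION_<alias> value (ON or OFF), or DEFAULT when
# the parameter is absent (the listener then behaves as if it were ON).
local_os_auth_mode() {
    _val=$(grep -i "^[[:space:]]*LOCAL_OS_AUTHENTICATION_$2[[:space:]]*=" "$1" |
           tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' |
           tr '[:lower:]' '[:upper:]')
    [ -n "$_val" ] && echo "$_val" || echo DEFAULT
}

# Print yes when lsnrctl has written a PASSWORDS_<alias> entry into the file.
has_listener_password() {
    grep -iq "^[[:space:]]*PASSWORDS_$2[[:space:]]*=" "$1" && echo yes || echo no
}

# Extract the value of the "Security" field from status output read on stdin.
security_mode() {
    sed -n 's/^Security[[:space:]]*//p' | head -n 1
}

# Combine the two listener.ora checks into one verdict.
assess_listener() {
    case "$(local_os_auth_mode "$1" "$2"):$(has_listener_password "$1" "$2")" in
        OFF:yes) echo "password-only: every lsnrctl session must 'set password' first" ;;
        OFF:no)  echo "OS authentication disabled and no password entry: review before use" ;;
        *:yes)   echo "OS authentication active; the password applies only to other OS users" ;;
        *)       echo "default: local OS authentication only (the 10g+ recommended mode)" ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
ORA_FILE=$(mktemp)
printf '%s' "$SAMPLE_LISTENER_ORA" > "$ORA_FILE"
echo "LOCAL_OS_AUTHENTICATION: $(local_os_auth_mode "$ORA_FILE" LISTENER)"
echo "password entry present:  $(has_listener_password "$ORA_FILE" LISTENER)"
echo "lsnrctl status Security: $(printf '%s' "$SAMPLE_STATUS" | security_mode)"
echo "verdict: $(assess_listener "$ORA_FILE" LISTENER)"
rm -f "$ORA_FILE"
```

On a real host, point the functions at $ORACLE_HOME/network/admin/listener.ora and pipe the live output of lsnrctl status into security_mode; the verdict lines map directly onto the three states the post shows (OS authentication only, password ignored for the owner, password required by everyone).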

9. Once the listener is password-protected, administering it requires first supplying the password with the set command in the lsnrctl console
[oracle@orcl11g admin]$ lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 08-JUL-2015 16:12:18
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password: 
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 16:08:52
Uptime                    0 days 0 hr. 4 min. 21 sec
Trace Level               off
Security                  ON: Password
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Services Summary...
Service "orcl11g" has 1 instance(s).
  Instance "orcl11g", status READY, has 1 handler(s) for this service...
Service "orcl11gXDB" has 1 instance(s).
  Instance "orcl11g", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
The command completed successfully
LSNRCTL> start
Starting /oracle/app/oracle/product/11.2.0.3/db/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.3.0 - Production
System parameter file is /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Log messages written to /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11g)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                08-JUL-2015 16:13:25
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Password
SNMP                      OFF
Listener Parameter File   /oracle/app/oracle/product/11.2.0.3/db/network/admin/listener.ora
Listener Log File         /oracle/app/oracle/diag/tnslsnr/orcl11g/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11g)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
LSNRCTL> 

10. Important: once a password has been set, remember it; otherwise administering the listener later becomes troublesome.

http://blog.itpub.net/519536/viewspace-690203/

[LISTENER] The Local OS Authentication security feature of the Oracle 10g listener

Original article, category Linux, author: secooler, posted 2011-03-22 22:59:34

Oracle 10g and later versions introduced a security feature for the listener called Local OS Authentication.
In short: if the listener was started by the current OS user, that user has full rights to administer it, and other users' administration of the listener is restricted. Note that the user who starts and administers the listener is not necessarily the oracle user.
This post verifies the feature in practice.

1. Check the listener's security setting
View the listener status as the oracle user.
ora10g@secdb /home/oracle$ lsnrctl status

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:04:03

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                21-MAR-2011 22:51:53
Uptime                    0 days 23 hr. 12 min. 9 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully

Note the “Security ON: Local OS Authentication” line returned by the status command; it indicates that the listener is in Local OS Authentication mode.

2. Try to stop the listener as a user other than oracle
Switch from the oracle user to the OS user secooler.
ora10g@secdb /home/oracle$ su - secooler
Password:
ora10g@secdb /home/secooler$ id
uid=666(secooler) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

Try to stop the listener as the secooler user.
ora10g@secdb /home/secooler$ lsnrctl stop listener

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:01:58

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command

As shown, the TNS-01190 error is returned; this error is the listener's local OS authentication feature at work, because in this environment the listener was started by the oracle user.

3. Try to start the listener as a user other than oracle
1) Stop the listener as the oracle user
ora10g@secdb /home/oracle$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:16

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully

2) Start the listener as the secooler user
ora10g@secdb /home/secooler$ lsnrctl

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:24

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> start
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                22-MAR-2011 22:08:10
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully

As shown, the listener starts without trouble. Wait a moment for the database instances to register dynamically with the listener.
Check the listener status as the secooler user
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                22-MAR-2011 22:08:10
Uptime                    0 days 0 hr. 0 min. 20 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully

At this point the listener is running normally under the secooler user.
The ps command confirms once more that the listener was indeed started by secooler.
ora10g@secdb /home/secooler$ ps -ef | grep -i listener | grep -v grep
secooler  5794     1  0 22:08 ?        00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER -inherit

4. Return to the oracle user and try to stop the listener
Since the listener is now running under the secooler user, by the Local OS Authentication feature the oracle user has no right to stop it. Let's verify.
ora10g@secdb /home/oracle$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:27:36

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command

The conclusion is confirmed: the oracle user cannot stop a listener started by the secooler user.

5. List of restricted listener commands
This post used stopping the listener as the demonstration. Besides STOP, the following commands are also restricted:
SAVE_CONFIG, TRACE, SPAWN, RELOAD,
SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}
SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}

Running any of the commands above as a user other than the one who started the listener returns the TNS-01190 error.

6. Summary
The Local OS Authentication security feature of Oracle 10g avoids confusion in listener administration. Once its real intent is understood, the listener's security is assured.

Good luck.

secooler
11.03.22

-- The End --

https://www.linuxidc.com/Linux/2017-01/139921.htm?utm_source=tuicool&utm_medium=referral

Should we set a password for the Oracle listener?

[Date: 2017-01-24] Source: Linux社区  Author: 黎俊杰

In various forums, and in some database security hardening standards, one still often sees people strongly recommending that a password be set on the Oracle listener. Recently, while reviewing an Oracle security hardening policy drafted by an organization, the author found that it still required a listener password without regard to version.

As Oracle versions have evolved, do the Oracle databases running today really still need a listener password? Can the various standards documents still list a listener password as a baseline requirement without distinguishing between versions?

1. How listeners were administered remotely before 10g

Start with Metalink document ID 460666.1 (How To Remotely Administer a Listener), which describes remote listener administration. Its APPLIES TO section gives the applicable versions as “Oracle Net Services - Version: 8.1.7.4.0 to 9.2.0.8.0”. Its GOAL section states that before 10g the listener program could administer a listener on a remote machine, and the document gives two ways to stop a listener from a remote client machine:

First: on the client machine, run lsnrctl <command> <ip_address>:<port> directly; very simple, as follows:

lsnrctl status 192.168.1.100

lsnrctl stop 192.168.1.100:1522

--192.168.1.100 is the IP address of the remotely administered server and 1522 is its listener port

Second: configure the remote machine's listener information in the client machine's listener.ora file, like this:

Remote_lsnr =
  (DESCRIPTION =
    (ADDRESS =
      (PROTOCOL = TCP)
      (Host = remote host)
      (Port = listener port)
    )
  )

Where "remote host" and "listener port" are the host and port where the remote listener is running.

Then, on the client machine, administer the remote listener just as you would a local one, for example:

LSNRCTL> set current_listener Remote_lsnr

LSNRCTL> stop Remote_lsnr

Document 460666.1 already makes clear how important it was to set a listener password in versions before 10g.

2. A document on preventing remote shutdown of the 8i/9i listener

Metalink document ID 361738.1 (How To Prevent Remote Shutdown of the Oracle 8i/9i Listener) explains how to prevent the listener from being shut down remotely. Its APPLIES TO section states explicitly:

Oracle Net Services - Version: 8.1.5.0.0 to 9.2.0.8.0
Information in this document applies to any platform.
This article applies only to listener versions prior to 10g.

This method applies only to Version 8.1.5.0.0 to 9.2.0.8.0, not to 10g and later.

The SOLUTION section's answer for pre-10g versions is, of course, to set a listener password, so that remote listener administration requires the correct password before any operation completes.

3. Is a listener without a password still secure in 10g and later?

Next, Metalink document ID 364388.1 (How To Network Secure Your Oracle Database Listener in Intranet / Internet); its SOLUTION section says the following about the listener password for 10g and later and for 11gR2:

For 10g and higher listeners, no listener password is needed (starting with 11gr2 listener password is deprecated), instead we are using by default OS authentication mechanism - see  Note 260986.1 Setting Listener Passwords With an Oracle 10g or Newer Listener and Note 1328725.1 Deprecation of Listener Password in Oracle Database 11g Release

In 10g and later there is no need to set a listener password, and in 11gR2 the listener password is deprecated outright; the default local OS authentication is used instead.

4. Why does Oracle 10g still keep the change_password function?

Now look at the Metalink document mentioned above, ID 260986.1 (Setting Listener Passwords With an Oracle 10g or Newer Listener); its GOAL section says:

If the TNSListener is started as the "oracle" user and the user "sales" attempts to administer the listener, or if "oracle" on a different node attempts to administer the listener, the following error will be returned:

TNS-01190: The user is not authorized to execute the requested listener command

When the listener was started by the oracle user and another OS user, say sales, tries to administer it (a stop, for example), the “TNS-01190” message is returned; the sales user must then enter the listener password before it can operate the local listener.

It is also possible to force even the user who started the listener locally to log in with the password: just add LOCAL_OS_AUTHENTICATION_listener_name = OFF to listener.ora. But any administrator already logged in to the OS, or any user with write access to listener.ora, can simply edit that file and remove the line, so this step adds little.

5. Oracle 11gR2 deprecates setting a listener password

Metalink document ID 1328725.1 (Deprecation of Listener Password in Oracle Database 11g Release 2) explains that 11gR2 has deprecated the listener password. Its DETAILS section says:

In Oracle Database 11g Release 2 (11.2), the password feature is being deprecated. This does not cause a loss of security because authentication is enforced through local operating system authentication.

Oracle 11gR2 deprecates the listener password on the grounds that local OS authentication already provides the security.

Its ACTIONS section lists the remaining options for remote listener administration: log in via SSH to the host running the listener, authenticate, and administer it locally, or use Oracle OEM.

6. Oracle 11gR2's official security note on the listener and recommended administration approach

Local listener administration is secure through local operating system authentication, which restricts listener administration to the user who started the listener or to the super user. By default, remote listener administration is disabled.

Oracle recommends that you perform listener administration in the default mode, and access the system remotely using a remote login. When you administer the listener remotely, use Oracle Enterprise Manager or Secure Shell (SSH) to access the remote host.

Local listener administration defaults to local OS authentication, which restricts who can administer the listener. Remote listener administration is disabled by default; the recommendation is to log in to the target host via OEM or SSH and administer the listener there.


Reposted from blog.csdn.net/qq_27361945/article/details/82836659