Unlock the user without changing the user password

 

1.0 Requirements: you are notified that a user cannot log in because the account is locked, but the password is unknown or has not been given to you

 

1.1 User is locked out: several possibilities

User A uses the default profile, with the parameter:

-- PASSWORD_LIFE_TIME 180  Number of days a password remains valid

User B uses the default profile, with the parameters:

-- FAILED_LOGIN_ATTEMPTS 10  Number of failed login attempts allowed

-- PASSWORD_LOCK_TIME 1  Number of days the account stays locked after the failed-login limit is exceeded

User C uses custom settings: not considered in this experiment

 

1.2 Fault Simulation

#Create test user

SQL> create user yang identified by asfqr1rfa10;

# lock user

SQL> alter user yang account lock;

 

#PL/SQL login error

 

SQL*Plus login error

SQL> conn yang/asfqr1rfa10; 

ERROR:

ORA-28000: the account is locked

Warning: You are no longer connected to ORACLE.

#Query error explanation

SQL> !oerr ora 28000

28000, 00000, "the account is locked"

// *Cause:   The user has entered wrong password consequently for maximum

//           number of times specified by the user's profile parameter

//           FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account

// *Action:  Wait for PASSWORD_LOCK_TIME or contact DBA

#If the wrong password is entered more than the allowed number of times, the account is locked

#If the DBA locked the account, contact the DBA

 

1.3 Solutions

1.3.1 Query information

# SQL> alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss';

SQL>  select USERNAME,PASSWORD,ACCOUNT_STATUS,LOCK_DATE,PROFILE from dba_users where username ='YANG';

YANG                   -- username

LOCKED                 -- account status

2018-01-14 01:25:21    -- lock time

DEFAULT                -- profile (default)

 

1.3.2 Query the hash value of the user password 

SQL> select name,password from user$ where name='YANG';

 

NAME       PASSWORD

---------- ------------------------------------------------------------

YANG BF382C1C900CB086

 

1.3.2 Use the password hash value to unlock the user without changing the password

SQL> alter user yang identified by values 'BF382C1C900CB086' account unlock;

 

1.3.3 Verification

SQL> conn yang/asfqr1rfa10

Connected.
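
The statement above passes only the 10g-style hash stored in user$.password. The following PL/SQL block is an added example, not part of the original post, that generalizes it for 11g and later: it also carries over the verifiers in user$.spare4, so the unlock does not leave the account with only the older hash, then reports the resulting status and password versions. It assumes a SYSDBA session and reuses the page's YANG test account.

```sql
-- Added example (not from the original post). Run as SYSDBA on 11g or later.
SET SERVEROUTPUT ON
DECLARE
  v_user     VARCHAR2(128) := 'YANG';       -- account name used on this page
  v_des      sys.user$.password%TYPE;       -- 10g-style hash
  v_spare4   sys.user$.spare4%TYPE;         -- 11g+ verifiers (S:...;H:...;T:...)
  v_values   VARCHAR2(4000);
  v_status   dba_users.account_status%TYPE;
  v_versions dba_users.password_versions%TYPE;
BEGIN
  -- type# = 1 restricts the lookup to users (roles share this table).
  SELECT password, spare4
    INTO v_des, v_spare4
    FROM sys.user$
   WHERE name = v_user AND type# = 1;

  -- Join whichever verifiers exist: '<spare4>;<10g hash>'.
  -- NULL concatenates as an empty string, so TRIM removes a dangling ';'.
  v_values := TRIM(BOTH ';' FROM v_spare4 || ';' || v_des);

  IF v_values IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001,
      'No stored verifier for ' || v_user || '; cannot preserve the password');
  END IF;

  -- DBMS_ASSERT quotes the identifier and the literal safely.
  EXECUTE IMMEDIATE
       'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE)
    || ' IDENTIFIED BY VALUES ' || DBMS_ASSERT.ENQUOTE_LITERAL(v_values)
    || ' ACCOUNT UNLOCK';

  -- Confirm the status and that no verifier version was dropped.
  SELECT account_status, password_versions
    INTO v_status, v_versions
    FROM dba_users
   WHERE username = v_user;

  DBMS_OUTPUT.PUT_LINE(v_user || ': ' || v_status
                       || ', password versions: ' || v_versions);
END;
/
```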

 

1.3.4 Set the password to never expire

Under the default profile, passwords expire after 180 days; the profile parameter can be modified

#Query user account password expiration time

SQL>  alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss';

SQL>  select username,expiry_date from dba_users where username in('HR','YANG');

USERNAME                                                     EXPIRY_DATE

------------------------------------------------------------ -------------------

YANG                                                         2018-07-13 01:49:18

HR                                                           2018-07-12 06:09:24

 

SQL> select sysdate from dual;

2018-01-14 01:55:04

 

#Change to unlimited

alter profile default limit password_life_time unlimited;

 

#Query verification

SQL> select username,expiry_date from dba_users where username in('HR','YANG');

 

USERNAME   EXPIRY_DATE

---------- -------------------

YANG

HR

 

#Extension: the number of failed login attempts allowed (FAILED_LOGIN_ATTEMPTS) can be changed to unlimited in the same way, but be careful: accounts then never lock after repeated wrong passwords
