1. Problem Description:
In a production environment, Zabbix raised an alert that a business user's password is about to expire. How can this be resolved without knowing the business user's password?
2. Experiment 1:
1) Create a new user test, grant it the resource and connect roles, and test connecting as the test user
SYS@PROD4 >create user test identified by test;
User created.
SYS@PROD4 >grant resource to test;
Grant succeeded.
SYS@PROD4 >grant connect to test;
Grant succeeded.
SYS@PROD4 >conn test/test;
Connected.
2) Check the test user's status (OPEN)
TEST@PROD4 >conn / as sysdba
Connected.
SYS@PROD4 >set linesize 200 pagesize 200
SYS@PROD4 >col username for a10
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='TEST';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- --- --------------------------- -------------------------------- --------- --------- --------- --------
TEST OPEN 20-AUG-20 22-FEB-20 10G 11G
3) Lock the test user and verify
SYS@PROD4 >alter user test account lock;
User altered.
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='TEST';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- ------------------------------ -------------------------------- --------- --------- --------- --------
TEST LOCKED 22-FEB-20 20-AUG-20 22-FEB-20 10G 11G
SYS@PROD4 >conn test/test;
ERROR:
ORA-28000: the account is locked
Warning: You are no longer connected to ORACLE.
@ >conn / as sysdba
Connected.
4) Look up the ORA-28000 error
SYS@PROD4 >!oerr ora 28000
28000, 00000, "the account is locked"
// *Cause: The user has entered wrong password consequently for maximum
// number of times specified by the user's profile parameter
// FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
// *Action: Wait for PASSWORD_LOCK_TIME or contact DBA
5) Check the hash value of the test user's password in user$
SYS@PROD4 >select name,password from user$ where name='TEST';
NAME PASSWORD
---------------- ------------------------------ --------------
TEST 7A0F2B316C212D67
6) Unlock the test user using the hash value
SYS@PROD4 >alter user test identified by values '7A0F2B316C212D67' account unlock;
User altered.
7) Connect as the test user with the original password
SYS@PROD4 >conn test/test;
Connected.
TEST@PROD4 >show user;
USER is "TEST"
Conclusion: without knowing the password, you can query the user's password hash value and unlock the user without changing the password.
Experiment 2:
1) Check the hash of the scott user's password
TEST@PROD4 >conn / as sysdba
Connected.
SYS@PROD4 >select name,password from user$ where name='SCOTT';
NAME PASSWORD
----------- ------------------------------ -------------------
SCOTT F894844C34402B67
2) Check the scott user's expiration time
SYS@PROD4 >set linesize 200 pagesize 200
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='SCOTT';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- ------------------------------ -------------------------------- --------- --------- --------- --------
SCOTT OPEN 07-AUG-20 18-SEP-11 10G 11G
3) Use the hash of the scott user's password to reset the expiration time
SYS@PROD4 >alter user SCOTT identified by values 'F894844C34402B67';
User altered.
4) Check the scott user's password expiration time (it has been reset)
SYS@PROD4 >select username,password,account_status,lock_date,expiry_date,created,password_versions from dba_users where username='SCOTT';
USERNAME PASSWORD ACCOUNT_STATUS LOCK_DATE EXPIRY_DA CREATED PASSWORD
---------- ------------------------------ ---------- ---------------------- --------- --------- ----------- -------
SCOTT OPEN 20-AUG-20 18-SEP-11 10G
5) Verify that the scott user can still log in with the original password
SYS@PROD4 >conn scott/tiger;
Connected.
SCOTT@PROD4 >show user;
USER is "SCOTT"
Conclusion: without knowing the password, you can reset the validity period of the user's password.
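Experiment 2 writes back only the 10G hash from user$.password, so the 11G verifier the account had before the reset (PASSWORD_VERSIONS "10G 11G") is not carried over. The PL/SQL block below is an added example, not part of the original post: it generalizes the same reset so that both verifiers are re-applied, assuming an 11g database where user$.spare4 stores the 11G verifier as S: followed by 60 hex characters. The variable names and the v_apply switch are illustrative.

```sql
-- Added example, not from the original post. Run as SYSDBA in SQL*Plus on 11g.
-- Assumptions: SYS.USER$.PASSWORD holds the 10G hash (16 hex chars) and
-- SYS.USER$.SPARE4 holds the 11G verifier ('S:' followed by 60 hex chars).
set serveroutput on
declare
  v_user     varchar2(30) := 'SCOTT';  -- account used in Experiment 2
  v_apply    boolean      := false;    -- false = only print the statement
  v_hash10   sys.user$.password%type;
  v_hash11   sys.user$.spare4%type;
  v_values   varchar2(4000);
  v_stmt     varchar2(4000);
  v_versions dba_users.password_versions%type;
  v_expiry   dba_users.expiry_date%type;
begin
  select password, spare4 into v_hash10, v_hash11
    from sys.user$
   where name = v_user and type# = 1;  -- type# 1 = user, 0 = role

  -- Refuse anything that is not a plain verifier before building DDL from it.
  if v_hash10 is not null and not regexp_like(v_hash10, '^[0-9A-F]{16}$') then
    raise_application_error(-20001, 'unexpected 10G hash format');
  end if;
  if v_hash11 is not null and not regexp_like(v_hash11, '^S:[0-9A-F]{60}$') then
    raise_application_error(-20002, 'unexpected 11G verifier format');
  end if;

  -- Supplying both verifiers keeps PASSWORD_VERSIONS at "10G 11G".
  v_values := case
                when v_hash11 is not null and v_hash10 is not null
                  then v_hash11 || ';' || v_hash10
                else nvl(v_hash11, v_hash10)
              end;
  if v_values is null then
    raise_application_error(-20003, 'no password verifier stored for ' || v_user);
  end if;

  v_stmt := 'alter user ' || dbms_assert.enquote_name(v_user, false)
         || ' identified by values ''' || v_values || '''';
  dbms_output.put_line(v_stmt);

  if v_apply then
    execute immediate v_stmt;
    select password_versions, expiry_date into v_versions, v_expiry
      from dba_users where username = v_user;
    dbms_output.put_line('PASSWORD_VERSIONS=' || v_versions
                      || ' EXPIRY_DATE=' || to_char(v_expiry, 'DD-MON-YY'));
  end if;
end;
/
```

With v_apply left at false the block only prints the statement it would run, which allows the verifier string to be reviewed before anything is changed.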