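[20180316] Changing the password aging of the oracle user.txt
--//Yesterday I read a blog post, "Stop password for user accounts expiring on Exadata". Link:
--//https://blog.zeddba.com/2018/03/14/stop-password-for-user-accounts-expiring-on-exadata/
--//It discusses password aging for the oracle OS user. I had actually run into this problem before; the direct result
--//was that cron could no longer run properly. I am also making a note of it for myself: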
# chage -l oracle
Last password change : Aug 21, 2015
Password expires : May 16, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 999
Number of days of warning before password expires : 7
--//Actually I have already changed it once; it expires on 2018/5/16.
SCOTT@book> select to_date('2015/8/21','yyyy/mm/dd')+999 dd from dual ;
DD
-------------------
2018-05-16 00:00:00
--//This matches exactly. Now look at the grid user, which I have not modified:
# chage -l grid
Last password change : Oct 10, 2014
Password expires : Jul 05, 2017
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 999
Number of days of warning before password expires : 7
--//You can see that the grid user's password expired long ago. The author gives this suggestion for changing it:
The manual page for chage explains the switches:
-d, --lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in
the format YYYY-MM-DD (or the format more commonly used in your area). If the LAST_DAY is set to 0 the user is forced
to change his password on the next log on.
-E, --expiredate EXPIRE_DATE
Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date
may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is
locked must contact the system administrator before being able to use the system again.
Passing the number -1 as the EXPIRE_DATE will remove an account expiration date.
-m, --mindays MIN_DAYS
Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the
user may change his/her password at any time.
-M, --maxdays MAX_DAYS
Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current
day, the user will be required to change his/her password before being able to use his/her account. This occurrence can
be planned for in advance by use of the -W option, which provides the user with advance warning.
Passing the number -1 as MAX_DAYS will remove checking a password's validity.
# chage -d 9999 -E -1 -m 0 -M -1 oracle
# chage -l oracle
Last password change : May 18, 1997
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : -1
Number of days of warning before password expires : 7
--//This way it never expires. The -d parameter seemed odd to me:
-d, --lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in
the format YYYY-MM-DD (or the format more commonly used in your area). If the LAST_DAY is set to 0 the user is forced
to change his password on the next log on.
SCOTT@book> select to_date('1970/1/1','yyyy/mm/dd')+9999 dd from dual ;
DD
-------------------
1997-05-18 00:00:00
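--//Actually these settings conflict with the security classified-protection (等保) requirements. I don't know whether our team is aware of it. In fact, last time I already raised this problem with the people implementing the classified-protection work.
--//I don't know how our team's developers monitor and manage this; I am truly disappointed with such a team.
--//If you want to limit password aging, you must know the consequences it can bring.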
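--//Added example, not part of the original note: a shell check that applies the same LAST_DAY + MAX_DAYS arithmetic
--//to shadow(5)-format lines, so an account such as oracle or grid is flagged before expiry breaks cron.
--//The sample lines, the placeholder hash "x" and the name oracle_after_chage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original note): password-aging status from
# shadow(5)-format lines: name:hash:lastchg:min:max:warn:inactive:expire:
# All day counts are days since 1970-01-01, the unit chage -d uses.

# aging_status LINE TODAY -> prints "name state [days]"
aging_status() {
    today=$2
    # A non-whitespace IFS keeps empty fields in position.
    IFS=: read -r name _hash lastchg _min max warn _rest <<EOF
$1
EOF
    if [ -z "$lastchg" ]; then
        echo "$name aging-disabled"      # empty lastchg: no aging at all
    elif [ "$lastchg" -eq 0 ]; then
        echo "$name must-change-at-next-login"
    elif [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo "$name never"               # empty or -1, as after chage -M -1
    else
        # Expired once LAST_DAY + MAX_DAYS is less than the current day.
        left=$(( lastchg + max - today ))
        if [ "$left" -lt 0 ]; then
            echo "$name expired $(( -left ))"
        elif [ "$left" -le "${warn:-0}" ]; then
            echo "$name warning $left"
        else
            echo "$name ok $left"
        fi
    fi
}

# Constructed sample lines built from the chage -l output above
# (16668 = 2015-08-21, 16353 = 2014-10-10); "x" stands in for the hash.
SAMPLE='oracle:x:16668:1:999:7:::
grid:x:16353:1:999:7:::
oracle_after_chage:x:9999:0::7:::'

TODAY=17606   # 2018-03-16, the date of this note
echo "$SAMPLE" | while IFS= read -r line; do
    aging_status "$line" "$TODAY"
done
```

--//On a live host, run it as root over the output of getent shadow for each service account, with TODAY=$(( $(date +%s) / 86400 )).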