Oracle 19c profile test: password_life_time and password_grace_time
OS environment : Oracle Linux 8.4 (64bit)
DB environment : Oracle Database 19.3.0.0
Method : Oracle 19c profile password_life_time / password_grace_time test
This post sets the profile's password_life_time and password_grace_time to 10 days each,
waits until 10 days have passed and account_status has changed to EXPIRED(GRACE),
and then checks what happens when the user's profile password_grace_time is changed to unlimited.

Create the sample profile and user
SQL>
drop user imsi cascade;
drop profile new_pf;
create profile new_pf limit
password_life_time 10
password_grace_time 10
password_reuse_time 365
password_reuse_max 5
password_lock_time unlimited
failed_login_attempts 10
password_verify_function null;
create user imsi identified by imsi profile new_pf;
grant resource, connect to imsi;

Check the user status and profile
SQL>
alter session set nls_date_format='yyyy/mm/dd hh24:mi:ss';
set lines 200 pages 1000
col profile for a10
col account_status for a20
col username for a10
select username, account_status, lock_date, sysdate, expiry_date, profile
from dba_users
where username = 'IMSI';
USERNAME   ACCOUNT_STATUS       LOCK_DATE           SYSDATE             EXPIRY_DATE         PROFILE
---------- -------------------- ------------------- ------------------- ------------------- ----------
IMSI       OPEN                                     2024/10/08 00:30:15 2024/10/18 00:30:08 NEW_PF

Based on the system time (2024/10/08 00:30:15), the account is scheduled to expire 10 days later, on October 18.

Advance the OS date by 10 days or more, then check in the DB
SQL> select sysdate from dual;
SYSDATE
-------------------
2024/10/18 00:31:06

It is now October 18.

Attempt to connect as the sample user
SQL> conn imsi/imsi
ERROR:
ORA-28002: the password will expire within 10 days
Connected.

It reports that the password will expire within 10 days.

Check the user status and profile
SQL>
conn / as sysdba
alter session set nls_date_format='yyyy/mm/dd hh24:mi:ss';
set lines 200 pages 1000
col profile for a10
col account_status for a20
col username for a10
select username, account_status, lock_date, sysdate, expiry_date, profile
from dba_users
where username = 'IMSI';
USERNAME   ACCOUNT_STATUS       LOCK_DATE           SYSDATE             EXPIRY_DATE         PROFILE
---------- -------------------- ------------------- ------------------- ------------------- ----------
IMSI       EXPIRED(GRACE)                           2024/10/18 00:31:22 2024/10/28 00:31:16 NEW_PF

ACCOUNT_STATUS has changed to EXPIRED(GRACE).
Based on the system time (2024/10/19 00:31:22), the account is scheduled to expire 10 days later, on October 28.

Change password_grace_time to unlimited
SQL>
alter profile new_pf limit
password_life_time 10
password_grace_time unlimited
password_reuse_time 365
password_reuse_max 5
password_lock_time unlimited
failed_login_attempts 10
password_verify_function null;
Profile altered.

Advance the OS date by 10 days or more, then check in the DB
SQL> select sysdate from dual;
SYSDATE
-------------------
2024/10/28 00:34:03

It is now October 28.

Attempt to connect as the sample user
SQL> conn imsi/imsi
ERROR:
ORA-28011: the password has expired; change your password now
Connected.
SQL> create table test (col1 number);
Table created.

It reports that the password has expired and must be changed, but the connection succeeds and creating a table is also possible.

Check the user status and profile
SQL>
conn / as sysdba
alter session set nls_date_format='yyyy/mm/dd hh24:mi:ss';
set lines 200 pages 1000
col profile for a10
col account_status for a20
col username for a10
select username, account_status, lock_date, sysdate, expiry_date, profile
from dba_users
where username = 'IMSI';
USERNAME   ACCOUNT_STATUS       LOCK_DATE           SYSDATE             EXPIRY_DATE         PROFILE
---------- -------------------- ------------------- ------------------- ------------------- ----------
IMSI       EXPIRED(GRACE)                           2024/10/28 00:34:22                     NEW_PF

ACCOUNT_STATUS is still EXPIRED(GRACE).
Based on the system time (2024/10/30 00:34:22), no expiration date (EXPIRY_DATE) is shown.

Reference 1
In the scenario above, when the date is advanced by 10 days without changing the profile's password_grace_time to unlimited:

Sample user connection after the 10 days
SQL> conn imsi/imsi
ERROR:
ORA-28001: the password has expired
Changing password for imsi
New password:

It prompts for a password change.

Exit with Ctrl+C without changing the password, then check the user status
SQL>
conn / as sysdba
alter session set nls_date_format='yyyy/mm/dd hh24:mi:ss';
set lines 200 pages 1000
col profile for a10
col account_status for a20
col username for a10
select username, account_status, lock_date, sysdate, expiry_date, profile
from dba_users
where username = 'IMSI';
USERNAME   ACCOUNT_STATUS       LOCK_DATE           SYSDATE             EXPIRY_DATE         PROFILE
---------- -------------------- ------------------- ------------------- ------------------- ----------
IMSI       EXPIRED                                  2024/10/28 00:53:41 2024/10/28 00:52:10 NEW_PF

ACCOUNT_STATUS is shown as EXPIRED.

Reference 2
How to set a user's password to the same password without knowing the password

Check the password's spare4 value
SQL>
set lines 400
select name, spare4 from user$ where name = 'IMSI';
NAME
--------------------------------------------------------------------------------------------------------------------------------
SPARE4
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
IMSI
S:0820FA70872A14E66BB1E0429429B9B36AF2CAF03AD9BB072294D10A0D69;T:927CE70983E7A9FB625862BA5C100B6D59A51DD582AF67C2AE37D3E0268EA55FED9B6A746770CB4F20EEAB66A6EBEC1752919B9AFED807FCDCE2EE10D0B223A02B5D7F45FE0EBFA76501FA4C6D132C29

Change the password (using the identified by values clause)
SQL> alter user imsi identified by values 'S:0820FA70872A14E66BB1E0429429B9B36AF2CAF03AD9BB072294D10A0D69;T:927CE70983E7A9FB625862BA5C100B6D59A51DD582AF67C2AE37D3E0268EA55FED9B6A746770CB4F20EEAB66A6EBEC1752919B9AFED807FCDCE2EE10D0B223A02B5D7F45FE0EBFA76501FA4C6D132C29';
*
ERROR at line 1:
ORA-28007: the password cannot be reused

The profile prevents the password from being reused.
In this case, either use a different password
or temporarily change the profile to unlimited and then make the change.

Back up the existing profile
SQL>
set lines 200 pages 1000
SELECT 'ALTER PROFILE ' || profile || ' LIMIT ' ||
resource_name || ' ' || limit || ';' AS alter_sql
FROM dba_profiles
WHERE profile = 'NEW_PF';
ALTER_SQL
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ALTER PROFILE NEW_PF LIMIT COMPOSITE_LIMIT DEFAULT;
ALTER PROFILE NEW_PF LIMIT SESSIONS_PER_USER DEFAULT;
ALTER PROFILE NEW_PF LIMIT CPU_PER_SESSION DEFAULT;
ALTER PROFILE NEW_PF LIMIT CPU_PER_CALL DEFAULT;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_SESSION DEFAULT;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_CALL DEFAULT;
ALTER PROFILE NEW_PF LIMIT IDLE_TIME DEFAULT;
ALTER PROFILE NEW_PF LIMIT CONNECT_TIME DEFAULT;
ALTER PROFILE NEW_PF LIMIT PRIVATE_SGA DEFAULT;
ALTER PROFILE NEW_PF LIMIT FAILED_LOGIN_ATTEMPTS 10;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LIFE_TIME 10;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_TIME 365;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_MAX 5;
ALTER PROFILE NEW_PF LIMIT PASSWORD_VERIFY_FUNCTION NULL;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LOCK_TIME UNLIMITED;
ALTER PROFILE NEW_PF LIMIT PASSWORD_GRACE_TIME UNLIMITED;
ALTER PROFILE NEW_PF LIMIT INACTIVE_ACCOUNT_TIME DEFAULT;
ALTER PROFILE NEW_PF LIMIT PASSWORD_ROLLOVER_TIME DEFAULT;

Generate the unlimited profile statements
SQL>
set lines 200 pages 1000
SELECT 'ALTER PROFILE ' || profile || ' LIMIT ' ||
resource_name || ' unlimited;' AS alter_sql
FROM dba_profiles
WHERE profile = 'NEW_PF';
ALTER_SQL
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ALTER PROFILE NEW_PF LIMIT COMPOSITE_LIMIT unlimited;
ALTER PROFILE NEW_PF LIMIT SESSIONS_PER_USER unlimited;
ALTER PROFILE NEW_PF LIMIT CPU_PER_SESSION unlimited;
ALTER PROFILE NEW_PF LIMIT CPU_PER_CALL unlimited;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_SESSION unlimited;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_CALL unlimited;
ALTER PROFILE NEW_PF LIMIT IDLE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT CONNECT_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PRIVATE_SGA unlimited;
ALTER PROFILE NEW_PF LIMIT FAILED_LOGIN_ATTEMPTS unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LIFE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_MAX unlimited;
--ALTER PROFILE NEW_PF LIMIT PASSWORD_VERIFY_FUNCTION unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LOCK_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_GRACE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT INACTIVE_ACCOUNT_TIME unlimited;
--ALTER PROFILE NEW_PF LIMIT PASSWORD_ROLLOVER_TIME unlimited;

Of these, unlimited cannot be applied directly to PASSWORD_VERIFY_FUNCTION and PASSWORD_ROLLOVER_TIME, so if the existing value is default it must be left at default.

Run the unlimited profile SQL above
SQL> (run the unlimited statements)
ALTER PROFILE NEW_PF LIMIT COMPOSITE_LIMIT unlimited;
ALTER PROFILE NEW_PF LIMIT SESSIONS_PER_USER unlimited;
ALTER PROFILE NEW_PF LIMIT CPU_PER_SESSION unlimited;
ALTER PROFILE NEW_PF LIMIT CPU_PER_CALL unlimited;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_SESSION unlimited;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_CALL unlimited;
ALTER PROFILE NEW_PF LIMIT IDLE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT CONNECT_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PRIVATE_SGA unlimited;
ALTER PROFILE NEW_PF LIMIT FAILED_LOGIN_ATTEMPTS unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LIFE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_MAX unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LOCK_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT PASSWORD_GRACE_TIME unlimited;
ALTER PROFILE NEW_PF LIMIT INACTIVE_ACCOUNT_TIME unlimited;

Check the profile
SQL>
set lines 200 pages 1000
col limit for a20
SELECT profile, resource_name, limit
FROM dba_profiles
WHERE profile = 'NEW_PF';
PROFILE RESOURCE_NAME LIMIT
------------------------------ -------------------------------- --------------------
NEW_PF COMPOSITE_LIMIT UNLIMITED
NEW_PF SESSIONS_PER_USER UNLIMITED
NEW_PF CPU_PER_SESSION UNLIMITED
NEW_PF CPU_PER_CALL UNLIMITED
NEW_PF LOGICAL_READS_PER_SESSION UNLIMITED
NEW_PF LOGICAL_READS_PER_CALL UNLIMITED
NEW_PF IDLE_TIME UNLIMITED
NEW_PF CONNECT_TIME UNLIMITED
NEW_PF PRIVATE_SGA UNLIMITED
NEW_PF FAILED_LOGIN_ATTEMPTS UNLIMITED
NEW_PF PASSWORD_LIFE_TIME UNLIMITED
NEW_PF PASSWORD_REUSE_TIME UNLIMITED
NEW_PF PASSWORD_REUSE_MAX UNLIMITED
NEW_PF PASSWORD_VERIFY_FUNCTION NULL
NEW_PF PASSWORD_LOCK_TIME UNLIMITED
NEW_PF PASSWORD_GRACE_TIME UNLIMITED
NEW_PF INACTIVE_ACCOUNT_TIME UNLIMITED
NEW_PF PASSWORD_ROLLOVER_TIME DEFAULT
18 rows selected.

The limits have been changed to unlimited.

Change the password (using the identified by values clause)
SQL> alter user imsi identified by values 'S:0820FA70872A14E66BB1E0429429B9B36AF2CAF03AD9BB072294D10A0D69;T:927CE70983E7A9FB625862BA5C100B6D59A51DD582AF67C2AE37D3E0268EA55FED9B6A746770CB4F20EEAB66A6EBEC1752919B9AFED807FCDCE2EE10D0B223A02B5D7F45FE0EBFA76501FA4C6D132C29';
User altered.

The password was changed successfully.

Roll back the profile
SQL> (run the backed-up statements)
ALTER PROFILE NEW_PF LIMIT COMPOSITE_LIMIT DEFAULT;
ALTER PROFILE NEW_PF LIMIT SESSIONS_PER_USER DEFAULT;
ALTER PROFILE NEW_PF LIMIT CPU_PER_SESSION DEFAULT;
ALTER PROFILE NEW_PF LIMIT CPU_PER_CALL DEFAULT;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_SESSION DEFAULT;
ALTER PROFILE NEW_PF LIMIT LOGICAL_READS_PER_CALL DEFAULT;
ALTER PROFILE NEW_PF LIMIT IDLE_TIME DEFAULT;
ALTER PROFILE NEW_PF LIMIT CONNECT_TIME DEFAULT;
ALTER PROFILE NEW_PF LIMIT PRIVATE_SGA DEFAULT;
ALTER PROFILE NEW_PF LIMIT FAILED_LOGIN_ATTEMPTS 10;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LIFE_TIME 10;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_TIME 365;
ALTER PROFILE NEW_PF LIMIT PASSWORD_REUSE_MAX 5;
ALTER PROFILE NEW_PF LIMIT PASSWORD_VERIFY_FUNCTION NULL;
ALTER PROFILE NEW_PF LIMIT PASSWORD_LOCK_TIME UNLIMITED;
ALTER PROFILE NEW_PF LIMIT PASSWORD_GRACE_TIME UNLIMITED;
ALTER PROFILE NEW_PF LIMIT INACTIVE_ACCOUNT_TIME DEFAULT;
ALTER PROFILE NEW_PF LIMIT PASSWORD_ROLLOVER_TIME DEFAULT;

Attempt to connect as the sample user
SQL> conn imsi/imsi
Connected.

The connection succeeds.

Check the user status and profile
SQL>
conn / as sysdba
alter session set nls_date_format='yyyy/mm/dd hh24:mi:ss';
set lines 200 pages 1000
col profile for a10
col account_status for a20
col username for a10
select username, account_status, lock_date, sysdate, expiry_date, profile
from dba_users
where username = 'IMSI';
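USERNAME   ACCOUNT_STATUS       LOCK_DATE           SYSDATE             EXPIRY_DATE         PROFILE
---------- -------------------- ------------------- ------------------- ------------------- ----------
IMSI       OPEN                                     2024/10/28 00:50:04 2024/11/07 00:48:48 NEW_PF

Conclusion :
When password_life_time and password_grace_time are both set to 10 days in the profile,
a warning is displayed for 10 days before the user's password expires, and the account switches to the EXPIRED(GRACE) state.
In this state a warning message appears at login, and the user is asked to change the password.
However, if password_grace_time is changed to unlimited, the account stays in EXPIRED(GRACE) even after the password has expired,
and the user can keep connecting to the account without changing the password immediately.
A message that the password has expired and must be changed still appears, but work inside the database, such as creating tables, can be carried out normally.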
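
The conclusion above can be turned into an audit check. The query below is an added example, not part of the original post; it assumes read access to DBA_USERS and DBA_PROFILES and lists password-authenticated, unlocked accounts whose effective PASSWORD_GRACE_TIME is UNLIMITED while PASSWORD_LIFE_TIME is finite, so that password expiry is announced but never enforced.

```sql
-- Added example (not from the original post): find accounts for which
-- password expiry is not enforced because the grace period never ends.
with effective_limit as (
  select p.profile,
         p.resource_name,
         -- A limit of DEFAULT means "inherit the value of the DEFAULT profile".
         case when p.limit = 'DEFAULT' then d.limit else p.limit end as limit
  from   dba_profiles p
  left join dba_profiles d
         on  d.profile = 'DEFAULT'
         and d.resource_name = p.resource_name
  where  p.resource_type = 'PASSWORD'
    and  p.resource_name in ('PASSWORD_LIFE_TIME', 'PASSWORD_GRACE_TIME')
),
per_profile as (
  -- One row per profile with both effective limits side by side.
  select profile,
         max(case when resource_name = 'PASSWORD_LIFE_TIME'  then limit end) as life_time,
         max(case when resource_name = 'PASSWORD_GRACE_TIME' then limit end) as grace_time
  from   effective_limit
  group  by profile
)
select u.username,
       u.account_status,
       u.expiry_date,
       u.last_login,
       u.profile,
       pp.life_time,
       pp.grace_time,
       case
         when u.account_status like 'EXPIRED(GRACE)%'
           then 'expired password still accepted'
         else 'expiry will not be enforced'
       end as finding
from   dba_users u
join   per_profile pp on pp.profile = u.profile
where  pp.grace_time = 'UNLIMITED'
  and  pp.life_time <> 'UNLIMITED'
  and  u.authentication_type = 'PASSWORD'
  and  u.account_status not like '%LOCKED%'
order  by case when u.account_status like 'EXPIRED(GRACE)%' then 0 else 1 end,
          u.username;
```

In the test scenario of this post, IMSI would be returned with the first finding while NEW_PF has password_grace_time set to unlimited.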
References :
https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/DBA_USERS.html
https://positivemh.tistory.com/831