
Fixing access denied error from Linux Server

You attempt to access a remote Linux machine and receive the following error after a logon attempt with the correct username/password combination. This indicates that the machine is not accepting password authentication as an access method. To resolve this issue, make the following change to the sshd_config file:

 

Error:

 

login as: root
root@192.168.1.220's password:
Access denied
root@192.168.1.220's password:

 

 

Steps to resolve this issue:

  1. Log on directly to the Linux console as the root user.
  2. Change directory to /etc/ssh

[root@oel1 ~]# cd /etc/ssh

  3. Open the file sshd_config

[root@oel1 ssh]# vi sshd_config

  4. Change the line <PasswordAuthentication no> to read <PasswordAuthentication yes>
  5. Stop the sshd service

[root@oel1 ssh]# service sshd stop

Stopping sshd:                                            [  OK  ]

[root@oel1 ssh]#

  6. Start the sshd service

[root@oel1 ssh]# service sshd start

Starting sshd:                                            [  OK  ]

[root@oel1 ssh]#

  7. Attempt to connect with username / password combination.

[root@oel1 ssh]# ssh 192.168.1.220
The authenticity of host '192.168.1.220 (192.168.1.220)' can't be established.
RSA key fingerprint is 74:e4:db:67:e9:7e:81:6f:dc:16:1d:06:25:7e:20:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.220' (RSA) to the list of known hosts.
Password:
Last login: Thu Oct  3 11:09:46 2013 from 192.168.1.78
[root@oel1 ~]#

 

You have successfully logged on with username and password.

 

Larry Catt
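
A check for the sshd_config edit in the post above, as an added example that is not part of the original post: sshd keeps the first value it reads for a keyword, so a `PasswordAuthentication yes` added below an existing `no` changes nothing. The function name and the sample file are assumptions made for illustration, and Include directives are not followed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report the PasswordAuthentication
# value that applies to the global section of an sshd_config-style file.
# Assumptions: function name and sample file are made up for illustration;
# Include directives are not followed.

# effective_password_auth FILE -> prints the value in effect ("yes" if unset)
effective_password_auth() {
    awk '
        /^[ \t]*#/ { next }                        # skip comments
        /^[ \t]*$/ { next }                        # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)              # "Keyword value" or "Keyword=value"
            key = tolower(f[1])                    # keywords are case-insensitive
            if (key == "match") exit               # Match blocks are conditional overrides
            if (key == "passwordauthentication") {
                print f[2]; found = 1; exit        # first value obtained wins
            }
        }
        END { if (!found) print "yes" }            # OpenSSH default when unset
    ' "$1"
}

# Constructed sample: "yes" was appended at the bottom, but an earlier "no"
# is still in the file, so password logins stay disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PasswordAuthentication no
# ... other settings ...
PasswordAuthentication yes
EOF
echo "effective PasswordAuthentication: $(effective_password_auth "$sample")"
rm -f "$sample"
```

On a live host, `sshd -t` checks the file for errors before the restart and `sshd -T` prints the configuration the daemon will actually use.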

Securing Oracle Listener with a password:

Normally, a connection to an Oracle database is made through an Oracle LISTENER process, which monitors a specific machine and port for requests to connect to one or more database instances. The LISTENER process is controlled by a utility named LSNRCTL, which is located under $ORACLE_HOME/bin. The listener provides the main connection access to most Oracle database systems, so if it is tampered with, it could prevent use of your database even though the RDBMS is up and running fine. In this article we will review password protecting your Oracle LISTENER from unauthorized shutdown. This article was written using LINUX but will work just as well on any OS.

1. Log on to your Oracle database server as the Oracle software owner, switch directories to your $ORACLE_HOME/network/admin and view the file listener.ora with the editor of your choice.

mylinux:> cd $ORACLE_HOME/network/admin
mylinux:> cat listener.ora
# LISTENER.ORA Network Configuration File: /opt/app/oracle/10.2.0/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER_ORCL =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.0.110)(PORT = 1521))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      )
    )
  )

SID_LIST_LISTENER_ORCL =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = orcl)
      (ORACLE_HOME = /opt/app/oracle/10.2.0)
    )

    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /opt/app/oracle/10.2.0)
      (PROGRAM = extproc)
    )
  )

mylinux:>

NOTE: There is no PASSWORDS_{listener_name} = {new_password} entry in the file yet, because no password has been established.

2. Exit the listener.ora file and startup the lsnrctl utility.

mylinux:> lsnrctl

LSNRCTL for LINUX: Version 10.2.0.4.0 - Production on 21-FEB-2010 16:30:52

Copyright (c) 1991, 2007, Oracle. All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL>

3. If you are not using the default name of the Oracle listener (LISTENER) then define the Oracle listener name with the following command: set current_listener {listener_name}

LSNRCTL> set current_listener listener_orcl
Current Listener is listener_orcl
LSNRCTL>

4. If your oracle listener is not currently running, start it up with the command: start

LSNRCTL> start
Starting /opt/app/oracle/10.2.0/bin/tnslsnr: please wait...

TNSLSNR for LINUX: Version 10.2.0.4.0 - Production
System parameter file is /opt/app/oracle/10.2.0/network/admin/listener.ora
Log messages written to /opt/app/oracle/10.2.0/network/log/listener_orcl.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.110)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.110)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     listener_orcl
Version                   TNSLSNR for LINUX: Version 10.2.0.4.0 - Production
Start Date                21-FEB-2010 16:32:55
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/10.2.0/network/admin/listener.ora
Listener Log File         /opt/app/oracle/10.2.0/network/log/listener_orcl.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.110)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
  Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>

5. To set a password for your listener execute the following lsnrctl command: change_password

NOTE: Hit return when asked for current password if none is set.

LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.110)(PORT=1521)))
Password changed for listener_orcl
The command completed successfully
LSNRCTL>

6. Save the changes made in the LSNRCTL utility with the command: save_config

LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.110)(PORT=1521)))
Saved listener_orcl configuration parameters.
Listener Parameter File /opt/app/oracle/10.2.0/network/admin/listener.ora
Old Parameter File /opt/app/oracle/10.2.0/network/admin/listener.bak
The command completed successfully
LSNRCTL>

7. Exit out of the lsnrctl utility and open the file listener.ora with the editor of your choice.

LSNRCTL> exit
mylinux:> cat listener.ora
# LISTENER.ORA Network Configuration File: /opt/app/oracle/10.2.0/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER_ORCL =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.0.110)(PORT = 1521))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      )
    )
  )

SID_LIST_LISTENER_ORCL =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = orcl)
      (ORACLE_HOME = /opt/app/oracle/10.2.0)
    )

    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /opt/app/oracle/10.2.0)
      (PROGRAM = extproc)
    )
  )

#----ADDED BY TNSLSNR 21-FEB-2010 16:37:01---
PASSWORDS_listener_orcl = 1DF5C2FD0FE9CFA2
#--------------------------------------------
mylinux:>

NOTE: The tag PASSWORDS_{listener_name} = {new_password} has been added to the file listener.ora, and the password is encrypted so it will not look like what you typed. You can shut down your listener with the password string you originally entered or with the encrypted string. However, without the password you will not be able to shut down the LISTENER process.

This completes securing the Oracle listener with a password.

Larry J. Catt, OCP 9i, 10g
oracle@allcompute.com
www.allcompute.com
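
An audit for the result of steps 5 to 7 above, as an added example that is not part of the original article: it lists listeners defined in a listener.ora-style file that have no PASSWORDS_{listener_name} entry, comparing names case-insensitively as in the file shown (LISTENER_ORCL and PASSWORDS_listener_orcl). The function name, the sample file and the rule used to recognise a listener entry are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): list listeners in a
# listener.ora-style file that have no PASSWORDS_<listener_name> entry.
# Assumption: a listener is a top-level entry whose value starts with
# (DESCRIPTION... or (ADDRESS...; the function name is made up.

# listeners_without_password FILE -> one lower-cased listener name per line
listeners_without_password() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[A-Za-z_][A-Za-z0-9_.]*[ \t]*=/ {        # top-level NAME = ... entry
            name = tolower($0); sub(/[ \t]*=.*/, "", name)
            rest = $0;          sub(/^[^=]*=[ \t]*/, "", rest)
            if (name ~ /^passwords_/) {            # PASSWORDS_<listener> = <string>
                has_pw[substr(name, 11)] = 1; pending = ""; next
            }
            pending = name
            if (rest == "") next                   # value starts on a later line
            $0 = rest
        }
        pending != "" {                            # first value token decides the type
            v = toupper($0); gsub(/[ \t]/, "", v)
            if (v ~ /^\((DESCRIPTION|ADDRESS)/) names[++n] = pending
            pending = ""
        }
        END { for (i = 1; i <= n; i++) if (!(names[i] in has_pw)) print names[i] }
    ' "$1"
}

# Constructed sample modelled on the file shown in step 1 (no password yet).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LISTENER_ORCL =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.0.110)(PORT = 1521))))
SID_LIST_LISTENER_ORCL =
  (SID_LIST =
    (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /opt/app/oracle/10.2.0)))
EOF
echo "listeners without a password: $(listeners_without_password "$sample")"
rm -f "$sample"
```

Because the note above says the stored string is accepted in place of the typed password, listener.ora should be readable only by the Oracle software owner.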

Oracle – Adding DBA user to password file:

Oracle provides for a normal DBA user account to remotely connect to a database with SYSDBA privileges through the use of a password file. This article will cover granting a normal DBA user the SYSDBA privilege which in turn adds the user to the password file for that database.
This allows the user to connect remotely to the database for the purpose of shutting down the database and starting the database.
This procedure will work on any OS.

1. From a remote machine, not your Oracle database server, attempt to connect as SYSDBA to your database with an account which has DBA privileges.

C:\> sqlplus ljcatt/password5@oracle as SYSDBA

SQL*Plus: Release 10.2.0.1.0 - Production on Sun Oct 18 13:32:27 2009

Copyright (c) 1982, 2005, Oracle. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:

Now attempt to connect without specifying SYSDBA privilege.

C:\> sqlplus ljcatt/password5@oracle

SQL*Plus: Release 10.2.0.1.0 - Production on Sun Oct 18 13:34:27 2009

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>

2. The first attempt fails with insufficient privileges because the user LJCATT is not recorded in the database password file for remote access with SYSDBA privilege. The following steps outline how to add the user LJCATT to the remote access password file.

3. Log on to your Oracle database server as the Oracle software owner.

4. Log on to SQLPLUS with SYSDBA privileges.

mylinux:> sqlplus '/ as SYSDBA'

SQL*Plus: Release 10.2.0.4.0 - Production on Sun Oct 18 13:42:31 2009

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>

5. Verify that you are using a password file by ensuring that the init parameter REMOTE_LOGIN_PASSWORDFILE is set to exclusive or shared.

SQL> show parameter password

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------
REMOTE_LOGIN_PASSWORDFILE            string      EXCLUSIVE
SQL>

6. If the REMOTE_LOGIN_PASSWORDFILE init parameter is set to NONE, adjust it to EXCLUSIVE or SHARED.

7. In SQLPLUS, grant the privilege SYSDBA to LJCATT.

SQL> grant SYSDBA to ljcatt;

Grant succeeded.

SQL>

8. Now, the user LJCATT has been added to the password file. From a remote machine, not your Oracle database server, attempt to connect to your database with the account LJCATT with SYSDBA.

C:\> sqlplus ljcatt/password5@oracle as SYSDBA

SQL*Plus: Release 10.2.0.1.0 - Production on Sun Oct 18 13:59:08 2009

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>

This completes adding a user to the remote password file for access as SYSDBA from a remote connection.

Larry J. Catt, OCP 9i, 10g
oracle@allcompute.com
www.allcompute.com