There is a common misconception that being able to log in AS SYSDBA with any username is a security breach. This post aims to avoid the panic caused by that wrong assumption: when this happens, you are in fact O/S authenticated.
A user is able to connect AS SYSDBA/SYSOPER using the following authentication methods:
1. Operating System authentication (explicit) syntax:
SQL> CONNECT / AS SYSDBA
SQL> CONNECT / AS SYSOPER
2. Passwordfile authentication syntax:
SQL> CONNECT username/password[@TNS_ALIAS] AS SYSDBA
SQL> CONNECT username/password[@TNS_ALIAS] AS SYSOPER
If Operating System authentication is configured and an OS user is a member of the special groups OSDBA or OSOPER, then the OS user does not have to provide any credentials when connecting to the database AS SYSDBA or AS SYSOPER from the RDBMS Server host machine using the Bequeath (BEQ) protocol. As long as the session is not established through the listener, OS authentication will be used and the credentials provided will be ignored. This means that users who are able to use OS authentication can use any username and any password to connect to the database locally on the RDBMS Server:
Using the following syntax:
SQL> connect any_username/any_password AS SYSDBA
SQL> connect / AS SYSDBA
gets you connected as long as the operating system user is part of the OSDBA or OSOPER groups. If you have configured OS authentication, then you SHOULD strictly control who is a member of:
- the 'OSDBA' or 'OSOPER' groups on Unix (defined in $ORACLE_HOME/lib/config.[cs])
- the 'ORA_[sid]_DBA' or 'ORA_DBA' groups on NT.
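One way to audit membership of the Unix OSDBA group, as an added example that is not part of the original post. It assumes the OSDBA group is named "dba"; the function names, the approved-account list and the sample files are constructed for illustration. It also counts accounts that have the group as their primary GID, which the member list in the group file does not show.

```shell
#!/bin/sh
# Added example. Assumption: the OSDBA group is named "dba" (a common default).

# osdba_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints every account in GROUP: supplementary members (group file, field 4)
# plus accounts whose primary GID (passwd file, field 4) is the group's GID.
osdba_members() {
    awk -F: -v grp="$1" '
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }
    ' "${2:-/etc/group}" "${3:-/etc/passwd}" | sort -u
}

# osdba_unexpected GROUP "APPROVED ACCOUNTS" [GROUP_FILE] [PASSWD_FILE]
# Prints members of GROUP that are not in the approved list; returns 1 if any.
osdba_unexpected() {
    rc=0
    for u in $(osdba_members "$1" "$3" "$4"); do
        case " $2 " in
            *" $u "*) ;;
            *) echo "$u"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not from a real host): jsmith is absent from the
# dba line in the group file but has dba as primary group.
make_sample() {
    cat > "$1/group" <<'EOF'
oinstall:x:54321:oracle
dba:x:54322:oracle,backup_svc
EOF
    cat > "$1/passwd" <<'EOF'
oracle:x:54321:54321::/home/oracle:/bin/bash
backup_svc:x:1001:1001::/home/backup_svc:/bin/sh
jsmith:x:1002:54322::/home/jsmith:/bin/bash
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
osdba_unexpected dba "oracle" "$tmp/group" "$tmp/passwd" || echo "^ not approved for OSDBA"
rm -rf "$tmp"
```

Called without file arguments, the functions read /etc/group and /etc/passwd; on hosts that resolve accounts through a directory service, save the output of getent group and getent passwd to files and pass those instead.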
Frequently Asked Questions
1) My password is correct, or isn’t it?
A side effect seen in support practice: some users report ORA-1017 for remote SYSDBA connections and assume that a certain password is correct 'because it works when connected to the host directly', when what they ran on the host was:
sql> connect sys/somepassword as sysdba
while in fact 'somepassword' is incorrect and the ORA-1017 was justified. Please consider this possible misconception before reporting problems.
2) To what database am I connected anyway?
Be aware that if you connect to a remote database as a normal user and subsequently issue connect / as sysdba, the sqlplus client will not attempt to connect you to the same remote database, but to the local one. If you are not sure which database you are connected to, run this query:
SQL> SELECT NAME FROM V$DATABASE;
Adding Users to Oracle Passwordfile (Oracle Passwordfile Authentication)