The Geek Diary

Why Can I Login AS SYSDBA With Any Username and Password

by

Due to the misconception about the AS SYSDBA login allowed with any username, this post wants to avoid the panic associated with the wrong assumption that it is a security breach that you can login with any username AS SYSDBA while in fact, you are O/S authenticated.

A user is able to connect AS SYSDBA/SYSOPER using the following authentication methods:

1. Operating System authentication (explicit) syntax:

SQL> CONNECT / AS SYSDBA

or

SQL> CONNECT / AS SYSOPER

2. Passwordfile authentication syntax:

SQL> CONNECT username/password[@TNS_ALIAS] AS SYSDBA

or

SQL> CONNECT username/password[@TNS_ALIAS] AS SYSOPER

If Operating System authentication is configured and an OS user is a member of the special groups OSDBA or OSOPER then the OS user does not have to provide any credentials while connecting to the database as SYSDBA or AS SYSOPER from the RDBMS Server host machine when using the Bequeath (BEQ) protocol. As long as the session is not established through the listener the OS Authentication will be used and the credentials provided will be ignored. This means that the users who are able to use the OS authentication can use any username and any password to connect to the database locally on the RDBMS Server:

Using the following syntax:

SQL> connect any_username/any_password AS SYSDBA

or

SQL> connect / AS SYSDBA

gets you connected as long as the operating system user is part of the OSDBA or OSOPER groups. If you have configured the OS Authentication then you SHOULD control strictly who are the members of :

  • the ‘OSDBA‘ or ‘OSOPER‘ groups on Unix (defined in $ORACLE_HOME/lib/config.[cs])
  • the ‘ORA_[sid]_DBA‘ or ‘ORA_DBA‘ groups on NT.
Note: If both OS Authentication And Passwordfile Authentication are configured and the connection is initiated from the RDBMS Server host machine using the bequeath protocol then the OS authentication will be used. A special case exists in Windows Domains if a Windows Domain user is a member of the ORA_DBA group on multiple database host machines in the same domain, this privilege will span multiple hosts and databases.

Frequently Asked Querstions

1) My password is correct, or isn’t it?

As a side phenomenon, from the support practice, some users report ora-1017 for remote sysdba connections, assuming a certain password is correct ‘because it works when connected to the host directly’ when they did:

sql> connect sys/somepassword as sysdba

while in fact ‘somepassword’ is incorrect and the ora-1017 was justified. Please consider this possible misconception before reporting problems.

2) To what database am I connected anyway?

Be aware that if you connect to a remote database as a normal user, and you subsequently do: connect / as sysdba the sqlplus client will not attempt to connect you to the same remote database, but the local one. If you are not sure to what database you are connected, run this query:

SQL> SELECT NAME FROM V$DATABASE;
How to Create the Oracle Password File using orapwd Command
Adding Users to Oracle Passwordfile (Oracle Passwordfile Authentication)

You May Also Like