Because AS SYSDBA logins succeed with any username, this FAQ aims to prevent the panic that comes from wrongly assuming this is a security breach: you can log in with any username AS SYSDBA because you are in fact O/S authenticated.
A user is able to connect AS SYSDBA/SYSOPER using the following authentication methods:
1. Operating System authentication (explicit) syntax:
SQL> CONNECT / AS SYSDBA
or
SQL> CONNECT / AS SYSOPER
2. Passwordfile authentication syntax
SQL> CONNECT username/password[@TNS_ALIAS] AS SYSDBA
or
SQL> CONNECT username/password[@TNS_ALIAS] AS SYSOPER
If you have configured Operating System authentication and an OS user is a member of the special groups OSDBA or OSOPER, then that OS user does not have to provide any credentials when connecting to the database AS SYSDBA or AS SYSOPER from the RDBMS Server host machine using the bequeath protocol. As long as the session is not established through the listener, OS authentication will be used and the credentials provided will be ignored. This means that users who are able to use OS authentication can use any username and any password to connect to the database locally on the RDBMS Server:
Using the following syntax:
SQL> connect any_username/any_password AS SYSDBA (except NULL value in 8 and 7)
or
SQL> connect / AS SYSDBA
gets you connected as long as the operating system user is part of the OSDBA or OSOPER groups.
If you have configured OS authentication, then you SHOULD strictly control who is a member of:
--> the 'OSDBA' or 'OSOPER' groups on Unix (defined in $ORACLE_HOME/lib/config.[cs])
--> the 'ORA_<sid>_DBA' or 'ORA_DBA' groups on NT
Note 1: If both OS authentication and passwordfile authentication are configured and the connection is initiated from the RDBMS Server host machine using the bequeath protocol, then OS authentication will be used.
Note 2: A special case exists in Windows Domains: if a Windows Domain user is a member of the ORA_DBA group on multiple database host machines in the same domain, this privilege will span multiple hosts and databases.
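The membership control recommended above can be checked on Unix with a small audit script. This is an added example, not part of the original FAQ; the group names 'dba' and 'oper', the allowlist and the sample files are assumptions constructed for illustration. It also counts accounts whose primary group is the OSDBA group, which a look at the group file alone misses.

```shell
#!/bin/sh
# Added example: list accounts that gain OS authentication through a Unix group.
# Reads passwd/group-format files so it can run against saved copies offline.

# group_members GROUP GROUP_FILE PASSWD_FILE -> one user per line, sorted.
# Counts supplementary members (group file, field 4) AND users whose primary
# GID (passwd file, field 4) is the group's GID. Returns 2 if GROUP is unknown.
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 2
    {
        awk -F: -v g="$1" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# unexpected_members GROUP "ALLOWED USERS" GROUP_FILE PASSWD_FILE
# Prints members that are not on the space-separated allowlist.
unexpected_members() {
    members=$(group_members "$1" "$3" "$4") || return 2
    for u in $members; do
        case " $2 " in
            *" $u "*) ;;                 # approved account
            *) printf '%s\n' "$u" ;;     # can connect AS SYSDBA/SYSOPER unreviewed
        esac
    done
}

# Constructed sample data, not from a real host. 'dba' and 'oper' are assumed
# names for the OSDBA and OSOPER groups.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/group" <<'EOF'
dba:x:501:oracle,jsmith
oper:x:502:oracle,backup
users:x:100:
EOF
cat > "$demo/passwd" <<'EOF'
oracle:x:500:501:Oracle owner:/home/oracle:/bin/bash
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash
deploy:x:1002:501:Deploy account:/home/deploy:/bin/sh
backup:x:1003:100:Backup:/home/backup:/bin/sh
EOF
echo "Unapproved OSDBA members:"
unexpected_members dba "oracle" "$demo/group" "$demo/passwd"
```

On a live host, save the output of `getent group` and `getent passwd` to files and pass those, so that accounts from a directory service are included.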
Frequently Asked Questions:
1) My password is correct, or isn't it?
As a side effect seen in support practice, some customers report ORA-1017 for remote SYSDBA connections, assuming a certain password is correct 'because it works when connected to the host directly' when they did:
connect sys/somepassword as sysdba
while in fact 'somepassword' is incorrect and the ORA-1017 was justified. Please consider this possible misconception before reporting problems.
2) To what database am I connected anyway?
Be aware that if you connect to a remote database as a normal user, for example scott, and you subsequently do: connect / as sysdba the sqlplus client will not attempt to connect you to the same remote database, but to the local one. If you are not sure which database you are connected to, run this query:
SELECT NAME FROM V$DATABASE;