Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: How to make "connect sys as sysdba" asking for password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Fri, 25 Jun 2004 21:58:48 +1000
Message-ID: <40dc135b$0$18666$afc38c87@news.optusnet.com.au>

"charlie cs" <cfs3526(no-spam)@ureach.com> wrote in message news:VfUCc.7532$A9.3955_at_nwrdny01.gnilink.net...
> Hi group,
>
> I am using Oracle 9202 on Red-Hat Linux.
>
> In my company, everybody can sudo to ora92, which belongs to Oracle user
> group.
>
> And everybody can do "sqlplus /nolog", "connect sys as sysdba", when type
> password, I type anything, oracle will accept it, even though I set the
> password through "orapwd".
>
> What did I do wrong??

What is it you want to have happen?

You would like things so that if I type

connect sys/kjhgkjdhgkjhwe4oho8unskdnlkjk as sysdba

...Oracle says "that's not the right password!"?

If so, make sure you are using password file authentication. Then SYS can only log on by supplying the correct password as stored in the password file. If, on the other hand, you have set things up so that O/S authentication is in place, then of course Oracle will not complain however daft the password you supply. O/S authentication *means*: if the guy has connected as the relevant *operating system* user (which you have by being able to su - ora92 and supply the O/S password when prompted), then that is sufficient proof of his credentials, and Oracle won't bother even checking the password he supplies as part of a SQL connection string.

Operating System authentication is the default mechanism. If you want to turn it off, you have to make sure that the operating system user is not a member of the privileged O/S group (which in Unix/Linux is usually the dba group, or perhaps the oinstall group, depending on how you did your installation). So, check your /etc/groups file, and make adjustments as necessary. If you, the O/S user, are a member of that group, you don't need (and can't supply) a password to connect to an instance.

> some init parameters
>
> os_roles
> FALSE
>
> remote_os_authent
> FALSE

These parameters have absolutely nothing to do with enabling or disabling O/S authentication of privileged users on a local machine. Sort your O/S group memberships out if you want a password file authentication mechanism to apply.

HJR

Received on Fri Jun 25 2004 - 06:58:48 CDT
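An added example, not part of the original post: a shell function that lists which O/S accounts belong to the privileged group the reply describes, counting both supplementary members in the group file and accounts whose primary group it is. The group names dba and oinstall and the account ora92 come from the thread; the function name, the sample files and the other accounts are constructed, and the default paths /etc/group and /etc/passwd are the standard Linux locations.

```shell
#!/bin/sh
# Added example: list every O/S account that belongs to a group, either as a
# supplementary member (4th field of the group file) or because the group is
# the account's primary group (4th field of the passwd file).
# Usage: osdba_members GROUP [GROUP_FILE] [PASSWD_FILE]
osdba_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    awk -F: -v grp="$grp" '
        # First file (group database): remember the GID and print the
        # comma-separated supplementary members.
        FNR == NR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        # Second file (passwd database): print accounts whose primary GID
        # is the GID of the group.
        gid != "" && $4 == gid { print $1 }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data, not taken from any real host.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
dba:x:501:ora92,charlie
oinstall:x:502:ora92
users:x:100:alice
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ora92:x:500:502:Oracle owner:/home/ora92:/bin/bash
charlie:x:1001:100:Charlie:/home/charlie:/bin/bash
alice:x:1002:100:Alice:/home/alice:/bin/bash
backup:x:1003:501:Backup job:/home/backup:/bin/sh
EOF
for g in dba oinstall; do
    members=$(osdba_members "$g" "$sample_dir/group" "$sample_dir/passwd" | tr '\n' ' ')
    printf '%s: %s\n' "$g" "$members"
done
rm -rf "$sample_dir"
```

Called with only a group name, the function reads the live /etc/group and /etc/passwd. It does not show who can reach a listed account through sudo or su, which is how everybody in the original question ends up running as ora92.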
