Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: How to make "connect sys as sysdba" asking for password

Re: How to make "connect sys as sysdba" asking for password

From: Howard J. Rogers <>
Date: Fri, 25 Jun 2004 21:58:48 +1000
Message-ID: <40dc135b$0$18666$>

"charlie cs" <cfs3526(no-spam)> wrote in message news:VfUCc.7532$
> Hi group,
> I am using Oracle 9202 on Red-Hat Linux.
> In my company, everybody can sudo to ora92, which belongs to Oracle user
> group.
> And every body can do "sqlplus /nolog", "connect sys as sysdba", when
> password, I type anything, oracle will accept it, even though I set the
> password through "orapwd".
> What did I do wrong??

What is it you want to have happen?

You would like things so that if I type

connect sys/kjhgkjdhgkjhwe4oho8unskdnlkjk as sysdba

...Oracle says "that's not the right password!"?

If so, make sure you are using password file authentication. Then SYS can only log on by supplying the correct password as stored in the password file. If, on the other hand, you have set things up so that O/S authentication is in place, then of course Oracle will not complain however daft the password you supply. O/S authentication *means*: if they guy has connected as the relevant *operating system* user (which you have by being able to su - ora92 and supply the O/S password when prompted), then that is sufficient proof of his credentials, and Oracle won't bother even checking the password he supplies as part of a SQL connection string'

Operating System authentication is the default mechanism. If you want to turn it off, you have to make sure that the operating system user is not a member of the privileged O/S group (which in Unix/Linux is usually the dba group, or perhaps the oinstall group, depending on how you did your installation). So, check you /etc/groups file, and make adjustments as necessary. If you, the O/S user, are a member of that group, you don't need (and can't supply) a password to connect to an instance.

> some init parameters
> os_roles
> remote_os_authent
These parameters have absolutely nothing to do with enabling or disabling O/S authentication of privileged users on a local machine. Sort your O/S group memberships out if you want a password file authentication mechanism to apply.

HJR Received on Fri Jun 25 2004 - 06:58:48 CDT

Original text of this message