Authentication Methods for Oracle sysdba and sysoper

Source: Internet
Author: User

1. Oracle has two ways to authenticate sysdba/sysoper users:

1) Operating system level authentication: after logging on to the Oracle database host, an OS user in the right group can log on directly with sqlplus / as sysdba. On linux/unix this means users who belong to the dba group; on windows, users in the ORA_DBA group.

2) Remote authentication: password file authentication. You can use sqlplus sys/xxx@sid to log on from any host.

2. The two methods have their respective switches:

1) Switch for operating system level authentication: the SQLNET.AUTHENTICATION_SERVICES parameter in sqlnet.ora. When SQLNET.AUTHENTICATION_SERVICES = (NTS), where NTS stands for NT Security, OS authentication is used. If the value is NONE, operating system authentication is disabled and you must log on with usr/pwd as sysdba/sysoper.

2) Switch for password file authentication: the remote_login_passwordfile parameter in the spfile/pfile, which takes the following values:

remote_login_passwordfile = EXCLUSIVE: the password file is dedicated to one instance;

remote_login_passwordfile = SHARED: the password file can be shared by multiple instances (for OPS/RAC environments);

remote_login_passwordfile = NONE: the password file is not enabled. In this case, no sysdba/sysoper can be connected.

With remote_login_passwordfile = SHARED, more than one database can use a password file. However, the only user recognized by the password file is SYS.
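The two switches above can be checked together. The following is an added example, not code from the original page: a small Python audit that reads the text of sqlnet.ora and a pfile and reports which sysdba/sysoper login paths are enabled. The function names and sample file contents are constructed for illustration, and only the values this page describes are decided; anything else is reported as None (undetermined).

```python
import re

# Constructed sample inputs (not from the original page).
SAMPLE_SQLNET = "# sqlnet.ora\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
SAMPLE_PFILE = "*.db_name='ORCL'\n*.remote_login_passwordfile='EXCLUSIVE'\n"

def read_param(text, name):
    """Return the value of `name` as upper-case tokens, or None if unset.
    Assumptions: '#' starts a comment and the last occurrence is the one kept."""
    pattern = re.compile(r"(?:[\w*]+\.)?" + re.escape(name) + r"\s*=\s*(.*)$", re.I)
    tokens = None
    for line in text.splitlines():
        m = pattern.match(line.split("#", 1)[0].strip())
        if m:
            # Drop parentheses, quotes and commas: "(NTS)" -> ["NTS"]
            tokens = [t.upper() for t in re.findall(r"\w+", m.group(1))] or None
    return tokens

def sysdba_auth_paths(sqlnet_text, pfile_text):
    """Map the two switches to True (enabled), False (disabled) or None (undetermined)."""
    services = read_param(sqlnet_text, "SQLNET.AUTHENTICATION_SERVICES")
    pwfile = read_param(pfile_text, "remote_login_passwordfile")

    os_auth = None
    if services and "NTS" in services:
        os_auth = True           # OS group membership is enough, no password asked
    elif services == ["NONE"]:
        os_auth = False          # usr/pwd as sysdba/sysoper is required

    pw_auth = None
    if pwfile and pwfile[0] in ("EXCLUSIVE", "SHARED"):
        pw_auth = True           # remote logins are checked against the password file
    elif pwfile == ["NONE"]:
        pw_auth = False

    findings = []
    if os_auth:
        findings.append("OS auth on: review membership of the dba / ORA_DBA group")
    if pw_auth:
        findings.append("password file on: review grantees in v$pwfile_users")
    if os_auth is False and pw_auth is False:
        findings.append("both paths off: no sysdba/sysoper login is possible")
    return {"os_auth": os_auth, "password_file_auth": pw_auth, "findings": findings}

if __name__ == "__main__":
    print(sysdba_auth_paths(SAMPLE_SQLNET, SAMPLE_PFILE))
```
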

OS-level authentication takes precedence over password file authentication. Each of the two authentication methods can be enabled or disabled, and both can be enabled at the same time, as shown in the figure below:

3. Password File:

1) Generate and recreate the password file

orapwd file=filename password=password entries=max_users

file: Name of the password file (mandatory)

password: The password for SYSOPER and SYSDBA (mandatory)

entries: The maximum number of distinct users allowed to connect as SYSDBA or SYSOPER. If you exceed this number, you must create a new password file. It is safer to have a larger number.

There are no spaces around the equal-to (=) character.

On windows, the default location of the password file is the ora92/database directory, and the default file name is pwdSID. On linux, it is located in the $ORACLE_HOME/dbs directory by default, and the default file name is orapwSID; other file names are not recognized.

2) Maintenance and query of password file users

Run grant sysdba/sysoper to user. Oracle automatically adds an entry for the user to the password file and copies the password.

Run select * from v$pwfile_users to view the users in the password file.

For example:

SQL> grant sysdba to scott;

Grant succeeded

SQL> select * from v$pwfile_users;

USERNAME SYSDBA SYSOPER SYSASM
-------------------------------------------------
SYS TRUE FALSE
SCOTT TRUE FALSE
