2009/01/21

Some Notes about Password File and OS Authentication

1. To let a remote user log in to the database as SYSDBA, a password file must be created and REMOTE_LOGIN_PASSWORDFILE must be set to a value other than NONE.

2. In 9i, the possible values for REMOTE_LOGIN_PASSWORDFILE are NONE, SHARED and EXCLUSIVE. In 10g, EXCLUSIVE still works for backwards compatibility, but it now behaves just like SHARED. Quoting the documentation:

9i
# NONE
Oracle ignores any password file. Therefore, privileged users must be authenticated by the operating system.
# SHARED
More than one database can use a password file. However, the only user recognized by the password file is SYS.
# EXCLUSIVE
The password file can be used by only one database and the password file can contain names other than SYS.

10g
# NONE
Oracle ignores any password file. Therefore, privileged users must be authenticated by the operating system.
# SHARED
One or more databases can use the password file. The password file can contain SYS as well as non-SYS users.

3. "GRANT sysdba TO user" adds an entry (username and password) to the password file, so that the remote user can log in to the database as SYSDBA. The remote users in the password file are listed in V$pwfile_users. Oracle checks the password in the password file to verify the remote user's identity. Every time the user's password is set, the new password is written to the password file and replaces the old one.

4. ANYONE in the dba group (whatever group you used upon install) is permitted to connect locally "as sysdba".

5. OS authentication allows Oracle to pass control of user authentication to the operating system. Non-privileged OS authentication connections take the following form.

sqlplus /
sqlplus /@service

Use the following command to enable OS authentication for a user.
CREATE USER ops$username IDENTIFIED EXTERNALLY;
* The ops$ prefix can be checked with "SHOW PARAMETER os_authent_prefix".

Refer to "Problem to connect as SYSDBA" on asktom.oracle.com for a detailed explanation.
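
The SQL*Plus script below is an added example, not part of the original notes. It reviews the settings from points 1, 3 and 5 and shows a password file entry appearing and disappearing. It assumes a 9i/10g test instance, a session connected AS SYSDBA, and a password file setting that permits non-SYS entries (point 2); PWFILE_DEMO and its password are constructed placeholders.

```sql
-- Added example: review who can authenticate as SYSDBA/SYSOPER and which
-- accounts rely on OS authentication. Run on a test instance only.

-- Point 1: with NONE the password file is ignored and privileged users
-- must be authenticated by the operating system.
SHOW PARAMETER remote_login_passwordfile

-- Point 3: every account currently held in the password file.
-- Anything other than SYS here is an account to justify.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- Point 3 in action: GRANT SYSDBA writes an entry to the password file.
-- PWFILE_DEMO and its password are placeholders (assumption).
CREATE USER pwfile_demo IDENTIFIED BY "Change_me_1";
GRANT SYSDBA TO pwfile_demo;

SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE username = 'PWFILE_DEMO';

-- Revoking the privilege takes the entry out again; confirm before
-- dropping the demo account.
REVOKE SYSDBA FROM pwfile_demo;

SELECT COUNT(*) AS demo_entries
  FROM v$pwfile_users
 WHERE username = 'PWFILE_DEMO';

DROP USER pwfile_demo;

-- Point 5: the prefix Oracle puts in front of the OS user name, and the
-- accounts created with IDENTIFIED EXTERNALLY. In 9i/10g DBA_USERS shows
-- the literal EXTERNAL in the PASSWORD column for such accounts.
SHOW PARAMETER os_authent_prefix

SELECT username, account_status
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;
```

Point 4 is not visible from inside the database: membership of the dba group has to be reviewed on the operating system itself.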
