SYSDBA connections are always authenticated externally, this is either by OS authentication when the Unix or Windows user needs to be in a special group or using the passwordfile, these features can work without a running instance, for remote connections (if correctly configured) the listener will access the passwordfile to verify the credentials,
Harm ten Napel
authentication for sysdba as follows:
1. if you try to login remotely using tns names as sysdba, oracle will authenticate you using the password file.
2. if you try to login locally from the server to the database as sysdba, oracle will use O.S authentication to authenticate you (that is mean if your O.S user is part of O.S DBA group, you can login to the database locally without user/password as sysdba.
Its via OS authentication if you are on the machine where DB is installed...
or via password file (created via orapwd utility) if you are trying logging remotely... OR on local machine too (where DB is installed), you can try logging in with a user other than sys, as long as that user is present in the password file... i.e. that user has been given grant as sysdba..
The sqlplus client can access the database instance even without the need for a running listener. When the instance is down, the sqlplus client can access database files directly for the purpose of starting and stopping the instance. Authentication in this case is performed by the operating system and permissions are set at the file system. In this case authentication is not performed by the database but determined by the OSDBA group, which name is compiled and linked into the oracle application binary. When the name matches the group name of the OS user account, access is granted.
Keep in mind that access as SYSDBA are always on only connecting to the SYS database schema, hence the login is " / as sysdba" meaning you omit username and password authentication - in fact you specify anything as usename and password. When using remote access (not ssh), OS authentication is done by the oracle password file to prevent unsolicited access and having to transfer the SYS password via the network connection.