Re: Re: User equiv and "oracle" lockdown

  • From: Alessandro Vercelli <alever22@xxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2014 17:49:45 +0200

Anyway, trying to find a nexus of different points of view (Sysadmin and DBA), 
I'd configure pattern-selective passwordless ssh for the oracle users of 
those specific hosts.

In detail, in the sshd_config file it's possible to put directives like:

# Disable Public Key auth
PubkeyAuthentication no

At the end of the file, the last directive:

# Enable Public Key auth only for the oracle user connecting from specific host(s).
# Match takes separate criteria: "User oracle@racnode" is not a valid Match pattern
# (the user@host form belongs to AllowUsers), so combine User with Host instead.
# Host matches the client's reverse-DNS name; use Address for an IP or CIDR range.
Match User oracle Host racnode
      PubkeyAuthentication yes

More details:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config
https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html


Alessandro
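As an added example (not part of Alessandro's post or of OpenSSH), the following Python resolves a directive the way sshd does for a given login, so a config in the shape above (global PubkeyAuthentication no, a Match block re-enabling it for oracle from the RAC nodes) can be checked before it is deployed. The config text and the host names racnode1/racnode2 are constructed; on a live box the equivalent check is `sshd -T -C user=oracle,host=<client>,addr=<ip>`.

```python
import fnmatch
import ipaddress

# Constructed sshd_config mirroring the post: public-key auth is disabled
# globally and re-enabled only for user oracle coming from the RAC nodes.
SAMPLE_CONFIG = """\
PubkeyAuthentication no
Match User oracle Host racnode1,racnode2
    PubkeyAuthentication yes
"""

def parse_sshd_config(text):
    """Split into (global_settings, [(criteria, settings), ...]); first value wins, as in sshd."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments
        if not parts:
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # criteria arrive as "Name pattern" pairs
            tokens = value.split()
            criteria = dict(zip([t.lower() for t in tokens[::2]], tokens[1::2]))
            current = {}
            blocks.append((criteria, current))
        else:
            (global_settings if current is None else current).setdefault(key, value)
    return global_settings, blocks

def _criterion_matches(name, actual, pattern_list):
    """One Match criterion (user/host/address) against a comma-separated list."""
    for pattern in pattern_list.split(","):
        if name == "address":
            try:  # CIDR pattern such as 10.1.1.0/24
                if ipaddress.ip_address(actual) in ipaddress.ip_network(pattern, strict=False):
                    return True
            except ValueError:
                pass  # not CIDR: fall through to wildcard matching
        if fnmatch.fnmatchcase(actual, pattern):
            return True
    return False

def effective_value(config_text, keyword, user, host, address="0.0.0.0"):
    """Value sshd applies: first matching Match block that sets keyword wins, else the global."""
    global_settings, blocks = parse_sshd_config(config_text)
    client, keyword = {"user": user, "host": host, "address": address}, keyword.lower()
    for criteria, settings in blocks:
        if keyword in settings and all(n in client and _criterion_matches(n, client[n], p)
                                       for n, p in criteria.items()):
            return settings[keyword]
    return global_settings.get(keyword)
```

Pattern negation with "!" and criteria other than User, Host and Address are not modelled; a block using them is treated as not matching, which errs on the side of the global "no".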

---- On Tue, 23 Sep 2014 10:09:52 +0200  Dimitre Radoulov 
<cichomitiko@xxxxxxxxx> wrote ---- 

> On 23/09/2014 09:27, Niall Litchfield wrote:
>
> > I guess I'm struggling to understand what the issue is here. User
> > equivalence or passwordless ssh is required for a supported
> > installation. Arguing about what may or may not break is surely
> > beside the point.
>
> I completely agree with Niall. In my opinion, if the software vendor
> is asking you to do something and the security team disagrees,
> they should ask the vendor (Oracle), not you, to fix it.
>
> > On 22 Sep 2014 20:29, "Herring, David" <HerringD@xxxxxxx> wrote:
> >
> > > Does anyone know all areas where user equivalency for the
> > > account "oracle" is necessary in a RAC system, let's say 11g and
> > > above on Linux RH?
> > >
> > > The reason I ask is that our security team is now refusing to
> > > have this set up and even though I passed snippets from Oracle
> > > doc which states "it must be set", they're balking and sending
> > > snippets from RedHat doc saying that's unwise.


--
//www.freelists.org/webpage/oracle-l
