Re: Re: User equiv and "oracle" lockdown

From: Alessandro Vercelli <alever22_at_zoho.com>
Date: Wed, 24 Sep 2014 17:49:45 +0200
Message-ID: <148a85aa445.10d30083c199070.8157387746160080782_at_zoho.com>



Anyway, trying to find a nexus of the different points of view (sysadmin and DBA), I'd configure pattern-selective passwordless ssh for the oracle users of those specific hosts.

In detail, in the sshd_config file it's possible to put some directives like:

# Disable Public Key auth
PubkeyAuthentication no

At the end of the file, the last directive:

# Enable Public Key auth only from specific users/host(s).
# Match User takes user names only (no user@host form), so the host is its own criterion.
Match User oracle Host racnode
      PubkeyAuthentication yes

More details:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config
https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html

Alessandro

On Tue, 23 Sep 2014 10:09:52 +0200 Dimitre Radoulov <cichomitiko_at_gmail.com> wrote:

>
> On 23/09/2014 09:27, Niall Litchfield wrote:
>
> > I guess I'm struggling to understand what the issue is here. User equivalence or passwordless ssh is required for a supported installation. Arguing about what may or may not break is surely beside the point.
>
>
> I completely agree with Niall. In my opinion, if the software vendor is asking you to do something and the security team disagrees,
> they should ask the vendor (Oracle), not you, to fix it.
>
> > On 22 Sep 2014 20:29, "Herring, David" <HerringD_at_dnb.com> wrote:
> > > Does anyone know all areas where user equivalency for the account "oracle" is necessary in a RAC system, let's say 11g and above on Linux RH?
> > >
> > > The reason I ask is that our security team is now refusing to have this set up and even though I passed snippets from Oracle doc which states "it must be set", they're balking and sending snippets from RedHat doc saying that's unwise.


--
http://www.freelists.org/webpage/oracle-l
Received on Wed Sep 24 2014 - 17:49:45 CEST
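
An added example, not part of the original message: a small Python model of how sshd resolves PubkeyAuthentication when the global section disables it and a Match block re-enables it (first value per keyword wins, and a matching Match block overrides the global section). The host names racnode1, racnode2 and jumphost are assumptions, only the User, Host and Address criteria are modelled, and "host" stands for the client name as sshd resolved it.

```python
import fnmatch

# Constructed sample configs; host names racnode1/racnode2 are assumptions.
GLOBAL = "PubkeyAuthentication no\n"
BROKEN = GLOBAL + "Match User oracle@racnode1\n    PubkeyAuthentication yes\n"
FIXED = GLOBAL + "Match User oracle Host racnode1,racnode2\n    PubkeyAuthentication yes\n"

def pattern_list_match(value, patterns):
    """ssh pattern list: comma-separated, '*' and '?' wildcards, '!' negates."""
    hit = False
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(value, pat.lstrip("!")):
            if pat.startswith("!"):
                return False      # a negated hit vetoes the whole list
            hit = True
    return hit

def effective(config, keyword, conn, default="yes"):
    """Value applied for `keyword` to conn = {"user", "host", "address"};
    criteria absent from conn (Group, LocalPort, ...) never match in this model."""
    global_val = match_val = None
    in_match, active = False, False
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            in_match = True
            criteria = list(zip(args[0::2], args[1::2]))
            active = [a.lower() for a in args[:1]] == ["all"] or (bool(criteria) and all(
                pattern_list_match(conn.get(c.lower(), ""), p) for c, p in criteria))
        elif key == keyword.lower() and args:
            if not in_match:
                global_val = global_val or args[0]   # first global value wins
            elif active:
                match_val = match_val or args[0]     # first matching block wins
    return match_val or global_val or default        # Match overrides global

def user_at_host_patterns(config):
    """Match User patterns containing '@'; sshd compares them to the login name only."""
    found = []
    for raw in config.splitlines():
        w = raw.split()
        if len(w) >= 3 and w[0].lower() == "match":
            found += [p for c, p in zip(w[1::2], w[2::2]) if c.lower() == "user" and "@" in p]
    return found
```

On a real host, `sshd -T -C user=oracle,host=racnode1,addr=<client address>` prints the settings sshd itself would apply to that connection.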
