
Re: SSH and Oracle on Unix

From: Richard Hoffbeck <rwh_at_visi.com>
Date: 1998/03/21
Message-ID: <MPG.f7d98b41c898be4989688@news.visi.com>#1/1

[This followup was posted to comp.databases.oracle.server and a copy was sent to the cited author.]

In article <3511A3E5.148A_at_nowhere.ca>, tsbsps_at_nowhere.ca says...
> Seems my OS group wants to secure Unix from ourselves and want to
> implement SSH, Secure Shell. Does anyone have this in place with Oracle
> working? I can't get SQL-net and thus Enterprise Manager connecting to
> a test server with SSH. Regular Telnet and FTP have been disabled. Any
> help would be appreciated, please post to the newsgroup.

I've used it to secure client->server connections with no problems. The big gotcha is that it isn't going to work (at least easily) if you are running in multi-threaded server mode.

If you aren't using MTS, set up ssh to forward a connection on a specific port on the local machine to the port that sql*net is listening to on the target machine. Then modify the tnsnames.ora file on the local machine so that it shows the server being located on the local machine and listening on the port specified in the first step.

Now to make a connection, log into the target machine (or any machine that can see the target machine) using ssh. Once the connection is made you can start using your Oracle apps. When you reference the server your Oracle app asks sql*net to open a connection to the instance by sending a request to (localhost, localport). ssh intercepts this request, encrypts the contents, forwards it to the ssh service on the target machine, which decrypts it and forwards it on to the sql*net port on the target machine.

In practice it is a lot easier than it sounds and ssh is fairly solid. In my last job I set up a couple of encrypted tunnels in remote locations. It appeared to the apps that the database resided on the local end of the tunnel while the actual communications were encrypted, sent via the internet to an ssh service on our firewall and then forwarded on to the actual database service. Worked like a champ and it was incredibly cheap -- the whole thing ran on an old 486 running linux; although, if you're going to be running a large number of sessions a machine with a bit more horsepower would probably be a good idea.

--rick

Received on Sat Mar 21 1998 - 00:00:00 CST
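The two steps the reply describes (an ssh local port forward to the listener, and a tnsnames.ora entry that points the client at the local end of that forward) written out as a small shell helper. This is an added example, not code from the original post; the hostname, unix account, ports and SID are assumed placeholder values, and the listening-port check is a convenience added here. The MTS caveat in the reply comes from the dispatcher redirect: with multi-threaded server the listener tells the client to reconnect to a dispatcher port, and that second connection goes around the tunnel, which is why the dedicated-server configuration is the one that tunnels cleanly.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ssh forward and the
# matching tnsnames.ora entry for a dedicated-server (non-MTS) listener.
# All values below are assumed placeholders; override them via the environment.

LOCAL_PORT="${LOCAL_PORT:-1521}"        # port the sql*net client dials on the workstation
DB_HOST="${DB_HOST:-dbhost.example}"    # assumed name of the machine running the listener
DB_PORT="${DB_PORT:-1521}"              # port the listener is on at the target
SSH_USER="${SSH_USER:-oracle}"          # assumed unix account on the target
SERVICE="${SERVICE:-ORCL}"              # assumed SID of the instance

# Step 1: the ssh command that opens the tunnel. -N means "no remote shell,
# just forward". The forward terminates on 127.0.0.1 as seen from the target,
# so the listener only ever accepts a local connection; nothing from the
# workstation has to reach the sql*net port directly.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$DB_PORT" "$SSH_USER" "$DB_HOST"
}

# Step 2: the tnsnames.ora alias. HOST is the local machine and PORT is the
# local end of the forward, exactly as the reply describes.
tns_entry() {
    printf '%s_TUNNEL =\n' "$SERVICE"
    printf '  (DESCRIPTION =\n'
    printf '    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = %s))\n' "$LOCAL_PORT"
    printf '    (CONNECT_DATA = (SID = %s))\n' "$SERVICE"
    printf '  )\n'
}

# Quick check before starting the Oracle client: returns 0 when something is
# listening on the local forward port. A client "connection refused" against
# the alias almost always means the ssh session has gone away.
tunnel_up() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127.0.0.1:${LOCAL_PORT} "
    else
        netstat -an 2>/dev/null | grep -q "127.0.0.1[.:]${LOCAL_PORT} .*LISTEN"
    fi
}
```

Run `tunnel_cmd` to see the exact ssh invocation to start in a separate session, append the output of `tns_entry` to the client's tnsnames.ora, and call `tunnel_up` before launching SQL*Net tools against the `ORCL_TUNNEL` alias. Keeping the forward bound to 127.0.0.1 on the workstation matters: a forward bound to all interfaces would let any host on the local network ride the tunnel into the listener.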
