Re: Restricting user logins
Honored Contributor
Andrew Young_2
Posts: 504
Registered: ‎01-01-2003
Message 1 of 6 (93 Views)
Accepted Solution

Restricting user logins

Hi.

We've just had our annual visit from our (adjectives deleted) auditors and they want to restrict the ability of the oracle user to log in directly, but our DBAs must be able to su to that account if needed, so a shell account is required. Any ideas on how to do this?

Regards

Andrew Young
Si hoc legere scis, nimis eruditionis habes
Honored Contributor
RAC_1
Posts: 5,920
Registered: ‎03-21-2002
Message 2 of 6 (93 Views)

Re: Restricting user logins

A combination of sudo and TCP wrappers will do it. You can use your own user for direct login and then sudo to control su to the oracle account. The /etc/default/security file can also control a few things; see man 4 security.
There is no substitute to HARDWORK
Frequent Advisor
Burak Topal
Posts: 44
Registered: ‎06-11-2009
Message 3 of 6 (93 Views)

Re: Restricting user logins

Hi,

You have to add this line to your "sshd_config" file:

DenyUsers oracle

then restart the service:

/sbin/init.d/secsh stop
/sbin/init.d/secsh start

and finally, you have to add the DBA user to your sudoers file
with the permission to su to oracle...
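
The sudo half of the two replies above, written out as a sudoers fragment. This is an added example, not posted in the thread: the user names alice and bob and the su path /usr/bin/su are assumptions. The unrestricted rule is shown first, commented out, because it is the one most people write and it hands the DBAs a root shell via "sudo su -", which is the opposite of what the auditors asked for.

```sudoers
# Added example, not from the thread. Edit /etc/sudoers with visudo.
# User names alice/bob and the path /usr/bin/su are assumptions.

# WEAK: su with any arguments, so "sudo su -" gives root and
# "sudo su anyuser" gives any other account.
# alice, bob ALL = (root) /usr/bin/su

# RESTRICTED: exactly one command, a login shell as oracle.
User_Alias  DBAS      = alice, bob
Cmnd_Alias  SU_ORACLE = /usr/bin/su - oracle
DBAS  ALL = (root) SU_ORACLE
```

With this rule a DBA runs "sudo /usr/bin/su - oracle" and nothing else: sudo matches the arguments literally, so "sudo su oracle" (no "-") or "sudo su - oracle -c somecommand" is refused unless listed. "sudo -l" as the DBA shows what the rule grants. Two caveats: root can still su to oracle without sudo, and DenyUsers in sshd_config only stops SSH logins, so any console, telnet or rlogin access to the box still needs the TCP wrapper and /etc/default/security controls mentioned in the earlier reply.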

Trusted Contributor
gstonian
Posts: 208
Registered: ‎08-16-2005
Message 4 of 6 (93 Views)

Re: Restricting user logins

Try the following in /etc/profile with allowed user IDs in the file /etc/su_allow_oracle.txt

# tty of this session, in the form w prints it (e.g. pts/1 or tty0p1)
TTY=$(tty | sed 's,^/dev/,,')
# login name of the user on that tty: the account that ran su, not oracle
USER_TTY=$(w | awk -v tty="$TTY" '$2 == tty { print $1 }')

# -x forces a whole-line match, so "bob" in the allow file does not also admit "bobby"
if [ -n "$USER_TTY" ] && [ "$(whoami)" = "oracle" ] && ! grep -qx "$USER_TTY" /etc/su_allow_oracle.txt
then
    echo
    echo "************************************************************"
    echo "This account ($USER_TTY) is not permitted to su into oracle."
    echo "************************************************************"
    echo
    sleep 5
    exit
fi
Honored Contributor
Andrew Young_2
Posts: 504
Registered: ‎01-01-2003
Message 5 of 6 (93 Views)

Re: Restricting user logins

Hi

Burak I was thinking of going with your suggestion but was wondering if there is anything in PAM that would do something similar.

Thanks for the other suggestions as well.

AY
Si hoc legere scis, nimis eruditionis habes
Frequent Advisor
Burak Topal
Posts: 44
Registered: ‎06-11-2009
Message 6 of 6 (93 Views)

Re: Restricting user logins

Andrew,

I did not know of a way with PAM that can overcome this issue and could not find any useful document about how to configure PAM.
You may look at the following link; there are some other ways discussed, like changing the oracle password.

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1257167203491+28353475&...