
Restricting user logins

SOLVED
Honored Contributor

Restricting user logins

Hi.

We've just had our annual visit from our (adjectives deleted) auditors and they want to restrict the ability of the oracle user to log in directly, but our DBAs must be able to su to that account if needed, so a shell account is required. Any ideas on how to do this?

Regards

Andrew Young
Si hoc legere scis, nimis eruditionis habes
1 ACCEPTED SOLUTION
Frequent Advisor

Re: Restricting user logins

Hi,

You have to add this line to your "sshd_config" file:

DenyUsers oracle

then restart the service:

/sbin/init.d/secsh stop
/sbin/init.d/secsh start

and finally, you have to add the DBA user to your sudoers file
with permission to su oracle...

5 REPLIES
Honored Contributor

Re: Restricting user logins

A combination of sudo and tcp wrappers will do it. You can use tcp wrappers for direct login and then sudo to control su to the oracle account. The /etc/default/security file can also control a few things. man 4 security.
There is no substitute to HARDWORK
Trusted Contributor

Re: Restricting user logins

Try the following in /etc/profile with the allowed user IDs in the file /etc/su_allow_oracle.txt

# Terminal of this session (e.g. pts/ta) and, from "w", the account that logged
# in on it, i.e. the user who ran "su - oracle".
TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
USER_TTY=`w | awk -v tty="$TTY" '$2 == tty {print $1}'`

# Deny the login shell unless that originating user is listed, one login name
# per line, in /etc/su_allow_oracle.txt. grep -x matches whole lines only, so
# an entry "bob" does not also authorize "bobby".
if [ -n "$USER_TTY" ] && [ "$(whoami)" = "oracle" ] && ! grep -qx "$USER_TTY" /etc/su_allow_oracle.txt
then
echo
echo "************************************************************"
echo "This account ($USER_TTY) is not permitted to su into oracle."
echo "************************************************************"
echo
sleep 5
exit
fi
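The same origin check, as an added example that is not the poster's code: the tty lookup and allow-list match are factored into functions and run against a constructed "w" listing, so the logic (including the whole-line match and the unknown-tty case) can be exercised without a live oracle session. The user names, tty names and the temporary allow-list path are constructed.

```shell
#!/bin/sh
# Added example: the /etc/profile gate above, factored into functions that are
# exercised against constructed "w" output instead of the live session.

# Constructed HP-UX style "w" output: two header lines, then one line per session.
SAMPLE_W='  3:14pm  up 12 days,  2 users,  load average: 0.10, 0.08, 0.05
User     tty      login@  idle   JCPU   PCPU  what
bob      pts/ta   2:58pm         0:01   0:01  -sh
bobby    pts/tb   3:01pm         0:02   0:02  su - oracle'

# Constructed allow list (stands in for /etc/su_allow_oracle.txt): one login per line.
ALLOW_FILE=${TMPDIR:-/tmp}/su_allow_oracle.$$
printf 'bob\ndba1\n' > "$ALLOW_FILE"
trap 'rm -f "$ALLOW_FILE"' 0

# Print the login name that owns tty $1 according to "w" output read from stdin.
# The tty column is compared whole, never as a substring; nothing is printed
# for a tty that has no session.
owner_of_tty() {
    awk -v tty="$1" 'NR > 2 && $2 == tty { print $1; exit }'
}

# Exit 0 if the owner of tty $1 is listed in allow file $2 (stdin = "w" output).
# grep -x matches whole lines, so "bob" does not authorize "bobby".
su_origin_allowed() {
    user=`owner_of_tty "$1"`
    [ -n "$user" ] && grep -qx "$user" "$2"
}

# Demonstration: bob (pts/ta) is listed, bobby (pts/tb) is not.
printf '%s\n' "$SAMPLE_W" | su_origin_allowed pts/ta "$ALLOW_FILE" && echo "pts/ta: allowed"
printf '%s\n' "$SAMPLE_W" | su_origin_allowed pts/tb "$ALLOW_FILE" || echo "pts/tb: denied"
```

Because /etc/profile is only read by login shells, this gate applies to "su - oracle" and not to a plain "su oracle", so the sudoers rule from the accepted answer remains the actual enforcement point.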
Honored Contributor

Re: Restricting user logins

Hi

Burak, I was thinking of going with your suggestion but was wondering if there is anything in PAM that would do something similar.

Thanks for the other suggestions as well.

AY
Si hoc legere scis, nimis eruditionis habes
Frequent Advisor

Re: Restricting user logins

Andrew,

I did not know of a way with PAM that can overcome this issue and could not find any useful document about how to configure PAM.
You may look at the following link; there are some other ways discussed, like changing the oracle password...

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1257167203491+28353475&...