topic Re: Restricting user logins in Operating System - HP-UX

Restricting user logins

Andrew Young_2 — Mon, 02 Nov 2009 09:52:36 GMT

Hi.

We've just had our annual visit from our (adjectives deleted) auditors and they want to restrict the ability of the oracle user to login directly, but our DBA's must be able to su to that account if needed, so a shell account is required. Any ideas on how to do this?

Regards

Andrew Young

Re: Restricting user logins

RAC_1 — Mon, 02 Nov 2009 10:27:40 GMT

Combination of sudo and tcp wrappers will do it. you can user for direct login and then sudo to control su to oracle account. /etc/default/security file can also control few things. man 4 security.

Re: Restricting user logins

Burak Topal — Mon, 02 Nov 2009 12:51:57 GMT

Hi,

You have to add this line to your "sshd_config" file;

DenyUsers oracle

then restart the service;

/sbin/init.d/secsh stop
/sbin/init.d/secsh start

and finally, you have to add DBA user to your sudoers file
with the permission to su oracle...

Re: Restricting user logins

gstonian — Mon, 02 Nov 2009 12:52:01 GMT

Try the following in /etc/profile with allowed user id's in the file /etc/su_allow_oracle.txt

TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
USER_TTY=`w | awk '(\$2=="'$TTY'"){print \$1}'`

if [ -n "$USER_TTY" ] && [ $(whoami) = "oracle" ] && [ $(grep -q $USER_TTY /etc/su_allow_oracle.txt; echo $?) != 0 ]
then
echo
echo "************************************************************"
echo "This account ($USER_TTY) is not permitted to su into oracle."
echo "************************************************************"
echo
sleep 5
exit
fi

Re: Restricting user logins

Andrew Young_2 — Mon, 02 Nov 2009 12:56:46 GMT

Hi

Burak I was thinking of going with your suggestion but was wondering if there is anything in PAM that would do something similar.

Thanks for the other suggestions as well.

AY

Re: Restricting user logins

Burak Topal — Mon, 02 Nov 2009 13:40:03 GMT

Andrew,

i did not know the way about PAM which can overcome this issue and could not find any useful document about how to configure PAM.
You may look at the following link, there are some other ways discussed like changing oracle password..

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1257167203491+28353475&threadId=1121876