The Delphix account is the same as any other Linux/Unix user account. However, the Delphix Engine will use this user to execute certain commands via SSH. For Linux/Unix environments, there are several steps that you can take to secure the Delphix OS user (delphix_os). From the Delphix Engine, you can configure the OS user to use public key authentication (PKA) instead of password authentication. Doing so has several benefits: first, it protects the account from being affected by any routine password changes which are sometimes required in security conscious environments. Secondly, once PKA is enabled you can disable password authentication for the user, which reduces the risk of unauthorized users who have gained access to the password to logging in to your servers.
To configure public key authentication, login to your Delphix Engine as a Delphix Administrator (delphix_admin or another admin enabled account). Go to Manage -> Environments to modify an existing Environment, and select it from the list of environments. Under Basic Information->Environment Users, click on the name of the user then click on the pencil icon to edit the user. Change the Login Type from Password to Public Key then click the View Public Key link. Delphix will provide you with a public ssh key that will be used to create any ssh connections from the Delphix Engine to your environment. Follow the instructions in the screen that pops up to copy and paste the public key to your source (or target) host, using the delphix OS user account. Click on the “Yes” button when done, then click the checkmark to save the changes. If you are adding a new environment, you would enter the new environment information and select Public Key as the Login type and follow the steps to copy the public key to the delphix user ~/.ssh/authorized_keys file.
Now that PKA has been configured for this user, you can disable password authentication using SSH. For example, in Linux environments, the system administrator can disable password authentication for the delphix user by editing the /etc/ssh/sshd_config file by including the lines below - where delphix_os is the OS account for the Delphix user on the source.
Match User delphix_os
PasswordAuthentication no
Since the Delphix user is similar to any other Linux/Unix account you can login via SSH and sudo/su to the user to perform any tasks you wish after configuring sudo privileges.
Here’s an example of using visudo to allow a user named jdoe to sudo to the delphix_os user.
jdoe ALL=(delphix_os,oracle) ALL
Once logged in as jdoe I can switch to the delphix_os or Oracle user.
[jdoe@prod ~]$ sudo -u delphix_os -i
[sudo] password for jdoe:
-bash-4.1$ id
uid=54322(delphix_os) gid=54321(oinstall) groups=54321(oinstall),54322(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023