How do I secure the delphix OS user account?

  • Question
  • Updated 3 years ago
  • Answered
In my organization, we have security policies which restrict direct login to admin operating system (OS) accounts in production. Since the delphix OS user (we use delphix_os) has the same privileges as the Oracle OS user, how can I set up the delphix OS account so that I can sudo or su using my personal account?

Thom T


Posted 3 years ago


Leighton Nelson, Employee


The Delphix account is the same as any other Linux/Unix user account. However, the Delphix Engine will use this user to execute certain commands via SSH. For Linux/Unix environments, there are several steps that you can take to secure the Delphix OS user (delphix_os). From the Delphix Engine, you can configure the OS user to use public key authentication (PKA) instead of password authentication. Doing so has several benefits: first, it protects the account from being affected by any routine password changes which are sometimes required in security-conscious environments. Second, once PKA is enabled you can disable password authentication for the user, which reduces the risk of unauthorized users who have gained access to the password logging in to your servers.

To configure public key authentication, log in to your Delphix Engine as a Delphix Administrator (delphix_admin or another admin-enabled account). Go to Manage -> Environments to modify an existing Environment, and select it from the list of environments. Under Basic Information -> Environment Users, click on the name of the user, then click on the pencil icon to edit the user. Change the Login Type from Password to Public Key, then click the View Public Key link. Delphix will provide you with a public SSH key that will be used to create any SSH connections from the Delphix Engine to your environment. Follow the instructions on the screen that pops up to copy and paste the public key to your source (or target) host, using the delphix OS user account. Click on the “Yes” button when done, then click the checkmark to save the changes. If you are adding a new environment, you would enter the new environment information, select Public Key as the Login Type, and follow the steps to copy the public key to the delphix user's ~/.ssh/authorized_keys file.

Now that PKA has been configured for this user, you can disable password authentication using SSH. For example, in Linux environments, the system administrator can disable password authentication for the delphix user by editing the /etc/ssh/sshd_config file to include the lines below, where delphix_os is the OS account for the Delphix user on the source.

Match User delphix_os
   PasswordAuthentication no

Since the Delphix user is similar to any other Linux/Unix account, you can log in via SSH and sudo/su to the user to perform any tasks you wish after configuring sudo privileges.

Here’s an example of using visudo to allow a user named jdoe to sudo to the delphix_os user.

jdoe        ALL=(delphix_os,oracle)    ALL

Once logged in as jdoe I can switch to the delphix_os or Oracle user.

[jdoe@prod ~]$ sudo -u delphix_os -i
[sudo] password for jdoe:
-bash-4.1$ id
uid=54322(delphix_os) gid=54321(oinstall) groups=54321(oinstall),54322(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(Edited)
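
A check for the Match block described in the answer above, as an added example that is not part of the original answer or of any Delphix tooling: it reads an sshd_config-style file and reports the PasswordAuthentication value that applies to one user. The function names and the sample config are constructed for illustration, and only `Match User` with exact, comma-separated names is handled (no wildcards, no other Match criteria, no `Keyword=value` syntax).

```shell
#!/bin/sh
# Added example: effective PasswordAuthentication for one user, computed from
# an sshd_config-style file. Assumption: only "Match User a,b" with exact names.

effective_password_auth() {
    # $1 = config file, $2 = user name
    awk -v user="$2" '
        BEGIN { in_match = 0; applies = 0; glob = ""; matched = "" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        {
            key = tolower($1)                         # keywords are case-insensitive
            if (key == "match") {
                # A Match block runs until the next Match line or end of file
                in_match = 1; applies = 0
                if (tolower($2) == "user") {
                    n = split($3, names, ",")
                    for (i = 1; i <= n; i++) if (names[i] == user) applies = 1
                }
                next
            }
            if (key != "passwordauthentication") next
            val = tolower($2)
            # sshd keeps the first value obtained for a keyword
            if (in_match) { if (applies && matched == "") matched = val }
            else if (glob == "") glob = val
        }
        END {
            if (matched != "") print matched          # Match block overrides global
            else if (glob != "") print glob
            else print "yes"                          # OpenSSH default
        }
    ' "$1"
}

# Constructed sample: a global setting followed by the Match block from the answer.
sample_config() {
    cat <<'EOF'
# constructed sshd_config excerpt
PasswordAuthentication yes
Match User delphix_os
   PasswordAuthentication no
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
for u in delphix_os jdoe; do
    printf '%s: PasswordAuthentication %s\n' "$u" "$(effective_password_auth "$cfg" "$u")"
done
rm -f "$cfg"
```

On the host itself, `sshd -T` with a `-C` connection specification for user delphix_os, run as root, prints the values sshd would actually apply; older OpenSSH releases also require host and addr in that specification.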

Thom T

Thanks for the quick response.