When installing Exadata, security is tightened once the last few onecommand steps around ResecureMachine have been run; we jokingly call them the "hardening steps". The step numbers differ slightly between onecommand versions, but the steps can be identified by name in the step list printed by the deploy script. For example, in onecommand p14210449 (corresponding to image 11.2.3.1.1) they are step 24 to step 26:
[root@dm01db01 onecommand]# ./deploy11203.sh -l
INFO: Logging all actions in /opt/oracle.SupportTools/onecommand/tmp/dm01db01-20120330102340.log and traces in /opt/oracle.SupportTools/onecommand/tmp/dm01db01-20120330102340.trc
INFO: Loading configuration file /opt/oracle.SupportTools/onecommand/onecommand.params...
The steps in order are...
Step 0 = ValidateEnv
Step 1 = CreateWorkDir
Step 2 = UnzipFiles
Step 3 = setupSSHroot
Step 4 = UpdateEtcHosts
Step 5 = CreateCellipinitora
Step 6 = ValidateIB
Step 7 = ValidateCell
Step 8 = PingRdsCheck
Step 9 = RunCalibrate
Step 10 = CreateUsers
Step 11 = SetupSSHusers
Step 12 = CreateGridDisks
Step 13 = GridSwInstall
Step 14 = PatchGridHome
Step 15 = RelinkRDSGI
Step 16 = GridRootScripts
Step 17 = DbSwInstall
Step 18 = PatchDBHomes
Step 19 = CreateASMDiskgroups
Step 20 = DbcaDB
Step 21 = DoUnlock
Step 22 = RelinkRDSDb
Step 23 = LockUpGI
Step 24 = ApplySecurityFixes
Step 25 = SetupCellEmailAlerts
Step 26 = ResecureMachine
[root@dm01db01 onecommand]#
In onecommand p16383189 (corresponding to image 11.2.3.2.0; the steps for image 11.2.3.2.1 are identical) the steps are as follows, and step 25 to step 28 are the "hardening" ones:
[root@dm01db01 onecommand]# ./deploy11203.sh -l
INFO: Logging all actions in /opt/oracle.SupportTools/onecommand/tmp/dm01db01-20130329155618.log and traces in /opt/oracle.SupportTools/onecommand/tmp/dm01db01-20130329155618.trc
INFO: Loading configuration file /opt/oracle.SupportTools/onecommand/onecommand.params...
The steps in order are...
Step 0 = ValidateEnv
Step 1 = CreateWorkDir
Step 2 = UnzipFiles
Step 3 = setupSSHroot
Step 4 = UpdateEtcHosts
Step 5 = CreateCellipinitora
Step 6 = ValidateIB
Step 7 = UpdateCell
Step 8 = ValidateCell
Step 9 = PingRdsCheck
Step 10 = RunCalibrate
Step 11 = CreateUsers
Step 12 = SetupSSHusers
Step 13 = CreateGridDisks
Step 14 = GridSwInstall
Step 15 = PatchGridHome
Step 16 = RelinkRDSGI
Step 17 = GridRootScripts
Step 18 = DbSwInstall
Step 19 = PatchDBHomes
Step 20 = CreateASMDiskgroups
Step 21 = DbcaDB
Step 22 = DoUnlock
Step 23 = RelinkRDSDb
Step 24 = LockUpGI
Step 25 = ApplySecurityFixes
Step 26 = setupASR
Step 27 = SetupCellEmailAlerts
Step 28 = ResecureMachine
[root@dm01db01 onecommand]#
After these steps have been run, some customers find the "hardening" inconvenient once they have used the system for a while and ask us to relax some of the restrictions, such as the mandatory password change every 90 days. Solutions to such requests are given below.
The method in this article comes from an internal Exadata document and has already been applied at several customer sites:
1. Remove the password restrictions and complexity requirements:
As root, edit /etc/pam.d/system-auth, which is the PAM entry file for password handling (older Linux systems generally use /etc/pam.d/passwd). Change "min=disabled,disabled,16,12,8" (passwords created under this rule are very hard to crack) to "min=1,1,1,1,1", which greatly lowers the required password complexity (such passwords are easy to crack, for example "oracle", or the Exadata default "welcome", which are all common words...).
Then reset the root password (most default passwords on Exadata are welcome).
2. Remove the 90-day password change requirement:
Run the following command to change the user's password aging policy:
chage -d 14000 -E -1 -m 0 -M -1 <username>
For example:
chage -d 14000 -E -1 -m 0 -M -1 root          (both db and cell nodes)
chage -d 14000 -E -1 -m 0 -M -1 oracle        (on db nodes)
chage -d 14000 -E -1 -m 0 -M -1 celladmin     (on cell nodes)
chage -d 14000 -E -1 -m 0 -M -1 cellmonitor   (on cell nodes)
Of course, this has to be run on every node in turn; dcli on Exadata makes that easy:
## for db nodes
dcli -g dbs_group -l root "chage -d 14000 -E -1 -m 0 -M -1 root && chage -d 14000 -E -1 -m 0 -M -1 oracle && chage -d 14000 -E -1 -m 0 -M -1 grid"
## for cell nodes
dcli -g /opt/oracle.SupportTools/onecommand/cell_group -l root "chage -d 14000 -E -1 -m 0 -M -1 root && chage -d 14000 -E -1 -m 0 -M -1 celladmin && chage -d 14000 -E -1 -m 0 -M -1 cellmonitor"
After that, these users can log in with their default password (the default password is welcome).
3. Reconfigure the SSH trust relationships between the nodes (once ResecureMachine has run, operations relying on SSH trust no longer work):
/opt/oracle.SupportTools/setup_ssh_eq.sh /opt/oracle.SupportTools/onecommand/all_group root <passwd>
You can also refer to an earlier blog post of mine (the script used there can be found in any 11.2.0.1 installation package except the Windows one):
Setting up SSH mutual trust between machines with the Oracle installation package
Note: if you run into problems, refer to bug 12389246
4. Remove the SSH connection timeout:
dcli -g all_group -l root "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig; sed -i 's/^ClientAliveInterval/#ClientAliveInterval/' /etc/ssh/sshd_config; service sshd restart"
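The three settings changed in steps 1, 2 and 4 (the pam_passwdqc minimum lengths, the maximum password age and the sshd ClientAliveInterval) are exactly what a later audit should look for, so that nodes which have been relaxed can be identified and a conscious decision taken about them. The following POSIX sh script is an added example and is not from the original post or from Oracle; it reads constructed sample copies of system-auth, sshd_config and a shadow-format file (the file names, the "!!" hash placeholders and the sample aging values are assumptions) and compares them against the hardened min= value quoted above.

```shell
#!/bin/sh
# Added audit example (not part of the original post): check whether a node's
# password-quality policy, password aging and sshd idle timeout still match the
# hardened state ResecureMachine leaves behind, or have been relaxed as in the
# steps above. All sample files are constructed here; the reference min= value
# comes from the post, everything else is an assumption for the demo.

# pam_passwdqc min= value the post quotes for a hardened Exadata node.
HARDENED_MIN="disabled,disabled,16,12,8"

# Print the min=... argument of the pam_passwdqc line in a PAM config file ($1).
passwdqc_min() {
    awk '$1 == "password" && $3 == "pam_passwdqc.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^min=/) { sub(/^min=/, "", $i); print $i; exit }
         }' "$1"
}

# Return 0 when policy $1 is weaker than reference $2 in at least one of the
# five passwdqc classes: a "disabled" class re-enabled, or a numeric minimum
# lowered. A class that is "disabled" in $1 is never counted as weaker.
passwdqc_weaker_than() {
    printf '%s\n' "$1" | awk -F, -v ref="$2" '{
        n = split(ref, r, ",")
        weaker = 0
        for (i = 1; i <= n; i++) {
            if (r[i] == "disabled") { if ($i != "disabled") weaker = 1 }
            else if ($i != "disabled" && ($i + 0) < (r[i] + 0)) weaker = 1
        }
        exit weaker ? 0 : 1
    }'
}

# Return 0 when sshd_config ($1) has an active (uncommented) ClientAliveInterval
# greater than zero; the sed in step 4 turns that line into a comment.
sshd_idle_timeout_enforced() {
    awk 'tolower($1) == "clientaliveinterval" && $2 + 0 > 0 { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print accounts in a shadow-format file ($1) whose maximum password age
# (field 5) is empty or -1, which is the state `chage -M -1 <user>` produces.
shadow_users_without_max_age() {
    awk -F: '$5 == "" || $5 == "-1" { print $1 }' "$1"
}

# Write constructed sample files into directory $1 (hashes replaced by "!!").
write_samples() {
    printf '%s\n' \
      'password requisite pam_passwdqc.so min=disabled,disabled,16,12,8 similar=deny enforce=everyone max=40' \
      > "$1/system-auth.hardened"
    printf '%s\n' \
      'password requisite pam_passwdqc.so min=1,1,1,1,1 similar=deny enforce=everyone max=40' \
      > "$1/system-auth.relaxed"
    printf '%s\n' 'ClientAliveInterval 600' 'ClientAliveCountMax 0' > "$1/sshd_config.hardened"
    printf '%s\n' '#ClientAliveInterval 600' 'ClientAliveCountMax 0' > "$1/sshd_config.relaxed"
    printf '%s\n' 'root:!!:15000:0:90:7:::' 'oracle:!!:15000:0::7:::' \
      'grid:!!:15000:0:-1:7:::' > "$1/shadow.sample"
}

# Audit one set of files: prints WARN/OK lines and returns the number of WARNs.
audit_node() {
    pam="$1"; sshd="$2"; shadow="$3"; warns=0
    min=$(passwdqc_min "$pam")
    if passwdqc_weaker_than "$min" "$HARDENED_MIN"; then
        echo "WARN $pam: pam_passwdqc min=$min is weaker than $HARDENED_MIN"; warns=$((warns + 1))
    else
        echo "OK   $pam: pam_passwdqc min=$min"
    fi
    if sshd_idle_timeout_enforced "$sshd"; then
        echo "OK   $sshd: ClientAliveInterval is active"
    else
        echo "WARN $sshd: no active ClientAliveInterval"; warns=$((warns + 1))
    fi
    for u in $(shadow_users_without_max_age "$shadow"); do
        echo "WARN $shadow: $u has no maximum password age"; warns=$((warns + 1))
    done
    return "$warns"
}

# Stand-alone demo over the constructed samples.
d=$(mktemp -d)
write_samples "$d"
audit_node "$d/system-auth.hardened" "$d/sshd_config.hardened" "$d/shadow.sample" || :
audit_node "$d/system-auth.relaxed"  "$d/sshd_config.relaxed"  "$d/shadow.sample" || :
rm -rf "$d"
```

Pointing the functions at the real /etc/pam.d/system-auth, /etc/ssh/sshd_config and /etc/shadow requires root; on Exadata the same check can be pushed to every node with dcli, just as the post does for chage.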
One more thing: for various reasons users may run into the account being locked after too many failed password attempts. The relevant settings are in /etc/pam.d/system-auth; for example, on Exadata:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_unix.so try_first_pass nullok
#auth required pam_deny.so
account required pam_unix.so
password requisite pam_passwdqc.so min=5,5,5,5,5 similar=deny enforce=everyone max=40
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow remember=10
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
To clear a user's failed login count so that the user can log in again, the command is:
pam_tally2 -r -u username
For example,
Clear the failed login count for the oracle user: pam_tally2 -r -u oracle
Clear the failed login count for the root user: pam_tally2 -r -u root