LinuxQuestions.org
Old 04-19-2018, 10:39 AM   #16
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364


Quote:
Originally Posted by TB0ne View Post
... to not allow root login over SSH, but only at console, which means the PermitRootLogin should be no. And when ANY directive is applied to the AllowUsers line, it will, by default, DIS-allow all others. And the DenyUsers directive takes precedence over that, so if you have:
Code:
AllowUsers joe sam bob
DenyUsers joe
Then joe is denied...as is root, even WITH the PermitRootLogin set to yes.

Hey TB0ne,

Thanks for this - good to know - I always end up slightly less ignorant every time I get involved in a thread here ..

I DO feel for the OP, here, mind you. I've seen examples of his predicament before and it can be stressful and thankless ... I'm sure he appreciates the valuable knowledge you're sharing.

Cheers.
 
Old 04-19-2018, 11:18 AM   #17
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,482

Quote:
Originally Posted by Rickkkk View Post
Hey TB0ne,
Thanks for this - good to know - I always end up slightly less ignorant every time I get involved in a thread here ..

I DO feel for the OP, here, mind you. I've seen examples of his predicament before and it can be stressful and thankless ... I'm sure he appreciates the valuable knowledge you're sharing.

Glad to share, and thanks.

And I only feel for the OP a little bit in this case. Mainly because they're using commercial products and not paying for them, and the fact he's dodging questions. Paying for RHEL and Oracle would get this guy support, and with his level of stated inexperience/knowledge, ignoring those two easily accessible resources is plain foolish, especially for a company. Stuff like sshd_config is covered in detail in the Red Hat knowledgebase.

And he still hasn't/won't answer the question of how he got a job being a Linux administrator for a company with ~60 users, involving ERP and an Oracle database, when as he stated, he has no experience ("new to the Linux environment"). Seems odd that such a hire would have been made.
 
Old 04-19-2018, 01:24 PM   #18
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364

Quote:
Originally Posted by TB0ne View Post
Glad to share, and thanks.

And I only feel for the OP a little bit in this case. Mainly because they're using commercial products and not paying for them, and the fact he's dodging questions. Paying for RHEL and Oracle would get this guy support, and with his level of stated inexperience/knowledge, ignoring those two easily accessible resources is plain foolish, especially for a company. Stuff like sshd_config is covered in detail in the Red Hat knowledgebase.

And he still hasn't/won't answer the question of how he got a job being a Linux administrator for a company with ~60 users, involving ERP and an Oracle database, when as he stated, he has no experience ("new to the Linux environment"). Seems odd that such a hire would have been made.

Hey TB0ne ... I hear you.

My impression after reading through the OP's different posts is that he is a sysadmin for Windows and has recently inherited the task of taking care of this linux server by default. I'm also not sure the decision concerning his employer's compliance with any agreements they have / should have with RedHat and Oracle is under the OP's responsibility. He has stated that he will try to convince his management to strive towards compliance, but in the meantime he is stuck with a difficult task.

That's how I see it. I guess I'm giving the OP the benefit of the doubt, hence my feeling of sympathy for his situation.

... enough philosophizing ... Thanks again for all your help.

Cheers.

Last edited by Rickkkk; 04-19-2018 at 08:05 PM.
 
Old 04-19-2018, 07:15 PM   #19
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,340

In addition to all the good advice etc above, for the OP I'd add that a quick way to get an idea of how old the system is, is to run
Code:
cat /etc/issue
as root. That should give you the RHEL version, similar to "CentOS release 6.9 (Final)", except of course it will say RHEL instead.

Also try
Code:
ls -lt
in the root user's home dir, i.e. /root, & look for
Code:
-rw-------. 1 root root  1621 Dec 14  2015 anaconda-ks.cfg
-rw-r--r--. 1 root root 44103 Dec 14  2015 install.log
-rw-r--r--. 1 root root  9360 Dec 14  2015 install.log.syslog
which generally* indicate the initial build date.
* - not guaranteed to be accurate, but usually the case.

@commenters: like Rickkkk, it sounds to me like the OP has been 'chosen' to do this because he's the nearest they have already.
It's not fun being in that position & I definitely sympathise.
 
Old 04-20-2018, 02:56 AM   #20
susantha.tvslanka
LQ Newbie
 
Registered: Apr 2018
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Rickkkk View Post

So my understanding is that you need to grant console access to the 3rd party developer only. Is this correct ?

Yes

Quote:
Originally Posted by Rickkkk View Post

So in summary, my recommendations to you are:
  • Create a new user account for your 3rd party developer. Although I am not a Red Hat user, this is usually done from the console while you are logged in as root, using the :

Code:
[root@linux-server ~]# useradd developer
[root@linux-server ~]# passwd developer
Changing password for user developer.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@linux-server ~]#

Quote:
Originally Posted by Rickkkk View Post
  • You then need to add the appropriate ssh privileges for the new user by editing the sshd_config file on your server. If you are unsure of how to do this, let us know and perhaps a RHEL-using member here will chime in. Otherwise, I'll let you know how I do this on my Arch server - should be similar if not identical for RHEL.

In /etc/ssh/sshd_config file

Code:
Port 2222
AllowUsers developer
#Protocol 2,1
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...

Quote:
Originally Posted by Rickkkk View Post
  • You then have to give the new user account sudo privileges ... This is either done by editing the sudoers file and adding the appropriate lines for the new user account, or through a user group (often the wheel group) that is already identified and enabled (or that you will enable, usually by creating or uncommenting the already present lines) in the sudoers file.

In /etc/security/access.conf

Code:
# User "developer" should get access from all sources.
+ : developer : ALL
#
...

In /etc/sudoers

Code:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
...

Code:
[root@linux-server ~]# usermod -aG wheel developer
[root@linux-server ~]# su developer -
[developer@linux-server ~]# groups
developer wheel

Quote:
Originally Posted by Rickkkk View Post
  • You may also need to, acting as Oracle DBA, give the developer appropriate database administration rights within Oracle. I'll leave you to that, not being a DBA myself.

Third party developer is the DBA. So I don't have to worry about that

Quote:
Originally Posted by Rickkkk View Post
  • One thing you should also do before your developer starts his work, is figure out how up-to-date or out-of-date your linux server is. As TB0ne mentioned, if no one has paid any attention to it for years, it may be in a less than optimal state. If you are going to invest further time (and money) in it with this developer, it would be important to start from a solid state.

Noted.


Quote:
Originally Posted by Rickkkk View Post
  • In that vein, I will echo TB0ne's recommendation that you sort out the support issue with Red Hat. If you have a RHEL installation in good order on the server, it comes with support from Red Hat, since you are paying a licence fee. Having access to their expertise and support in a business production context such as yours is a requirement, in my opinion, and not just a "nice-to-have".
*** EDIT *** Same goes for Oracle support (ref. TB0ne)

Installation is valid and legit. Since I don't have any experience regarding Linux licencing, I thought the company has to pay additionally for a support agreement. Is my assumption incorrect?


Thank you very much for your support. However, after these steps, the developer user account is still unable to access the console, and when that account tries to connect using SSH (using PuTTY), after giving the password I get an error saying "Server unexpectedly closed network connection". Did I miss any important steps (according to the above)? Should I provide a debug log? Looking forward to your reply. Thanks again.
 
Old 04-20-2018, 03:17 AM   #21
susantha.tvslanka
LQ Newbie
 
Registered: Apr 2018
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
Again, you need to PAY FOR SUPPORT. You are not only using Oracle but Red Hat enterprise, and BOTH of those things need to be paid for. And again, how did you get a job as an administrator for a production database server, when you say you have NO experience??

Installation is valid and legit. Since I don't have any experience regarding Linux licencing, I thought the company has to pay additionally for a support agreement. Is my assumption incorrect? I don't have to worry about Oracle since it is handled by third party.


Quote:
Originally Posted by TB0ne View Post
Again, you were directed to look at the ALLOWUSERS and DENYUSERS directives in your sshd_config file, and I even told you where it was. You apparently haven't done so, because in the other duplicate thread you opened (instead of actually providing the information here), you have incorrect syntax for that directive. Have you tried to comment that line out and restart SSH???

In /etc/ssh/sshd_config file

Code:
Port 2222
AllowUsers root oracle
#Protocol 2,1
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Can you please point out what is the incorrect syntax? (since I picked up the syntax from the internet) and yes, I restarted the ssh service after the change. Also there is no DenyUsers in the said file.

Thank you very much for your support so far.

Last edited by susantha.tvslanka; 04-20-2018 at 03:33 AM.
 
Old 04-20-2018, 03:26 AM   #22
susantha.tvslanka
LQ Newbie
 
Registered: Apr 2018
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Rickkkk View Post
Hi again Susantha,

I just noticed the details rtmistler posted from another thread you apparently created.

Comments:

  • Your sshd debug command refers to port 2223 while your sshd_config file specifies port 2222. Any reason for this ?

Don't know. It was set up like that. I want to change it to port 22, but probably later.


Quote:
Originally Posted by Rickkkk View Post
  • Your sshd_config file already has the "oracle" user listed as allowed. If you can't log in, there must be another reason. Perhaps the account is deactivated ?

Code:
[root@linux-server ~]# su oracle
[oracle@linux-server ~]# whoami
oracle


Thanks.
 
Old 04-20-2018, 03:41 AM   #23
susantha.tvslanka
LQ Newbie
 
Registered: Apr 2018
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
Glad to share, and thanks.

And I only feel for the OP a little bit in this case. Mainly because they're using commercial products and not paying for them, and the fact he's dodging questions. Paying for RHEL and Oracle would get this guy support, and with his level of stated inexperience/knowledge, ignoring those two easily accessible resources is plain foolish, especially for a company. Stuff like sshd_config is covered in detail in the Red Hat knowledgebase.

And he still hasn't/won't answer the question of how he got a job being a Linux administrator for a company with ~60 users, involving ERP and an Oracle database, when as he stated, he has no experience ("new to the Linux environment"). Seems odd that such a hire would have been made.

As I mentioned in a previous reply, there is no one to administrate this Linux server. Technically I am here as the network and Windows server systems administrator. But since there is no one to look after it, I have to do it. Also both Red Hat and Oracle installations are legit. Since the Oracle admin part is handled by a third party, I don't have to worry about that. Since I don't have any experience regarding Linux licencing, I thought the company has to pay additionally for a support agreement. Is my assumption incorrect?

Thanks.

Last edited by susantha.tvslanka; 04-20-2018 at 03:43 AM.
 
Old 04-20-2018, 09:05 AM   #24
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,482

Quote:
Originally Posted by susantha.tvslanka View Post
Installation is valid and legit. Since I don't have any experience regarding Linux licencing, I thought the company has to pay additionally for a support agreement. Is my assumption incorrect? I don't have to worry about Oracle since it is handled by third party.

Nothing in this sentence makes much sense. If you are paying for RHEL support, then you can call Red Hat support for help. That's it...if your installation is 'valid and legit', there should be no problems. Someone at your company has the licensing details and support contract info. If not, RHEL support can look it up easily. Again, INSTALLING RHEL is fine, but if you don't pay for it, you DO NOT GET updates/fixes/support/patches/etc....in short, your system gets unstable, insecure, and harder to manage from day one. There is NO POINT in using RHEL without paying for it, when you can use CentOS for free, and GET the patches and everything else. If you're self-support, no need to.

Oracle is a licensed product also, regardless of who it's 'handled' by. Again, SOMEONE has the support details...and if you're the new admin, you need to get them. Not paying for Oracle? Then stop where you are and load MySQL instead.
Quote:
In /etc/ssh/sshd_config file
Code:
Port 2222
AllowUsers root oracle
#Protocol 2,1
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Can you please point out what is the incorrect syntax? (since I picked up the syntax from the internet) and yes, I restarted the ssh service after the change. Also there is no DenyUsers in the said file. Thank you very much for your support so far.

This is **NOT** the same sshd_config file you posted before, is it? Either you've heavily edited it, or one of these two is wrong...which is it? The previous file had an AllowUsers directive, and those directives were explained to you.

AGAIN: you claim your installation is 'valid and legit'...so call Red Hat support. If you are inexperienced, they can walk you through it; simple. You still don't say how you got the job of Linux administrator with zero Linux experience.

You ***DO NOT*** need to grant console access to anyone for Oracle use. Oracle can be installed via command-line, and SSH X forwarding can run X applications via a terminal connection. If your developers are saying this, they're wrong.
 
Old 04-20-2018, 10:19 AM   #25
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364

Hi susantha,

A couple of comments:
  • It looks like you set up the developer user - that's good.

  • I've never actively used the /etc/security/access.conf file for my own needs. If in your context it is a recommended best practice, I'll have to defer to either your own knowledge or to advice you can get from other sources.

  • For the issue of software agreements with RedHat and Oracle - no problem - that is your employer's concern. In answer to your question as to whether support should cost more than the standard licence fee you are paying for RedHat, I would be surprised, but it is best to verify with them how they handle it. They may have several different levels of support available at different price points. Linux is open source and free for anyone to use. When it costs anything at all, it is usually in the context of a business that needs to be able to rely on a certain level of standardized, supplier-delivered support, according to an SLA. So in a nutshell, if you're paying *anything* for linux, you are essentially paying for support.

  • For ssh, I wouldn't recommend changing the port to 22. That is the RFC defined port and known to all. For internal LAN use, choose any non-reserved port .. 2222 is fine. My point was that you seemed to be trying to connect to a client using port 2223 to your server which is listening on port 2222. This won't work. If you were using the command line to connect, for example, and you wanted the session to be for the "developer" user, the command would be:

    Code:
    ssh -p 2222 developer@xxx.xxx.xxx.xxx
    .... where the xxx's are your server's IP address. Since you're using PuTTY, just make sure the appropriate port is specified (2222).

  • Also for ssh, I recommend you look at TB0ne's post from a couple of days back, where he explains the hierarchy of application of various statements in the sshd_config file. I learned some things reading that and it is important you understand them .. Certain statements have priority over others and can have the effect of preventing access to even the root user, as counter-intuitive as that may seem.

  • A general bit of advice I can give you until you are able to obtain formal support from RedHat : take a look at the Arch Linux Wiki (Arch is the linux version I use). It is known for containing very detailed information on quite a wide area of subjects, much of which is applicable to any other linux distro. For example, the entries on Security and User Management are quite extensive - you may find it to be a useful source of information, at least temporarily.

Hope you're managing to get by - let us know how you make out and don't hesitate to come back for help.

Cheers !
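
Added example, not part of any post in this thread: a shell function that applies the sshd_config user rules discussed above (DenyUsers is checked before AllowUsers, and any AllowUsers line excludes every user it does not list). The function names and both sample configs are constructed for illustration; it reads only the global section, ignores group rules and compares USER@HOST patterns on the user part.

```shell
#!/bin/sh
# Added example: would sshd's user rules admit this login?
# Assumptions: global section only (parsing stops at the first Match line),
# USER@HOST patterns are compared on the USER part, group rules are ignored.

# Constructed samples modelled on the two snippets quoted in the thread.
CFG_THREAD='Port 2222
AllowUsers root oracle
#Protocol 2,1'
CFG_DENY='PermitRootLogin yes
AllowUsers joe sam bob
DenyUsers joe'

# Print every argument of KEYWORD (case-insensitive) found in config text $2.
directive_args() {
    printf '%s\n' "$2" | awk -v kw="$1" '
        tolower($1) == "match"     { exit }   # Match blocks are out of scope
        /^[ \t]*#/ || NF < 2       { next }   # comments, bare keywords
        tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }'
}

# True if user $1 matches any pattern in list $2. sshd patterns use the
# * and ? wildcards, which shell case patterns implement as well.
matches_any() {
    set -f                          # no filename expansion of the patterns
    for pat in $2; do
        case $1 in
            ${pat%%@*}) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Usage: ssh_user_verdict "$(cat /etc/ssh/sshd_config)" USER
ssh_user_verdict() {
    deny=$(directive_args DenyUsers "$1")
    allow=$(directive_args AllowUsers "$1")
    # For single-value keywords sshd uses the first value it reads.
    root_login=$(directive_args PermitRootLogin "$1" | head -n 1)

    if [ "$2" = root ] && [ "$root_login" = no ]; then
        echo "deny: PermitRootLogin no"
    elif matches_any "$2" "$deny"; then
        echo "deny: listed in DenyUsers"
    elif [ -n "$allow" ] && ! matches_any "$2" "$allow"; then
        echo "deny: AllowUsers is set and does not list $2"
    else
        echo "allow: no user rule blocks $2"
    fi
}

for u in root oracle developer; do
    printf '%-10s %s\n' "$u" "$(ssh_user_verdict "$CFG_THREAD" "$u")"
done
for u in joe sam root; do
    printf '%-10s %s\n' "$u" "$(ssh_user_verdict "$CFG_DENY" "$u")"
done
```

An allow verdict covers only these directives; authentication, PAM and account state are checked separately. On the server itself, `sshd -t` validates the file and `sshd -T` prints the effective settings.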
 
  


All times are GMT -5. The time now is 06:12 AM.
