
Saturday, June 30, 2012

Removing 90 days password expiration and loosen password restriction on Exadata Machine


After the ResecureMachine step has run on Exadata, all passwords must be reset/changed, must be complex, and will expire after 90 days.

To avoid having to reset the passwords and to remove the 90-day password expiration interval, run the following command for each user on the system, including root (i.e. root, celladmin and cellmonitor on the cells; root and oracle on the DB nodes):

chage -d 14000 -E -1 -m 0 -M -1 <username>

(-d 14000 sets the last-changed date far in the past so no reset is forced, -E -1 removes the account expiration date, -m 0 removes the minimum password age and -M -1 removes the maximum password age, so the password never expires.)

To loosen the password restrictions and reduce the complexity requirements, log in to each node as root and edit /etc/pam.d/system-auth, changing the string "min=disabled,disabled,16,12,8" to "min=1,1,1,1,1". After that, reset the root password to whatever value you'd like (suggestion: welcome1 :).


- wdanyant -

How to change user to root when using oracle user on Exadata

How to change user to root when using oracle user on Exadata?
When trying to su to "root" as the "oracle" user, even though the password is correct, it always reports an incorrect password:

[oracle@server ~]$ su - root
Password:
su: incorrect password
[oracle@server ~]$

This is because the "oracle" user is not a member of the wheel group, and this was done on purpose by the Oracle Exadata team.

If you want to su to "root", try the solution below:

As root, add the oracle user to the wheel group. Use -a (append) so that the supplementary groups the oracle user already belongs to are kept; without it, -G replaces the whole list of supplementary groups:
usermod -a -G wheel oracle


- wdanyant -

How to change PAM settings that have tightened in Oracle Linux 5.7

How to change PAM settings that have tightened in Oracle Linux 5.7?


Starting with Exadata 11.2.3.1.X, Oracle Linux has been upgraded to version 5.7, which has a slightly different account-locking mechanism, or, as we can simply say, "the PAM settings have been tightened in OEL 5.7".


What does "PAM settings tightened in OEL 5.7" mean?
When a login (for example as root) fails with a wrong password more often than allowed, the account will be locked for 10 minutes / 600 seconds before another login can be attempted (connection retries must wait 10 minutes / 600 seconds between attempts).


How do we change that PAM / security settings in OEL 5.7?

In modern Linux distributions, the default security mechanism governing SSH logins is PAM.
It mainly uses one configuration file to drive the wait time and the lockout threshold when too many incorrect login attempts are made:

/etc/pam.d/sshd


Basically one line defines these timeouts/lockouts:
auth required pam_tally2.so deny=5 onerr=fail lock_time=600


The values to note are:
auth required pam_tally2.so deny=5 onerr=fail lock_time=600

The "deny" parameter governs how many login attempts can be made with a user account before that account is locked. In this case it is set to 5 attempts.
The "lock_time" parameter governs how long (in seconds) one must wait before attempting to log in again. This value is set much higher than in the past, which is a result of "hardening" the SSH login process to discourage attempts to "guess" the password.


Both values can be altered. Setting them as follows changes the behaviour as noted:
auth required pam_tally2.so deny=3 onerr=fail lock_time=10
In this case you would only have 3 attempts to log in with an account before that account is locked.
Also, the time you are forced to wait before attempting another login is reduced from 10 minutes (600 seconds) to 10 seconds.


After making changes to this file, they only become effective once the following command is issued by the "root" user:
# service sshd restart
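As an added example that is not from the original post, the following POSIX shell script reads the pam_tally2 line out of a PAM service file such as /etc/pam.d/sshd and checks the deny / lock_time values against a policy floor, which is the check you want before and after editing several nodes. The two sample configurations are constructed here (the OEL 5.7 default and the loosened line above), and pam_param / lockout_policy_ok are names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the post): audit the pam_tally2 lockout settings
# in a PAM service file such as /etc/pam.d/sshd. Sample configs are constructed.

# pam_param FILE MODULE PARAM -> prints PARAM's value from the "auth ... MODULE" line
pam_param() {
  awk -v mod="$2" -v key="$3" '
    $1 == "auth" && $3 == mod {
      for (i = 4; i <= NF; i++) {
        n = index($i, "=")
        if (n && substr($i, 1, n - 1) == key) { print substr($i, n + 1); exit }
      }
    }' "$1"
}

# lockout_policy_ok FILE MAX_DENY MIN_LOCK -> success (0) only when the file
# locks after at most MAX_DENY failures and keeps the lock at least MIN_LOCK seconds
lockout_policy_ok() {
  deny=$(pam_param "$1" pam_tally2.so deny)
  lock=$(pam_param "$1" pam_tally2.so lock_time)
  [ -n "$deny" ] && [ -n "$lock" ] || return 1   # module missing or parameter absent
  [ "$deny" -le "$2" ] && [ "$lock" -ge "$3" ]
}

# Constructed samples: the OEL 5.7 default line and the loosened line from the post
DEFAULT_CFG=$(mktemp)
cat > "$DEFAULT_CFG" <<'EOF'
#%PAM-1.0
auth required pam_tally2.so deny=5 onerr=fail lock_time=600
auth include system-auth
account required pam_nologin.so
EOF
LOOSE_CFG=$(mktemp)
sed 's/deny=5 onerr=fail lock_time=600/deny=3 onerr=fail lock_time=10/' "$DEFAULT_CFG" > "$LOOSE_CFG"

# Report each file against the 5 attempts / 600 s baseline
for cfg in "$DEFAULT_CFG" "$LOOSE_CFG"; do
  printf '%s: deny=%s lock_time=%s -> ' "$cfg" \
    "$(pam_param "$cfg" pam_tally2.so deny)" "$(pam_param "$cfg" pam_tally2.so lock_time)"
  if lockout_policy_ok "$cfg" 5 600; then echo "meets 5 attempts / 600 s"; else echo "weaker than 5 attempts / 600 s"; fi
done
```

On a live node, `pam_tally2 --user=<username>` shows the current failure count for an account and `pam_tally2 --user=<username> --reset` clears it, which is how an administrator unlocks an account before lock_time has elapsed.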


- wdanyant -