Some Oracle documentation wants you to setup ssh with no password and no passphrase.
This is not really something your security admin will like.
First, using DSA, which is deprecated and disabled by default in OpenSSH 7.0, is a pretty dump instruction
OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.
The two recommended key types are rsa and ecdsa. You should not use dsa
Second, ssh-key without passphrase is a huge security hole. If one get access to your key, for instance on a disk, a tape backup, etc, she’ll get access as oracle to all your database nodes. Best practice to use a pass phrase. Depending on your setup, it is sufficient to get ssh keys at installation/upgrade time only.
Third, providing interactive ssh-login as Oracle is against best practice for tracability. You better use SUDO or another elevation mechanism.
First, use a recommended algoryhtm and key-length.
ssh-keygen -t rsa -b 4096
ssh-keygen -t ecdsa -b 521
Then, use a passphrase
Enter passphrase (empty for no passphrase): ***
Enter same passphrase again: ***
Then, when creating you authorized key, disable unwanted features, like pseudo terminal
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
ecdsa-sha2-nistp521 AAAABBBB/cccc== [email protected]
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding ecdsa-sha2-nistp521 AAAABBBB/cccc== [email protected]
Also, you could deactivate some features on the client config
This could also be done one the server sshd_config, but if you are not the sysadmin, don’t mess up with it.
Because you have a passphrase, you need to use an agent before starting your installation. Because pseudo-terminal (no-pty) is disabled, you cannot get a prompt. Because x11 is disabled (no-x11-forwarding), you cannot start an xterm
$ ssh srv002
$ eval $(ssh-agent)
Agent pid 12345
$ ps -fp 12345
UID PID PPID CMD
oracle 123451 0 ssh-agent
$ ssh-add ~/.ssh/id_ecdsa
Enter passphrase for ~/.ssh/id_ecdsa:
Identity added: ~/.ssh/id_ecdsa (~/.ssh/id_ecdsa)
$ ssh -t srv002
PTY allocation request failed on channel 0
$ ssh -Y srv002 aixterm
X11 forwarding request failed on channel 0
1363-008 X server named was not found.
$ ssh srv002 date
Fri Jul 13 12:50:22 CEST 2018
Those are basic steps to make your ssh less unsecure.