Steps to install ssh tunnel for Oracle authentication:

$Id$

First, identify the client and server.  The client is the machine that
will be sending SQL to the server, and the server is the machine running
the Oracle listener for the target database.  Both may well be Oracle
servers, so decide which role each one plays for this particular tunnel
before you start; the client and server steps below are different.

##########
# Client #
##########

1.  Add user "tushuser" to the unix system.  The user's home directory should
be "/home/tushuser".

	# useradd -m -d /home/tushuser tushuser

2.  Create ssh RSA keys.  The key must have no passphrase, because cron will
start the tunnel unattended.  That makes file permissions the only thing
protecting the private key, so keep .ssh at 0700 and id_rsa at 0600
(ssh-keygen creates it that way) and never copy id_rsa off this machine.

	# su - tushuser
	$ mkdir .ssh
	$ chmod 700 .ssh
	$ cd .ssh
	$ ssh-keygen
	Generating public/private rsa key pair.
	Enter file in which to save the key (/home/tushuser/.ssh/id_rsa): <enter>
	Enter passphrase (empty for no passphrase): <enter>
	Enter same passphrase again: <enter>
	Your identification has been saved in /home/tushuser/.ssh/id_rsa.
	Your public key has been saved in /home/tushuser/.ssh/id_rsa.pub.
	$

3.  Install tushuser's cronjob to keep the tunnel up.  Edit the
tushuser_tunnel.sh script so that its settings (the server host, the
listener port on the server, and the local client port) match your tunnel.
Repeat this for each server this client needs to connect to, using a
separate copy of the script and a different local port for each one.

	# cp /tmp/tushuser_tunnel.sh /usr/local/bin
	# vi /usr/local/bin/tushuser_tunnel.sh
	# chown root /usr/local/bin/tushuser_tunnel.sh
	# chmod a+rx /usr/local/bin/tushuser_tunnel.sh
	# crontab -u tushuser -e			(LINUX)
	# crontab -e tushuser			(SOLARIS)
		* * * * * /usr/local/bin/tushuser_tunnel.sh >/dev/null 2>&1
	#

4.  Change tushuser's login shell to /bin/tush.  Use the version of tush
compiled for your OS; it has been tested and works under Solaris and Linux.
Note that mode 4555 makes tush setuid root, so the binary must be owned by
root, writable by nobody else, and exactly the build intended for this
platform.  On both Linux and Solaris, "usermod -s /bin/tush tushuser" makes
the same change as the vi step without hand-editing /etc/passwd.

	# cp /tmp/tush /bin
	# chown root:root /bin/tush
	# chmod 4555 /bin/tush
	# vi /etc/passwd
		change tushuser's shell to /bin/tush
	#

5.  Make a backup of the tnsnames.ora file, then edit the entry for the
service (SID) that you are setting the tunnel up for.  Here are the
changes you should make.

	############
	# Original #
	############

	ORCL =
	  (DESCRIPTION =
	    (ADDRESS = (PROTOCOL = TCP)(HOST = 1.2.3.4)(PORT = 1521))
	    (CONNECT_DATA =
	      (SERVER = DEDICATED)
	      (SERVICE_NAME = orcl)
	    )
	  )

	#######
	# New #
	#######

	# tunnel to 1.2.3.4:1521
	ORCL =
	  (DESCRIPTION =
	    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 11521))
	    (CONNECT_DATA =
	      (SERVER = DEDICATED)
	      (SERVICE_NAME = orcl)
	    )
	  )

Notice that the hostname changed to "localhost" and the port changed to
the client port we set up in tushuser_tunnel.sh.  This port number must
match the tushuser_tunnel.sh setup exactly.  Any port is ok to use as long
as it is above 1024 and is not already in use by another process; each
tunnel from this client needs its own port.  Also add the comment to the
tnsnames.ora entry saying where the connection really goes, since
"localhost:11521" tells the next administrator nothing.  Two things to keep
in mind: ssh binds the forwarded port on the loopback interface only, so
other hosts cannot reach it, but any local user on the client can connect
to it and reach the listener through the tunnel; and the tunnel only
encrypts and authenticates the hop between the two machines, so Oracle's
own username/password authentication still applies on top of it.
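The instructions reference tushuser_tunnel.sh in client step 3 and step 5
without reproducing it.  The following is an added example of such a script,
not the one distributed with these instructions; it assumes the same
addresses and ports as the tnsnames.ora example above (server 1.2.3.4,
listener port 1521, client port 11521), all of which are set at the top so
one copy can be edited per tunnel.  It is written so that the cron entry
shown in step 3 can call it once a minute: if the tunnel is already running
it does nothing, otherwise it starts a fresh ssh with options that make an
unattended forward behave (no prompting, no remote command, exit when the
connection dies so the next cron run can restart it).

```shell
#!/bin/sh
# tushuser_tunnel.sh -- keep one ssh port-forward to an Oracle listener alive.
# Added example; not the script distributed with the original instructions.
# Assumed settings, edit per tunnel: CLIENTPORT is the local port the
# tnsnames.ora entry points at, SERVERHOST/SERVERPORT the Oracle listener.

CLIENTPORT=${CLIENTPORT:-11521}
SERVERHOST=${SERVERHOST:-1.2.3.4}
SERVERPORT=${SERVERPORT:-1521}
KEY=${KEY:-$HOME/.ssh/id_rsa}
PIDFILE=${PIDFILE:-$HOME/.ssh/tunnel-$CLIENTPORT.pid}

# tunnel_cmd CLIENTPORT SERVERPORT KEY HOST: the ssh command line as one
# string (it is also what "ps -ef" shows, so the status check can match it).
#   -N                    no remote command, the forward is all we need
#   -n                    stdin from /dev/null, so ssh never waits on cron
#   BatchMode=yes         fail rather than prompt for a passphrase/password
#   ExitOnForwardFailure  exit if the local port cannot be bound
#   ServerAlive*          notice a dead connection within 90s and exit,
#                         so the next cron run can start a fresh tunnel
tunnel_cmd() {
    echo "ssh -N -n -o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "-L $1:localhost:$2 -i $3 $4"
}

# tunnel_is_up PIDFILE PATTERN: 0 if the pid recorded in PIDFILE is alive and
# its command line contains PATTERN.  The pattern check guards against a
# stale pidfile whose pid has since been reused by an unrelated process.
tunnel_is_up() {
    pidfile=$1; pattern=$2
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    args=$(ps -p "$pid" -o args= 2>/dev/null)
    # Fallback for systems without a usable ps: read /proc directly.
    [ -n "$args" ] || args=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    case "$args" in
        *"$pattern"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# ensure_tunnel: start the tunnel unless it is already running.  Safe to call
# every minute; a run while the previous tunnel is still up does nothing.
ensure_tunnel() {
    pattern="-L $CLIENTPORT:localhost:$SERVERPORT"
    tunnel_is_up "$PIDFILE" "$pattern" && return 0
    rm -f "$PIDFILE"
    # The command string is split on whitespace on purpose (no spaces in KEY).
    nohup $(tunnel_cmd "$CLIENTPORT" "$SERVERPORT" "$KEY" "$SERVERHOST") \
        >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Cron runs the script by its installed path, which runs ensure_tunnel.
# When the file is sourced under another name only the functions are
# defined, which is how the status check can be exercised by hand.
case "$0" in
    */tushuser_tunnel.sh|tushuser_tunnel.sh) ensure_tunnel ;;
esac
```

The pattern passed to tunnel_is_up is the "-L client:localhost:server" part
of the command line, so a pidfile left over from before a reboot, whose pid
now belongs to some other process, is correctly treated as "tunnel down".
To check by hand as tushuser, source the script and run
tunnel_is_up "$PIDFILE" "-L $CLIENTPORT:localhost:$SERVERPORT"; echo $?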

##########
# Server #
##########

1.  Add user "tushuser" to the unix system.  The user's home directory should
be "/home/tushuser".

	# useradd -m -d /home/tushuser tushuser

2.  Copy the contents of id_rsa.pub from the client into
/home/tushuser/.ssh/authorized_keys on the server.  Copy only the public
key (id_rsa.pub), never id_rsa, and keep the file at 0600: sshd ignores an
authorized_keys file, or a .ssh directory, that is group- or world-writable.
The comment at the end of the line is whatever ssh-keygen wrote on the
client (normally user@client-hostname) and plays no part in authentication.

	# su - tushuser
	$ mkdir .ssh
	$ chmod 700 .ssh
	$ cd .ssh
	$ vi authorized_keys        # one line, which will look something like this
		ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAoKFepLDdV+I3Eh6pPhFvNBMX8n9c/H87278gn+sl+lnUr+hFL5O2pnCx5naYv//61XXbLSAt9ppv/O9SSHHGSIz9OsxX/Qf7QtbC64DaE9drm8jU1+SwU0oCXveJQMmuaIswcWrFHkBjX8DElBKgEfw8c+v2rEAehxHkKAbqyEE= tushuser@1.2.3.4
	$

3.  Change tushuser's login shell to /bin/tush.  Use the version of tush
compiled for your OS; it has been tested and works under Solaris and Linux.
As on the client, mode 4555 makes tush setuid root, so the binary must be
owned by root, writable by nobody else, and exactly the build intended for
this platform.  "usermod -s /bin/tush tushuser" makes the same change as
the vi step on both Linux and Solaris.

	# cp /tmp/tush /bin
	# chown root:root /bin/tush
	# chmod 4555 /bin/tush
	# vi /etc/passwd
		change tushuser's shell to /bin/tush
	#
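Because the client's key has no passphrase, anyone who obtains id_rsa can log
in as tushuser on the server.  The restricted shell limits what a login can
do, but OpenSSH's authorized_keys options can additionally limit the key to
exactly the one port-forward the tunnel needs.  The script below is an added
example for server step 2, not part of the original instructions: it prefixes
the client's public key with permitopen="localhost:1521" (so the only -L
destination the key may request is the local listener, which is what
"ssh -L 11521:localhost:1521" asks for) plus no-pty, no-X11-forwarding,
no-agent-forwarding and no-user-rc, and refuses input that is not a single
public key line.  The listener port is an assumption and is set at the top.

```shell
#!/bin/sh
# Added example, not part of the original instructions: install the client's
# tunnel key on the server with OpenSSH authorized_keys options that limit it
# to port-forwarding to the local listener.  Assumes the listener runs on the
# ssh server itself on LISTENER_PORT.

LISTENER_PORT=${LISTENER_PORT:-1521}

# restrict_key_line PUBKEY_LINE [PORT]: print the key line prefixed with
#   permitopen="localhost:PORT"   the only -L destination the key may request
#   no-pty,no-X11-forwarding,no-agent-forwarding,no-user-rc
#                                 no interactive use, no other forwarding
# (OpenSSH 7.2 and later can spell the no-* options as "restrict".)
# Anything that is not "<keytype> <base64> [comment]" is rejected, so a
# pasted prompt, a private key or an empty line never lands in the file.
restrict_key_line() {
    line=$1; port=${2:-$LISTENER_PORT}
    keytype=${line%% *}
    rest=${line#* }
    keydata=${rest%% *}
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "restrict_key_line: unsupported key type '$keytype'" >&2; return 1 ;;
    esac
    case "$keydata" in
        ""|*[!A-Za-z0-9+/=]*) echo "restrict_key_line: key data is not base64" >&2; return 1 ;;
    esac
    printf 'permitopen="localhost:%s",no-pty,no-X11-forwarding,no-agent-forwarding,no-user-rc %s\n' \
        "$port" "$line"
}

# install_key PUBKEY_FILE AUTHORIZED_KEYS [PORT]: append the restricted line
# and keep the file private.  sshd (StrictModes, the default) ignores an
# authorized_keys file that is group- or world-writable.
install_key() {
    pub=$1; ak=$2; port=${3:-$LISTENER_PORT}
    [ "$(grep -c . "$pub")" = 1 ] || {
        echo "install_key: $pub must hold exactly one key line" >&2; return 1; }
    ( umask 077; restrict_key_line "$(cat "$pub")" "$port" >> "$ak" ) || return 1
    chmod 600 "$ak"
}
```

Usage on the server, as tushuser, after copying only id_rsa.pub from the
client: install_key /tmp/id_rsa.pub "$HOME/.ssh/authorized_keys".  With the
options in place, "ssh -L 11521:localhost:1521 -i id_rsa 1.2.3.4" from the
client still works, while a request to forward to any other host:port, or
to allocate a terminal, is refused by sshd regardless of what tush permits.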

###########
# Testing #
###########

Once both the client and server have been set up, you should be able to
look at the process list on the client and see the ssh session up and
running.  Remember, the connection will not come up until both the
client and server are configured.  Once they are both configured, the
cronjob runs every minute, on the minute, so you may have to wait up to
60 seconds for the connection to come up.  If it has been more than
two minutes and the connection is not up, something is wrong; run
/usr/local/bin/tushuser_tunnel.sh by hand as tushuser, without the
>/dev/null redirection from the crontab line, to see ssh's error message.
When it is up it will look something like this:

	# ps -aef | grep ssh
	   tushuser  3967  3965  1 11:35:12 ?        0:00 ssh -L 11521:localhost:1521 -i /home/tushuser/.ssh/id_rsa 1.2.3.4

Now you can try "tnsping" or using sqlplus to connect to the database from the
client.

	# su - oracle
	$ tnsping ORCL
	$ sqlplus USER@ORCL

Lastly, make sure that the client machine restarts the ssh tunnel on its
own.  Do this by killing the current tunnel and checking that a new one
comes up within a minute.

	# ps -aef | grep ssh
	   tushuser  3967  3965  1 11:35:12 ?        0:00 ssh -L 11521:localhost:1521 -i /home/tushuser/.ssh/id_rsa 1.2.3.4
	# kill 3967
	# ps -aef | grep ssh
	# sleep 60
	# ps -aef | grep ssh
	   tushuser  3972  3965  1 11:38:12 ?        0:00 ssh -L 11521:localhost:1521 -i /home/tushuser/.ssh/id_rsa 1.2.3.4

While the tunnel is down, you should no longer be able to connect using
tnsping or sqlplus.  Test this as well, because it is what proves the
tunnel is actually in use: if "tnsping ORCL" still succeeds with no ssh
process running, the client is reaching the listener directly (for
example through a different tnsnames.ora selected by TNS_ADMIN, or an
entry that was never changed) and the tunnel is being bypassed.
