OCM_Session7_6_配置oracle用户ssh对等性

六、配置oracle用户ssh对等性

这个OCM要求配置。

参考官方文档：http://docs.oracle.com/cd/B19306_01/install.102/b14203/prelinux.htm

2.4.7.1 Configuring SSH on Cluster Member Nodes

To configure SSH, you must first create RSA and DSA keys on each cluster node, and then copy the keys from all cluster node members into an authorized keys file on each node. Note that the SSH files must be readable only by root and by the oracle user. SSH ignores a private key file if it is accessible by others

To configure SSH, complete the following steps:

Create RSA and DSA keys on each node: Complete the following steps on each node:

1. Log in as the oracle user.

2. If necessary, create the .ssh directory in the oracle user's home directory and set the correct permissions on it:

   $ mkdir ~/.ssh

    

   $ chmod 700 ~/.ssh

    

   $ chmod 700

3. Enter the following commands to generate an RSA key for version 2 of the SSH protocol:

   $ /usr/bin/ssh-keygen -t rsa

   At the prompts:

   • Accept the default location for the key file.

   • Enter and confirm a pass phrase that is different from the oracle user's password.

   This command writes the public key to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file. Never distribute the private key to anyone.

4. Enter the following commands to generate a DSA key for version 2 of the SSH protocol:

   $ /usr/bin/ssh-keygen -t dsa

   At the prompts:

   • Accept the default location for the key file

   • Enter and confirm a pass phrase that is different from the oracle user's password

   This command writes the public key to the ~/.ssh/id_dsa.pub file and the private key to the ~/.ssh/id_dsa file. Never distribute the private key to anyone.

Add keys to an authorized key file: Complete the following steps:

1. On the local node, determine if you have an authorized key file (~/.ssh/authorized_keys). If the authorized key file already exists, then proceed to step 2. Otherwise, enter the following commands:

   $ touch ~/.ssh/authorized_keys

    

   $ cd ~/.ssh

    

   $ ls

   You should see the id_dsa.pub and id_rsa.pub keys that you have created.

2. Using SSH, copy the contents of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files to the file ~/.ssh/authorized_keys, and provide the oracle user password as prompted. This process is illustrated in the following syntax example with a two-node cluster, with nodes node1 and node2, where the oracle user path is /home/oracle:

   [oracle@node1 .ssh]$ ssh node1 cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys

    

   oracle@node1's password:

    

   [oracle@node1 .ssh]$ ssh node1 cat /home/oracle/.ssh/id_dsa.pub >> authorized_keys

    

   [oracle@node1 .ssh$ ssh node2 cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys

    

   oracle@node2's password:

    

   [oracle@node1 .ssh$ ssh node2 cat /home/oracle/.ssh/id_dsa.pub >>authorized_keys

    

   oracle@node2's password:

    

   Note:

   Repeat this process for each node in the cluster.

3. Use SCP (Secure Copy) or SFTP (Secure FTP) to copy the authorized_keys file to the oracle user .ssh directory on a remote node. The following example is with SCP, on a node called node2, where the oracle user path is /home/oracle:

   [oracle@node1 .ssh]scp authorized_keys node2:/home/oracle/.ssh/

4. Repeat step 2 and 3 for each cluster node member. When you have added keys from each cluster node member to the authorized_keys file on the last node you want to have as a cluster node member, then use SCP to copy the complete authorized_keys file back to each cluster node member

   Note:

   the oracle user's /.ssh/authorized_keys file on every node must contain the contents from all of the /.ssh/id_rsa.pub and /.ssh/id_dsa.pub files that you generated on all cluster nodes.

5. Change the permissions on the oracle user's /.ssh/authorized_keys file on all cluster nodes:

   $ chmod 600 ~/.ssh/authorized_keys

   At this point, if you use ssh to log in to or run a command on another node, you are prompted for the pass phrase that you specified when you created the DSA key.

   
   
   
   

 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

我的修改如下：

-----------------------------------------------------------------------------------------------

rac1节点

[root@rac1 ~]# id oracle

uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba)

[root@rac1 ~]# su - oracle

[oracle@rac1 ~]$ mkdir ~/.ssh

[oracle@rac1 ~]$  chmod 700 ~/.ssh

[oracle@rac1 ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/oracle/.ssh/id_rsa.

Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

40:10:36:40:03:e6:54:b5:4c:ad:31:5b:b5:08:b5:5d oracle@rac1.localdomain

[oracle@rac1 ~]$ ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/oracle/.ssh/id_dsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/oracle/.ssh/id_dsa.

Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.

The key fingerprint is:

7a:9c:b9:81:25:a5:3f:fa:b1:c5:da:bb:08:00:77:d4 oracle@rac1.localdomain

[oracle@rac1 ~]$ 

-------------------------------------------------------------------------------

rac2节点

[root@rac2 ~]# id oracle

uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba)

[root@rac2 ~]# su - oracle

[oracle@rac2 ~]$ mkdir ~/.ssh

[oracle@rac2 ~]$  chmod 700 ~/.ssh

[oracle@rac2 ~]$  ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/oracle/.ssh/id_rsa.

Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

da:74:7b:f5:60:12:22:15:ad:44:83:4f:19:da:c7:cf oracle@rac2.localdomain

[oracle@rac2 ~]$ ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/oracle/.ssh/id_dsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/oracle/.ssh/id_dsa.

Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.

The key fingerprint is:

1f:ba:cc:93:44:09:ca:bb:03:a4:1f:61:2d:b2:b4:29 oracle@rac2.localdomain

[oracle@rac2 ~]$ 

--------------------------------------------------------------------------------------

返回rac1节点继续

[oracle@rac1 ~]$ cd .ssh/

[oracle@rac1 .ssh]$ ll

total 16

-rw------- 1 oracle oinstall  668 Mar 21 21:48 id_dsa

-rw-r--r-- 1 oracle oinstall  613 Mar 21 21:48 id_dsa.pub

-rw------- 1 oracle oinstall 1675 Mar 21 21:47 id_rsa

-rw-r--r-- 1 oracle oinstall  405 Mar 21 21:47 id_rsa.pub

[oracle@rac1 .ssh]$ cat id_dsa.pub>>authorized_keys

[oracle@rac1 .ssh]$ cat id_rsa.pub>>authorized_keys

[oracle@rac1 .ssh]$ ssh rac2 cat /home/oracle/.ssh/id_rsa.pub >>/home/oracle/.ssh/authorized_keys

The authenticity of host 'rac2 (192.168.1.153)' can't be established.

RSA key fingerprint is de:2a:4c:d0:b2:20:88:4c:a2:72:24:11:50:4b:d6:74.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'rac2,192.168.1.153' (RSA) to the list of known hosts.

oracle@rac2's password: 

[oracle@rac1 .ssh]$ ssh rac2 cat /home/oracle/.ssh/id_dsa.pub >>/home/oracle/.ssh/authorized_keys

oracle@rac2's password: 

[oracle@rac1 .ssh]$ scp ~/.ssh/authorized_keys rac2:~/.ssh/authorized_keys 

oracle@rac2's password: 

authorized_keys                                                  100% 2036     2.0KB/s   00:00    

[oracle@rac1 .ssh]$ 

------------------------------------------------------------------------------------------------------------------------

最后验证ssh对等性：

rac1节点：

[oracle@rac1 .ssh]$ ssh rac1 date

Fri Mar 21 22:06:25 CST 2014

[oracle@rac1 .ssh]$ ssh rac2 date

Fri Mar 21 22:06:31 CST 2014

[oracle@rac1 .ssh]$ ssh rac2-priv date

Fri Mar 21 22:06:42 CST 2014

[oracle@rac1 .ssh]$ ssh rac1-priv date

Fri Mar 21 22:06:46 CST 2014

[oracle@rac1 .ssh]$ ssh rac1.localdomain date

Fri Mar 21 22:06:55 CST 2014

[oracle@rac1 .ssh]$ ssh rac2.localdomain date

Fri Mar 21 22:07:00 CST 2014

[oracle@rac1 .ssh]$ ssh rac1-priv.localdomain date

Fri Mar 21 22:07:06 CST 2014

[oracle@rac1 .ssh]$ ssh rac2-priv.localdomain date

Fri Mar 21 22:07:12 CST 2014

[oracle@rac1 .ssh]$ 

-----------------------------------------------------------------------

rac2节点：

[oracle@rac2 ~]$ ssh rac1 date

Fri Mar 21 22:09:09 CST 2014

[oracle@rac2 ~]$ ssh rac2 date

Fri Mar 21 22:09:15 CST 2014

[oracle@rac2 ~]$ ssh rac1-priv date

Fri Mar 21 22:09:24 CST 2014

[oracle@rac2 ~]$ ssh rac2-priv date

Fri Mar 21 22:09:28 CST 2014

[oracle@rac2 ~]$ ssh rac1.localdomain date

Fri Mar 21 22:09:38 CST 2014

[oracle@rac2 ~]$ ssh rac2.localdomain date

Fri Mar 21 22:09:42 CST 2014

[oracle@rac2 ~]$ ssh rac1-priv.localdomain date

Fri Mar 21 22:09:50 CST 2014

[oracle@rac2 ~]$ ssh rac2-priv.localdomain date

Fri Mar 21 22:09:55 CST 2014

[oracle@rac2 ~]$