2.4.7.1 Configuring SSH on Cluster Member Nodes

To configure SSH, you must first create RSA and DSA keys on each cluster node, and then copy the keys from all cluster node members into an authorized keys file on each node. Note that the SSH files must be readable only by root and by the oracle user. SSH ignores a private key file if it is accessible by others.

To configure SSH, complete the following steps:

Create RSA and DSA keys on each node. Complete the following steps on each node:

1. Log in as the oracle user.

2. If necessary, create the .ssh directory in the oracle user's home directory and set the correct permissions on it:

   $ mkdir ~/.ssh
   $ chmod 700 ~/.ssh

3. Enter the following command to generate an RSA key for version 2 of the SSH protocol:

   $ /usr/bin/ssh-keygen -t rsa

   At the prompts:

   This command writes the public key to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file. Never distribute the private key to anyone.

4. Enter the following command to generate a DSA key for version 2 of the SSH protocol:

   $ /usr/bin/ssh-keygen -t dsa

   At the prompts:

   This command writes the public key to the ~/.ssh/id_dsa.pub file and the private key to the ~/.ssh/id_dsa file. Never distribute the private key to anyone.

Add keys to an authorized key file. Complete the following steps:

1. On the local node, determine whether you have an authorized key file (~/.ssh/authorized_keys). If the authorized key file already exists, then proceed to step 2. Otherwise, enter the following commands:

   $ touch ~/.ssh/authorized_keys
   $ cd ~/.ssh
   $ ls

   You should see the id_dsa.pub and id_rsa.pub keys that you have created.

2. Using SSH, copy the contents of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files to the file ~/.ssh/authorized_keys, and provide the oracle user password as prompted. This process is illustrated in the following syntax example with a two-node cluster, with nodes node1 and node2, where the oracle user path is /home/oracle:

   [oracle@node1 .ssh]$ ssh node1 cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys
   oracle@node1's password:
   [oracle@node1 .ssh]$ ssh node1 cat /home/oracle/.ssh/id_dsa.pub >> authorized_keys
   [oracle@node1 .ssh]$ ssh node2 cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys
   oracle@node2's password:
   [oracle@node1 .ssh]$ ssh node2 cat /home/oracle/.ssh/id_dsa.pub >> authorized_keys
   oracle@node2's password:

   Note: Repeat this process for each node in the cluster.

3. Use SCP (Secure Copy) or SFTP (Secure FTP) to copy the authorized_keys file to the oracle user's .ssh directory on a remote node. The following example uses SCP, on a node called node2, where the oracle user path is /home/oracle:

   [oracle@node1 .ssh]$ scp authorized_keys node2:/home/oracle/.ssh/

4. Repeat steps 2 and 3 for each cluster node member. When you have added keys from each cluster node member to the authorized_keys file on the last node you want to have as a cluster node member, then use SCP to copy the complete authorized_keys file back to each cluster node member.

   Note: The oracle user's ~/.ssh/authorized_keys file on every node must contain the contents of all of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files that you generated on all cluster nodes.

5. Change the permissions on the oracle user's ~/.ssh/authorized_keys file on all cluster nodes:

   $ chmod 600 ~/.ssh/authorized_keys

At this point, if you use ssh to log in to or run a command on another node, you are prompted for the pass phrase that you specified when you created the DSA key.
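The two things the procedure above is easy to get wrong are the file modes (SSH silently ignores a key file that others can read, so a 644 authorized_keys or 644 private key gives a confusing password prompt rather than an error) and a missing public key from one node in the merged authorized_keys. The following script is an added example, not part of the Oracle documentation or of this post; it audits an oracle user's .ssh directory for both conditions. The function names, the SSHDIR argument and the list of public-key files passed on the command line are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an oracle user's ~/.ssh directory against the
# requirements of the SSH configuration procedure (not Oracle's code).

# mode_of FILE -> prints the symbolic mode string, e.g. "-rw-------".
# ls -ld is used instead of stat because its first ten columns are the
# same on every POSIX system.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_perms SSHDIR
# Returns 0 when SSHDIR is mode 700 and every private key (id_rsa, id_dsa)
# and authorized_keys present in it is mode 600, which is what the
# procedure requires. Prints one line per violation and returns 1 otherwise.
check_ssh_perms() {
    dir=$1
    rc=0
    case "$(mode_of "$dir")" in
        drwx------) ;;
        *) echo "BAD: $dir is not mode 700 ($(mode_of "$dir"))"; rc=1 ;;
    esac
    for f in "$dir/id_rsa" "$dir/id_dsa" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        case "$(mode_of "$f")" in
            -rw-------) ;;
            *) echo "BAD: $f is not mode 600 ($(mode_of "$f"))"; rc=1 ;;
        esac
    done
    return $rc
}

# check_keys_present AUTHKEYS PUBKEY...
# Returns 0 when the key line from every PUBKEY file appears verbatim as a
# whole line of AUTHKEYS (the "contents from all cluster nodes" note above);
# lists the missing ones and returns 1 otherwise.
check_keys_present() {
    authkeys=$1; shift
    rc=0
    for pub in "$@"; do
        key=$(cat "$pub")
        if [ -z "$key" ]; then
            echo "MISSING: $pub is empty"; rc=1; continue
        fi
        # -x: whole-line match, -F: the key is a literal string, not a regex
        if ! grep -qxF "$key" "$authkeys"; then
            echo "MISSING: $pub is not in $authkeys"; rc=1
        fi
    done
    return $rc
}

# main SSHDIR PUBKEY... -> runs both checks; returns 1 if either fails.
main() {
    dir=$1; shift
    status=0
    check_ssh_perms "$dir" || status=1
    check_keys_present "$dir/authorized_keys" "$@" || status=1
    [ $status -eq 0 ] && echo "OK: $dir passes both checks"
    return $status
}

# Usage (assumed layout): collect each node's *.pub files somewhere readable,
# then on every node run, as the oracle user:
#   sh ssh_audit.sh ~/.ssh /tmp/pub/rac1_id_rsa.pub /tmp/pub/rac2_id_rsa.pub ...
[ $# -eq 0 ] || main "$@"
```

Run it on every node after the final scp in step 4; a node whose authorized_keys lacks one peer's key is exactly the node that will later stall the installer at a password prompt.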
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
My changes are as follows:
-----------------------------------------------------------------------------------------------
Node rac1
[root@rac1 ~]# id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba)
[root@rac1 ~]# su - oracle
[oracle@rac1 ~]$ mkdir ~/.ssh
[oracle@rac1 ~]$ chmod 700 ~/.ssh
[oracle@rac1 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
40:10:36:40:03:e6:54:b5:4c:ad:31:5b:b5:08:b5:5d oracle@rac1.localdomain
[oracle@rac1 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
7a:9c:b9:81:25:a5:3f:fa:b1:c5:da:bb:08:00:77:d4 oracle@rac1.localdomain
[oracle@rac1 ~]$
-------------------------------------------------------------------------------
Node rac2
[root@rac2 ~]# id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba)
[root@rac2 ~]# su - oracle
[oracle@rac2 ~]$ mkdir ~/.ssh
[oracle@rac2 ~]$ chmod 700 ~/.ssh
[oracle@rac2 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
da:74:7b:f5:60:12:22:15:ad:44:83:4f:19:da:c7:cf oracle@rac2.localdomain
[oracle@rac2 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
1f:ba:cc:93:44:09:ca:bb:03:a4:1f:61:2d:b2:b4:29 oracle@rac2.localdomain
[oracle@rac2 ~]$
--------------------------------------------------------------------------------------
Back on node rac1, continue:
[oracle@rac1 ~]$ cd .ssh/
[oracle@rac1 .ssh]$ ll
total 16
-rw------- 1 oracle oinstall 668 Mar 21 21:48 id_dsa
-rw-r--r-- 1 oracle oinstall 613 Mar 21 21:48 id_dsa.pub
-rw------- 1 oracle oinstall 1675 Mar 21 21:47 id_rsa
-rw-r--r-- 1 oracle oinstall 405 Mar 21 21:47 id_rsa.pub
[oracle@rac1 .ssh]$ cat id_dsa.pub>>authorized_keys
[oracle@rac1 .ssh]$ cat id_rsa.pub>>authorized_keys
[oracle@rac1 .ssh]$ ssh rac2 cat /home/oracle/.ssh/id_rsa.pub >>/home/oracle/.ssh/authorized_keys
The authenticity of host 'rac2 (192.168.1.153)' can't be established.
RSA key fingerprint is de:2a:4c:d0:b2:20:88:4c:a2:72:24:11:50:4b:d6:74.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac2,192.168.1.153' (RSA) to the list of known hosts.
oracle@rac2's password:
[oracle@rac1 .ssh]$ ssh rac2 cat /home/oracle/.ssh/id_dsa.pub >>/home/oracle/.ssh/authorized_keys
oracle@rac2's password:
[oracle@rac1 .ssh]$ scp ~/.ssh/authorized_keys rac2:~/.ssh/authorized_keys
oracle@rac2's password:
authorized_keys 100% 2036 2.0KB/s 00:00
[oracle@rac1 .ssh]$
------------------------------------------------------------------------------------------------------------------------
Finally, verify SSH user equivalence:
Node rac1:
[oracle@rac1 .ssh]$ ssh rac1 date
Fri Mar 21 22:06:25 CST 2014
[oracle@rac1 .ssh]$ ssh rac2 date
Fri Mar 21 22:06:31 CST 2014
[oracle@rac1 .ssh]$ ssh rac2-priv date
Fri Mar 21 22:06:42 CST 2014
[oracle@rac1 .ssh]$ ssh rac1-priv date
Fri Mar 21 22:06:46 CST 2014
[oracle@rac1 .ssh]$ ssh rac1.localdomain date
Fri Mar 21 22:06:55 CST 2014
[oracle@rac1 .ssh]$ ssh rac2.localdomain date
Fri Mar 21 22:07:00 CST 2014
[oracle@rac1 .ssh]$ ssh rac1-priv.localdomain date
Fri Mar 21 22:07:06 CST 2014
[oracle@rac1 .ssh]$ ssh rac2-priv.localdomain date
Fri Mar 21 22:07:12 CST 2014
[oracle@rac1 .ssh]$
-----------------------------------------------------------------------
Node rac2:
[oracle@rac2 ~]$ ssh rac1 date
Fri Mar 21 22:09:09 CST 2014
[oracle@rac2 ~]$ ssh rac2 date
Fri Mar 21 22:09:15 CST 2014
[oracle@rac2 ~]$ ssh rac1-priv date
Fri Mar 21 22:09:24 CST 2014
[oracle@rac2 ~]$ ssh rac2-priv date
Fri Mar 21 22:09:28 CST 2014
[oracle@rac2 ~]$ ssh rac1.localdomain date
Fri Mar 21 22:09:38 CST 2014
[oracle@rac2 ~]$ ssh rac2.localdomain date
Fri Mar 21 22:09:42 CST 2014
[oracle@rac2 ~]$ ssh rac1-priv.localdomain date
Fri Mar 21 22:09:50 CST 2014
[oracle@rac2 ~]$ ssh rac2-priv.localdomain date
Fri Mar 21 22:09:55 CST 2014
[oracle@rac2 ~]$
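The sixteen "ssh host date" commands above are typed by hand, so a node that silently waits at a password or passphrase prompt is only noticed by the operator. The script below is an added example, not part of the Oracle documentation or of this post; it runs the same check over the same set of names (node, node-priv, and both with the domain suffix) non-interactively. BatchMode=yes makes ssh fail instead of prompting, and ConnectTimeout keeps an unreachable interconnect name from hanging the loop. Host key checking is left at its default on purpose: a node whose host key is not yet in known_hosts fails the check, which is the right answer because the installer would stop there too. The domain localdomain and node names rac1 and rac2 are taken from the session above; the SSH_CMD override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: non-interactive SSH user-equivalence check for every
# hostname a RAC installer may use (not Oracle's code).

# SSH_CMD can be overridden (for example with a stub function) for testing.
SSH_CMD=${SSH_CMD:-ssh}

# check_host HOST -> 0 if "date" runs on HOST without any prompt.
# BatchMode=yes: never ask for a password or passphrase, fail instead.
# ConnectTimeout=5: do not hang on an unreachable private interconnect name.
check_host() {
    $SSH_CMD -o BatchMode=yes -o ConnectTimeout=5 "$1" date >/dev/null 2>&1
}

# expand_names DOMAIN NODE... -> one line per name to test:
# NODE, NODE-priv, NODE.DOMAIN, NODE-priv.DOMAIN (the set exercised by hand above).
expand_names() {
    domain=$1; shift
    for n in "$@"; do
        printf '%s\n%s-priv\n%s.%s\n%s-priv.%s\n' \
            "$n" "$n" "$n" "$domain" "$n" "$domain"
    done
}

# verify_equivalence HOST... -> prints PASS/FAIL per host and returns the
# number of failing hosts (0 means equivalence is complete from this node).
verify_equivalence() {
    failed=0
    for h in "$@"; do
        if check_host "$h"; then
            echo "PASS $h"
        else
            echo "FAIL $h (prompted, unreachable, or host key not yet known)"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage: run as the oracle user on every node in turn, e.g.
#   sh ssh_equiv.sh localdomain rac1 rac2
# Exit status is the number of names that did not answer non-interactively.
[ $# -lt 2 ] || verify_equivalence $(expand_names "$@")
```

Because the check is run from each node against all names, including the node's own, it catches the common one-sided mistake where authorized_keys was copied out from node 1 but node 2's own key was never appended before the copy.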