How to Configure User Equivalence (Key-Based Authentication) on Linux
Installation
The SSH service should already be installed, but if it is not, install it from a Yum repository using the following command.
# yum install openssh-server
Turn on the SSH service and make sure it starts automatically on reboot.
# service sshd start # chkconfig sshd on
The SSH service is configured using the "/etc/ssh/sshd_config" file. Configuration changes have to be followed by a restart of the service.
# service sshd restart # # or # service sshd reload
Firewall
The server must have the TCP port 22 open. This can be achieved by adding the following entry to the type of firewall script described here.
# Open port for NTP server. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
SELinux
If you are using SELinux, you will need to consider the following points.
The SELinux booleans associated with the SSH service are displayed using the
getsebool
command.# getsebool -a | grep ssh allow_ssh_keysign --> off fenced_can_ssh --> off ssh_chroot_rw_homedirs --> off ssh_sysadm_login --> off #
The
setsebool
command is used to set a specific boolean value.# setsebool ssh_sysadm_login on # setsebool ssh_sysadm_login off
More information on SELinux can be found here.
Manual User Equivalence (Key-Based Authentication) Configuration
Assuming we have a two node cluster (rac1.localdomain, rac2.localdomain), log in as the "oracle" user and perform the following tasks on each node.
su - oracle mkdir ~/.ssh chmod 700 ~/.ssh /usr/bin/ssh-keygen -t rsa # Accept the default settings.
The RSA public key is written to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file.
Log in as the "oracle" user on rac1.localdomain, generate an "authorized_keys" file and copy it to rac2.localdomainusing the following commands.
su - oracle cd ~/.ssh cat id_rsa.pub >> authorized_keys scp authorized_keys rac2.localdomain:/home/oracle/.ssh/
Next, log in as the "oracle" user on rac2.localdomain and perform the following commands.
su - oracle cd ~/.ssh cat id_rsa.pub >> authorized_keys scp authorized_keys rac1.localdomain:/home/oracle/.ssh/
The "authorized_keys" file on both servers now contains the public keys generated on all nodes.
To enable SSH user equivalency on the cluster member nodes issue the following commands on each node.
ssh rac1 date ssh rac2 date ssh rac1.localdomain date ssh rac2.localdomain date exec /usr/bin/ssh-agent $SHELL /usr/bin/ssh-add
You should now be able to SSH and SCP between servers without entering passwords.
sshUserSetup.sh (Oracle Method)
The Oracle 11gR2 grid and database media includes a "sshsetup" directory containing a "sshUserSetup.sh" file. Running this file with no parameter shows the usage information.
$ cd /path/to/grid/media/sshsetup $ ./sshUserSetup.sh Please specify a valid and existing cluster configuration file. Either user name or host information is missing Usage ./sshUserSetup.sh -user <user name> [ -hosts "<space separated hostlist>" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase] $
If we pass in the basic parameters it will configure user equivalence for us.
$ ./sshUserSetup.sh -user oracle -hosts "rac1 rac2" -noPromptPassphrase The output of this script is also logged into /tmp/sshUserSetup_2011-10-01-20-01-06.log Hosts are rac1 rac2 user is oracle Platform:- Linux Checking if the remote hosts are reachable PING rac1.localdomain (192.168.0.101) 56(84) bytes of data. 64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=1 ttl=64 time=0.018 ms 64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=2 ttl=64 time=0.017 ms 64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=3 ttl=64 time=0.017 ms 64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=4 ttl=64 time=0.019 ms 64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=5 ttl=64 time=0.018 ms --- rac1.localdomain ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 3999ms rtt min/avg/max/mdev = 0.017/0.017/0.019/0.004 ms PING rac2.localdomain (192.168.0.102) 56(84) bytes of data. 64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=1 ttl=64 time=0.110 ms 64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=2 ttl=64 time=0.265 ms 64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=3 ttl=64 time=0.254 ms 64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=4 ttl=64 time=0.101 ms 64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=5 ttl=64 time=0.321 ms --- rac2.localdomain ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4000ms rtt min/avg/max/mdev = 0.109/0.255/0.331/0.081 ms Remote host reachability check succeeded. The following hosts are reachable: rac1 rac2. The following hosts are not reachable: . All hosts are reachable. Proceeding further... firsthost rac1 numhosts 2 <span style="color: #ff0000;">The script will setup SSH connectivity from the host rac1 to all</span> <span style="color: #ff0000;">the remote hosts</span>. After the script is executed, the user can use SSH to run commands on the remote hosts or copy files between this host rac1 and the remote hosts without being prompted for passwords or confirmations. NOTE 1: As part of the setup procedure, this script will use ssh and scp to copy files between the local host and the remote hosts. Since the script does not store passwords, you may be prompted for the passwords during the execution of the script whenever ssh or scp is invoked. NOTE 2: AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE directories. Do you want to continue and let the script make the above mentioned changes (yes/no)? <span style="color: #ff0000;">yes</span> The user chose yes User chose to skip passphrase related questions. Creating .ssh directory on local host, if not present already Creating authorized_keys file on local host Changing permissions on authorized_keys to 644 on local host Creating known_hosts file on local host Changing permissions on known_hosts to 644 on local host Creating config file on local host If a config file exists already at /home/oracle/.ssh/config, it would be backed up to /home/oracle/.ssh/config.backup. Removing old private/public keys on local host Running SSH keygen on local host with empty passphrase Generating public/private rsa key pair. Your identification has been saved in /home/oracle/.ssh/id_rsa. Your public key has been saved in /home/oracle/.ssh/id_rsa.pub. The key fingerprint is: de:e3:66:fa:16:e8:6e:36:fd:c5:e3:77:75:07:9a:b0 oracle@rac1 Creating .ssh directory and setting permissions on remote host rac1 THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT. The script would create ~oracle/.ssh/config file on remote host rac1. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup. The user may be prompted for a password here since the script would be running SSH on host rac1. Warning: Permanently added 'rac1,192.168.0.101' (RSA) to the list of known hosts. oracle@rac1's password: Done with creating .ssh directory and setting permissions on remote host rac1. Creating .ssh directory and setting permissions on remote host rac2 THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT. The script would create ~oracle/.ssh/config file on remote host rac2. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup. The user may be prompted for a password here since the script would be running SSH on host rac2. Warning: Permanently added 'rac2,192.168.0.102' (RSA) to the list of known hosts. oracle@rac2's password: Done with creating .ssh directory and setting permissions on remote host rac2. Copying local host public key to the remote host rac1 The user may be prompted for a password or passphrase here since the script would be using SCP for host rac1. oracle@rac1's password: Done copying local host public key to the remote host rac1 Copying local host public key to the remote host rac2 The user may be prompted for a password or passphrase here since the script would be using SCP for host rac2. oracle@rac2's password: Done copying local host public key to the remote host rac2 cat: /home/oracle/.ssh/known_hosts.tmp: No such file or directory cat: /home/oracle/.ssh/authorized_keys.tmp: No such file or directory SSH setup is complete. ------------------------------------------------------------------------ Verifying SSH setup =================== The script will now run the date command on the remote nodes using ssh to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP, THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR PASSWORDS. If you see any output other than date or are prompted for the password, ssh is not setup correctly and you will need to resolve the issue and set up ssh again. The possible causes for failure could be: 1. The server settings in /etc/ssh/sshd_config file do not allow ssh for user oracle. 2. The server may have disabled public key based authentication. 3. The client public key on the server may be outdated. 4. ~oracle or ~oracle/.ssh on the remote host may not be owned by oracle. 5. User may not have passed -shared option for shared remote users or may be passing the -shared option for non-shared remote users. 6. If there is output in addition to the date, but no password is asked, it may be a security alert shown as part of company policy. Append the additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file. ------------------------------------------------------------------------ --rac1:-- Running /usr/bin/ssh -x -l oracle rac1 date to verify SSH connectivity has been setup from local host to rac1. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR. Wed Dec 22 15:40:10 GMT 2010 ------------------------------------------------------------------------ --rac2:-- Running /usr/bin/ssh -x -l oracle rac2 date to verify SSH connectivity has been setup from local host to rac2. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR. Wed Dec 22 15:40:10 GMT 2010 ------------------------------------------------------------------------ SSH verification complete. $
You should now be able to SSH and SCP between servers without entering passwords.
Security
Host level security can be controlled using the Linux firewall, as shown previously.
User and group level security can be controlled by editing the "/etc/ssh/sshd_config", adding the
AllowUsers
or AllowGroups
entries.AllowUsers user1 user2 AllowGroups developers
Remember to restart or reload the service after making any changes.
# service sshd reload
Comments
Post a Comment