Oracle Technologies Blog

By ASKM

RAC SSH setup / User equivalence

Posted by Srikrishna Murthy Annam on August 14, 2010

During the installation of Oracle RAC , OUI needs to copy files to and execute programs on the other nodes in the cluster. In order to allow OUI to do that, you must configure SSH to allow user equivalence. Establishing user equivalence with SSH provides a secure means of copying files and executing programs on other nodes in the cluster without requiring password prompts.

The first step is to generate public and private keys for SSH. There are two versions of the SSH protocol; version 1 uses RSA and version 2 uses DSA, so we will create both types of keys to ensure that SSH can use either version. The ssh-keygen program will generate public and private keys of either type depending upon the parameters passed to it.

From ORACLE DATABASE 11gR2, this process is automated in OUI itself. You can find the script “sshUserSetup.sh” in the 11gR2 grid media.

You can use this script for ssh setup in releases prior to 11gR2 RAC.

[oracle@rac1 ~]$ cd /tmp/askm/grid/sshsetup/
[oracle@rac1 sshsetup]$ ./sshUserSetup.sh -user oracle -hosts “rac1 rac2”

The output of this script is also logged into /tmp/sshUserSetup_2010-08-22-09-36-53.log
Hosts are rac1 rac2
user is oracle
Platform:- Linux
Checking if the remote hosts are reachable
PING rac1.localdomain (192.168.1.109) 56(84) bytes of data.
64 bytes from rac1.localdomain (192.168.1.109): icmp_seq=1 ttl=64 time=0.164 ms
64 bytes from rac1.localdomain (192.168.1.109): icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from rac1.localdomain (192.168.1.109): icmp_seq=3 ttl=64 time=0.047 ms
64 bytes from rac1.localdomain (192.168.1.109): icmp_seq=4 ttl=64 time=0.045 ms
64 bytes from rac1.localdomain (192.168.1.109): icmp_seq=5 ttl=64 time=0.049 ms

— rac1.localdomain ping statistics —
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.045/0.071/0.164/0.046 ms
PING rac2.localdomain (192.168.1.110) 56(84) bytes of data.
64 bytes from rac2.localdomain (192.168.1.110): icmp_seq=1 ttl=64 time=0.442 ms
64 bytes from rac2.localdomain (192.168.1.110): icmp_seq=2 ttl=64 time=0.475 ms
64 bytes from rac2.localdomain (192.168.1.110): icmp_seq=3 ttl=64 time=0.339 ms
64 bytes from rac2.localdomain (192.168.1.110): icmp_seq=4 ttl=64 time=0.380 ms
64 bytes from rac2.localdomain (192.168.1.110): icmp_seq=5 ttl=64 time=0.283 ms

— rac2.localdomain ping statistics —
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.283/0.383/0.475/0.073 ms
Remote host reachability check succeeded.
The following hosts are reachable: rac1 rac2.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further…
The script will setup SSH connectivity from the host rac1.localdomain to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host rac1.localdomain
and the remote hosts without being prompted for passwords or confirmations.

NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.

NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE
directories.

Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes

The user chose yes
Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type ‘yes’ or ‘no’ and then press enter. In case you press ‘yes’, you would need to enter the passphrase whenever the script executes ssh or scp.
The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.
Enter ‘yes’ or ‘no’.
yes

The user chose yes
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /home/oracle/.ssh/config, it would be backed up to /home/oracle/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host
Enter passphrase (empty for no passphrase):  <ENTER>
Enter same passphrase again:  <ENTER>
Generating public/private rsa key pair.
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
06:74:f9:b0:91:8a:a3:19:76:aa:b0:e3:2c:ff:e4:8b oracle@rac1.localdomain
Creating .ssh directory and setting permissions on remote host rac1
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT.
The script would create ~oracle/.ssh/config file on remote host rac1. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac1.
Warning: Permanently added ‘rac1,192.168.1.109’ (RSA) to the list of known hosts.
oracle@rac1’s password:      <ENTER RAC1 ORACLE USER PASSWORD>
Done with creating .ssh directory and setting permissions on remote host rac1.
Creating .ssh directory and setting permissions on remote host rac2
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT.
The script would create ~oracle/.ssh/config file on remote host rac2. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac2.
Warning: Permanently added ‘rac2,192.168.1.110’ (RSA) to the list of known hosts.
oracle@rac2’s password:      <ENTER RAC2 ORACLE USER PASSWORD>
Done with creating .ssh directory and setting permissions on remote host rac2.
Copying local host public key to the remote host rac1
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac1.
oracle@rac1’s password:      <ENTER RAC1 ORACLE USER PASSWORD>
Done copying local host public key to the remote host rac1
Copying local host public key to the remote host rac2
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac2.
oracle@rac2’s password:      <ENTER RAC2 ORACLE USER PASSWORD>
Done copying local host public key to the remote host rac2
The script will run SSH on the remote machine rac1. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
The script will run SSH on the remote machine rac2. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
cat: /home/oracle/.ssh/known_hosts.tmp: No such file or directory
cat: /home/oracle/.ssh/authorized_keys.tmp: No such file or directory
SSH setup is complete.

————————————————————————
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user oracle.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~oracle or ~oracle/.ssh on the remote host may not be owned by oracle.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked,
it may be a security alert shown as part of company policy. Append the
additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.
————————————————————————
–rac1:–
Running /usr/bin/ssh -x -l oracle rac1 date to verify SSH connectivity has been setup from local host to rac1.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine rac1. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Sun Aug 22 09:39:35 IST 2010
————————————————————————
–rac2:–
Running /usr/bin/ssh -x -l oracle rac2 date to verify SSH connectivity has been setup from local host to rac2.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine rac2. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Sun Aug 22 09:39:36 IST 2010
————————————————————————
SSH verification complete.
[oracle@rac1 sshsetup]$

Note : Password only 4 times
Note : Enter password carefully

Verification :
[oracle@rac1 sshsetup]$ ssh rac1 date;hostname
Sun Aug 14 09:41:33 IST 2010
rac1.localdomain
[oracle@rac1 sshsetup]$ ssh rac2 date;hostname
Sun Aug 14 09:41:39 IST 2010
rac1.localdomain
[oracle@rac1 sshsetup]$

1. ssh both public hostname
2. ssh both private hostname
3. ssh both public ip address
4. ssh both Private ip address

Screen shots showing how this is implemented in 11gR2 RAC ….

Hope it helps …

–SRI

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: