Steps to configure SSH mutual trust on Linux

Configure ssh between all nodes
Several steps of the RAC installation copy files from one node to the others, which requires that the nodes can reach each other without a password prompt; otherwise the installation fails.
This step configures ssh so that the RAC nodes can access each other without a password.
The following steps must be run as the oracle user:
- Generate RSA and DSA keys on all nodes
The process asks a few questions; press Enter at each prompt (this accepts the default file name and an empty passphrase, as the transcript below shows).
On rac1, run:
[root@rac1 ~]# su - oracle
[oracle@rac1 ~]$ mkdir ~/.ssh
[oracle@rac1 ~]$ chmod 700 ~/.ssh
[oracle@rac1 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
f3:df:90:e7:a7:47:7b:47:52:b1:f0:09:07:39:1b:c7 oracle@rac1
[oracle@rac1 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
8d:57:66:6c:77:9b:2a:1a:60:4e:18:6c:43:f3:15:3d oracle@rac1
On rac2, run:
[root@rac2 ~]# su - oracle
[oracle@rac2 ~]$ mkdir ~/.ssh
[oracle@rac2 ~]$ chmod 700 ~/.ssh
[oracle@rac2 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
c8:93:83:8e:1f:51:0c:76:e7:42:75:a9:b0:12:04:f0 oracle@rac2
[oracle@rac2 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
e1:56:2f:f8:22:df:af:b3:f9:94:e3:15:dc:17:30:5f oracle@rac2
- Add the key material to the authorized-keys file
This series of steps only needs to be run on one of the nodes (rac1 is used here):
First create the authorized-keys file (sshd reads this file at login) to hold each node's public key:
bash-3.00$ touch ~/.ssh/authorized_keys
Put each node's public key into the file just created:
[oracle@rac1 ~]$ cd ~/.ssh
[oracle@rac1 .ssh]$ ssh rac1 cat ~/.ssh/id_rsa.pub >> authorized_keys
The authenticity of host 'rac1 (192.168.1.111)' can't be established.
RSA key fingerprint is e6:b8:99:04:5c:2a:42:a4:6b:18:6d:5d:69:59:b2:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac1,192.168.1.111' (RSA) to the list of known hosts.
oracle@rac1's password:
[oracle@rac1 .ssh]$ ssh rac2 cat ~/.ssh/id_rsa.pub >> authorized_keys
The authenticity of host 'rac2 (192.168.1.222)' can't be established.
RSA key fingerprint is e6:b8:99:04:5c:2a:42:a4:6b:18:6d:5d:69:59:b2:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac2,192.168.1.222' (RSA) to the list of known hosts.
oracle@rac2's password:
[oracle@rac1 .ssh]$ ssh rac1 cat ~/.ssh/id_dsa.pub >> authorized_keys
[oracle@rac1 .ssh]$ ssh rac2 cat ~/.ssh/id_dsa.pub >> authorized_keys
oracle@rac2's password:
- Copy the authorized_keys file holding the public keys from rac1 to rac2
[oracle@rac1 .ssh]$ pwd
/home/oracle/.ssh
[oracle@rac1 .ssh]$ scp authorized_keys rac2:`pwd`
oracle@rac2's password:
authorized_keys                                                                                  100% 1644    1.6KB/s  00:00  
 
- Set permissions on the authorized_keys file
Run on every node:
bash-3.00$ chmod 600 ~/.ssh/authorized_keys
- Enable user equivalence
Run as the oracle user on the node from which the OUI will be launched (rac1 here):
[oracle@rac1 .ssh]$ exec /usr/bin/ssh-agent $SHELL
[oracle@rac1 .ssh]$ ssh-add
Identity added: /home/oracle/.ssh/id_rsa (/home/oracle/.ssh/id_rsa)
Identity added: /home/oracle/.ssh/id_dsa (/home/oracle/.ssh/id_dsa)
- Verify that the ssh configuration is correct
As the oracle user, run on every node:
ssh rac1 date
ssh rac2 date
ssh rac1-priv date
ssh rac2-priv date
If the date is printed without a password prompt, the ssh configuration succeeded. The commands above must be run on both nodes; the first run of each command asks you to type yes.
If these commands are not run, the clusterware installation reports an error even though ssh authentication is configured:
The specified nodes are not clusterable
This is because, after ssh is set up, each host still has to be accepted with yes on first contact before access to the other servers is truly prompt-free.
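The merge, permission and verification steps above, collected into reusable shell functions. This is an added example and not code from the original article: the function names, the GNU `stat -c %a` call and the `ssh-keyscan` pre-seeding of known_hosts (used here instead of typing yes on first contact) are assumptions of the example; the node names rac1, rac2, rac1-priv, rac2-priv and the oracle home paths are the article's. The merge skips keys already present, so the step can be re-run without growing authorized_keys, and the verification uses `BatchMode=yes` so a missing key or unrecognised host key fails loudly instead of waiting for a password.

```shell
#!/bin/sh
# Added example, not part of the original article. Helper functions for the
# authorized_keys merge, the permission check and a non-interactive version of
# the "ssh <node> date" test. Node names rac1/rac2 come from the article; the
# function names and the GNU "stat -c %a" call are assumptions.

# merge_authorized_keys DEST PUBKEY...
# Append every key from the given public-key files to DEST, skipping keys that
# are already present, so re-running the step never duplicates entries.
merge_authorized_keys() {
    dest=$1; shift
    touch "$dest" && chmod 600 "$dest"
    for pub in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            # Identify a key by type and base64 blob; the trailing comment
            # (user@host) may differ between copies of the same key.
            blob=$(printf '%s\n' "$line" | awk 'NF >= 2 {print $1, $2}')
            [ -n "$blob" ] || continue
            if ! awk -v b="$blob" '($1 " " $2) == b {f=1} END {exit !f}' "$dest"; then
                printf '%s\n' "$line" >> "$dest"
            fi
        done < "$pub"
    done
}

# count_keys FILE: number of key entries (lines with at least type and blob).
count_keys() {
    awk 'NF >= 2 {n++} END {print n + 0}' "$1"
}

# check_ssh_perms HOME_DIR
# Succeeds only when HOME_DIR/.ssh is mode 700 and authorized_keys is 600.
# sshd's default StrictModes rejects key logins when these are group- or
# world-writable, which is why the article sets them explicitly.
check_ssh_perms() {
    d=$1/.ssh
    [ "$(stat -c %a "$d")" = 700 ] || return 1
    [ "$(stat -c %a "$d/authorized_keys")" = 600 ] || return 1
}

# seed_known_hosts KNOWN_HOSTS NODE...
# Alternative to answering "yes" on first contact: record each node's host key
# with ssh-keyscan, then print the fingerprints so they can be compared with
# "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" run on that node.
seed_known_hosts() {
    kh=$1; shift
    ssh-keyscan "$@" >> "$kh" 2>/dev/null
    ssh-keygen -lf "$kh"
}

# verify_nodes NODE...
# BatchMode=yes makes ssh fail instead of prompting, so a missing key or an
# unrecognised host key surfaces as an error rather than a hang.
verify_nodes() {
    rc=0
    for n in "$@"; do
        if out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$n" date 2>&1); then
            echo "$n: OK ($out)"
        else
            echo "$n: FAILED: $out" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use, run as oracle on rac1 after keys exist on both nodes:
#   sh ssh_trust.sh run
if [ "${1:-}" = "run" ]; then
    ak=$HOME/.ssh/authorized_keys
    merge_authorized_keys "$ak" "$HOME/.ssh/id_rsa.pub" "$HOME/.ssh/id_dsa.pub"
    seed_known_hosts "$HOME/.ssh/known_hosts" rac1 rac2 rac1-priv rac2-priv
    ssh rac2 cat ~/.ssh/id_rsa.pub ~/.ssh/id_dsa.pub > "$HOME/.ssh/rac2.pub"
    merge_authorized_keys "$ak" "$HOME/.ssh/rac2.pub"
    scp "$ak" rac2:.ssh/authorized_keys
    check_ssh_perms "$HOME" || echo "fix permissions on $HOME/.ssh" >&2
    verify_nodes rac1 rac2 rac1-priv rac2-priv
fi
```

The `run` branch reproduces the article's flow for two nodes; the functions can also be sourced and used one at a time, for example `check_ssh_perms "$HOME"` on each node before launching the OUI.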

Content copyright notice: unless otherwise stated, all articles are original to this site.

Please cite the source when reposting: https://www.heiqu.com/20981.html