不管是在Oracle的GRID安装包,还是DB安装包里都有个脚本(sshUserSetup.sh),用于配置机器之间的SSH互信。配置互信,不仅仅在安装RAC需要配置。有时候我们需要配置ssh互信的时候,用这个脚本就很方便,不用敲那么命令了,直接用于脚本即可。
1 配置SSH
sshUserSetup.sh在Oracle11g grid盘的sshsetup目录下,这里主要介绍用法。在脚本里,最上面有介绍用法:
Usage sshUserSetup.sh -user <user name> [ -hosts /"<space separated hostlist>/" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]
如:eg. sshUserSetup.sh -hosts "host1 host2" -user njerath -advanced
-hosts 表示:需要配置互信的服务器ip
-user 表示:用于远程登录到服务器上的用户名
-advanced 表示:hosts里的主机,每两个主机之间都是互信的。如果不加-advanced,例如:本机是HOST-A
在本机执行./sshUserSetup.sh -user aime -hosts A B C。那么就是HOST-A->A, HOST-A->B, HOST-A->C 的互信关系。A,B,C之间是不互信的。
注意:本地主机对远程主机的SSH互信,是单向的。不管加不加-advanced,如果A主机SSH 到主机HOST-A,那么还是要输入密码。如果想本地主机和远程之间SSH互信,那么把本地主机IP加入到host中即可。 -hosts "HOST-A host1 host2"
1.1 具体例子
这里用户都是root
1.2 本地主机ip
[root@localhost sshsetup]# ifconfig eth0 Link encap:Ethernet HWaddr 08:00:27:5C:99:99 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0
1.2.1 本地主机向所有远程服务器互信,远程主机之间不互信
没有加 -advanced
[root@localhost sshsetup]# ./sshUserSetup.sh -user root -hosts '192.168.1.3 192.168.1.4'The output of this script is also logged into /tmp/sshUserSetup_2017-02-22-15-40-10.log Hosts are 192.168.1.3 192.168.1.4 user is root Platform:- Linux Checking if the remote hosts are reachable PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data. 64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=1.77 ms 64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.03 ms 64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.829 ms 64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=1.13 ms 64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.986 ms --- 192.168.1.3 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4007ms rtt min/avg/max/mdev = 0.829/1.149/1.770/0.325 ms PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data. 64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=1.65 ms 64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.760 ms 64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=1.00 ms 64 bytes from 192.168.1.4: icmp_seq=4 ttl=64 time=0.967 ms 64 bytes from 192.168.1.4: icmp_seq=5 ttl=64 time=0.861 ms --- 192.168.1.4 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4008ms rtt min/avg/max/mdev = 0.760/1.049/1.659/0.317 ms Remote host reachability check succeeded. The following hosts are reachable: 192.168.1.3 192.168.1.4. The following hosts are not reachable: . All hosts are reachable. Proceeding further... firsthost 192.168.1.3 numhosts 2 The script will setup SSH connectivity from the host localhost.localdomain to all the remote hosts. After the script is executed, the user can use SSH to run commands on the remote hosts or copy files between this host localhost.localdomain and the remote hosts without being prompted for passwords or confirmations. NOTE 1: As part of the setup procedure, this script will use ssh and scp to copy files between the local host and the remote hosts. Since the script does not store passwords, you may be prompted for the passwords during the execution of the script whenever ssh or scp is invoked. NOTE 2: AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESE directories. Do you want to continue and let the script make the above mentioned changes (yes/no)? yes The user chose yes Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. no The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion. Enter 'yes' or 'no'. yes The user chose yes Creating .ssh directory on local host, if not present already Creating authorized_keys file on local host Changing permissions on authorized_keys to 644 on local host Creating known_hosts file on local host Changing permissions on known_hosts to 644 on local host Creating config file on local host If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup. Removing old private/public keys on local host Running SSH keygen on local host Enter passphrase (empty for no passphrase): Enter same passphrase again: Generating public/private rsa key pair. Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 38:1d:89:e5:3f:3e:4a:9d:1f:3f:e1:87:e7:41:a6:06 root@localhost.localdomain The key's randomart image is: +--[ RSA 1024]----+ | . | | + . | | . + | | o o | | o S oE o | | . o o. = | | . = .+ + | | . . o.o+ +| | . . .=.| +-----------------+ Creating .ssh directory and setting permissions on remote host 192.168.1.3 THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT. The script would create ~root/.ssh/config file on remote host 192.168.1.3. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup. The user may be prompted for a password here since the script would be running SSH on host 192.168.1.3. Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts. root@192.168.1.3's password: Done with creating .ssh directory and setting permissions on remote host 192.168.1.3. Creating .ssh directory and setting permissions on remote host 192.168.1.4 THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT. The script would create ~root/.ssh/config file on remote host 192.168.1.4. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup. The user may be prompted for a password here since the script would be running SSH on host 192.168.1.4. Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts. root@192.168.1.4's password: Done with creating .ssh directory and setting permissions on remote host 192.168.1.4. Copying local host public key to the remote host 192.168.1.3 The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.3. root@192.168.1.3's password: --输入远程服务器对应用户的密码 Done copying local host public key to the remote host 192.168.1.3 Copying local host public key to the remote host 192.168.1.4 The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.4. root@192.168.1.4's password: Done copying local host public key to the remote host 192.168.1.4 The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. SSH setup is complete. ------------------------------------------------------------------------ Verifying SSH setup =================== The script will now run the date command on the remote nodes using ssh to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP, THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR PASSWORDS. If you see any output other than date or are prompted for the password, ssh is not setup correctly and you will need to resolve the issue and set up ssh again. The possible causes for failure could be: 1. The server settings in /etc/ssh/sshd_config file do not allow ssh for user root. 2. The server may have disabled public key based authentication. 3. The client public key on the server may be outdated. 4. ~root or ~root/.ssh on the remote host may not be owned by root. 5. User may not have passed -shared option for shared remote users or may be passing the -shared option for non-shared remote users. 6. If there is output in addition to the date, but no password is asked, it may be a security alert shown as part of company policy. Append the additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file. ------------------------------------------------------------------------ --192.168.1.3:-- Running /usr/bin/ssh -x -l root 192.168.1.3 date to verify SSH connectivity has been setup from local host to 192.168.1.3. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR. The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. Wed Feb 22 15:45:12 CST 2017 ------------------------------------------------------------------------ --192.168.1.4:-- Running /usr/bin/ssh -x -l root 192.168.1.4 date to verify SSH connectivity has been setup from local host to 192.168.1.4. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR. The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. Wed Feb 22 15:48:02 CST 2017 ------------------------------------------------------------------------ SSH verification complete.
1.2.2 验证
1.2.2.1 本机对所有远程服务器单向SSH
[root@localhost sshsetup]# ifconfig eth0 Link encap:Ethernet HWaddr 08:00:27:5C:99:99 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0 [root@localhost sshsetup]# ssh 192.168.1.3 date Wed Feb 22 15:47:09 CST 2017 [root@localhost sshsetup]# ssh 192.168.1.4 date Wed Feb 22 15:50:02 CST 2017
1.2.2.2 远程服务器之间验证
[root@web ~]# ifconfig eth0 Link encap:Ethernet HWaddr 40:8D:5C:E5:AD:08 inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0 [root@web ~]# ssh 192.168.1.3 date root@192.168.1.3's password:
可以看到,需要输入密码。
1.3 配置所有远程主机之间的SSH互信
[root@localhost sshsetup]# ./sshUserSetup.sh -user root -hosts '192.168.1.3 192.168.1.4' -advancedThe output of this script is also logged into /tmp/sshUserSetup_2017-02-22-15-46-13.log Hosts are 192.168.1.3 192.168.1.4 user is root Platform:- Linux Checking if the remote hosts are reachable PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data. 64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.858 ms 64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.01 ms 64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.945 ms 64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.994 ms 64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.948 ms --- 192.168.1.3 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4007ms rtt min/avg/max/mdev = 0.858/0.952/1.016/0.057 ms PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data. 64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.823 ms 64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.918 ms 64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=1.02 ms 64 bytes from 192.168.1.4: icmp_seq=4 ttl=64 time=0.807 ms 64 bytes from 192.168.1.4: icmp_seq=5 ttl=64 time=1.01 ms --- 192.168.1.4 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4005ms rtt min/avg/max/mdev = 0.807/0.918/1.023/0.092 ms Remote host reachability check succeeded. The following hosts are reachable: 192.168.1.3 192.168.1.4. The following hosts are not reachable: . All hosts are reachable. Proceeding further... firsthost 192.168.1.3 numhosts 2 The script will setup SSH connectivity from the host localhost.localdomain to all the remote hosts. After the script is executed, the user can use SSH to run commands on the remote hosts or copy files between this host localhost.localdomain and the remote hosts without being prompted for passwords or confirmations. NOTE 1: As part of the setup procedure, this script will use ssh and scp to copy files between the local host and the remote hosts. Since the script does not store passwords, you may be prompted for the passwords during the execution of the script whenever ssh or scp is invoked. NOTE 2: AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESE directories. Do you want to continue and let the script make the above mentioned changes (yes/no)? yes The user chose yes Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. no The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion. Enter 'yes' or 'no'. yes The user chose yes The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys. Press 'yes', 'no' or 'change' yes The user chose yes Creating .ssh directory on local host, if not present already Creating authorized_keys file on local host Changing permissions on authorized_keys to 644 on local host Creating known_hosts file on local host Changing permissions on known_hosts to 644 on local host Creating config file on local host If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup. Removing old private/public keys on local host Running SSH keygen on local host Enter passphrase (empty for no passphrase): Enter same passphrase again: Generating public/private rsa key pair. Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: f5:fd:97:37:c6:83:50:a3:31:d0:f6:94:45:33:50:e8 root@localhost.localdomain The key's randomart image is: +--[ RSA 1024]----+ | .. .B* | | .o + o| | oo+o | | . .=E. | | S o. . | | . o..| | . *+| | . =| | | +-----------------+ Creating .ssh directory and setting permissions on remote host 192.168.1.3 THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT. The script would create ~root/.ssh/config file on remote host 192.168.1.3. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup. The user may be prompted for a password here since the script would be running SSH on host 192.168.1.3. Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts. root@192.168.1.3's password: Done with creating .ssh directory and setting permissions on remote host 192.168.1.3. Creating .ssh directory and setting permissions on remote host 192.168.1.4 THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT. The script would create ~root/.ssh/config file on remote host 192.168.1.4. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup. The user may be prompted for a password here since the script would be running SSH on host 192.168.1.4. Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts. root@192.168.1.4's password: Done with creating .ssh directory and setting permissions on remote host 192.168.1.4. Copying local host public key to the remote host 192.168.1.3 The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.3. root@192.168.1.3's password: Done copying local host public key to the remote host 192.168.1.3 Copying local host public key to the remote host 192.168.1.4 The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.4. root@192.168.1.4's password: Done copying local host public key to the remote host 192.168.1.4 Creating keys on remote host 192.168.1.3 if they do not exist already. This is required to setup SSH on host 192.168.1.3. Creating keys on remote host 192.168.1.4 if they do not exist already. This is required to setup SSH on host 192.168.1.4. Generating public/private rsa key pair. Your identification has been saved in .ssh/id_rsa. Your public key has been saved in .ssh/id_rsa.pub. The key fingerprint is: 88:b1:d4:49:1e:df:ea:f5:d6:c9:27:a4:a1:8b:6c:c4 root@web The key's randomart image is: +--[ RSA 1024]----+ | o | | + + . | | o + . . | | . + . . | | o ..S . . . | | .E. o * . | | .. . + = .| | ... o o | | .o . | +-----------------+ Updating authorized_keys file on remote host 192.168.1.3 Updating known_hosts file on remote host 192.168.1.3 The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. Updating authorized_keys file on remote host 192.168.1.4 Updating known_hosts file on remote host 192.168.1.4 The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. SSH setup is complete. ------------------------------------------------------------------------ Verifying SSH setup =================== The script will now run the date command on the remote nodes using ssh to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP, THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR PASSWORDS. If you see any output other than date or are prompted for the password, ssh is not setup correctly and you will need to resolve the issue and set up ssh again. The possible causes for failure could be: 1. The server settings in /etc/ssh/sshd_config file do not allow ssh for user root. 2. The server may have disabled public key based authentication. 3. The client public key on the server may be outdated. 4. ~root or ~root/.ssh on the remote host may not be owned by root. 5. User may not have passed -shared option for shared remote users or may be passing the -shared option for non-shared remote users. 6. If there is output in addition to the date, but no password is asked, it may be a security alert shown as part of company policy. Append the additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file. ------------------------------------------------------------------------ --192.168.1.3:-- Running /usr/bin/ssh -x -l root 192.168.1.3 date to verify SSH connectivity has been setup from local host to 192.168.1.3. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR. The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. Wed Feb 22 15:50:58 CST 2017 ------------------------------------------------------------------------ --192.168.1.4:-- Running /usr/bin/ssh -x -l root 192.168.1.4 date to verify SSH connectivity has been setup from local host to 192.168.1.4. IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR. The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase. Wed Feb 22 15:53:48 CST 2017 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Verifying SSH connectivity has been setup from 192.168.1.3 to 192.168.1.3 IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Wed Feb 22 15:50:59 CST 2017 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Verifying SSH connectivity has been setup from 192.168.1.3 to 192.168.1.4 IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Wed Feb 22 15:53:49 CST 2017 ------------------------------------------------------------------------ -Verification from complete- SSH verification complete.
1.3.1 验证
1.3.1.1 本机向远程主机SSH
[root@localhost sshsetup]# ifconfig eth0 Link encap:Ethernet HWaddr 08:00:27:5C:99:99 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0 [root@localhost sshsetup]# ssh 192.168.1.4 date Wed Feb 22 15:54:37 CST 2017 [root@localhost sshsetup]# ssh 192.168.1.3 date Wed Feb 22 15:51:51 CST 2017
1.3.1.2 远程主机之间SSH互信
---主机192.168.1.4
[root@web ~]# ifconfig eth0 Link encap:Ethernet HWaddr 40:8D:5C:E5:AD:08 inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255. [root@web ~]# ssh 192.168.1.3 date 2017年 02月 22日 星期三 15:52:32 CST
--主机192.168.1.3
[root@dg2 ~]# ifconfig eth0 Link encap:Ethernet HWaddr 40:8D:5C:E4:69:4B inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0 [root@dg2 ~]# ssh 192.168.1.4 date Wed Feb 22 16:01:49 CST 2017
转载自:http://www.cndba.cn/Expect-le/article/1766
本文转自奔跑在路上博客51CTO博客,原文链接http://blog.51cto.com/qiangsh/1963202如需转载请自行联系原作者
qianghong000
