Configuring SSH trust with Oracle's sshUserSetup.sh script


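Both the Oracle Grid installation package and the DB installation package include a script, sshUserSetup.sh, that configures SSH trust (passwordless login) between machines. SSH trust is not only needed when installing RAC. Whenever you need to set it up, this script is convenient: instead of typing a long series of commands, you just run the script.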

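1 Configuring SSH

sshUserSetup.sh is in the sshsetup directory of the Oracle 11g grid installation media. This section mainly covers how to use it. The usage is documented at the top of the script: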


Usage: sshUserSetup.sh -user <user name> [ -hosts "<space separated hostlist>" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify ] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [ -confirm ] [ -shared ] [ -help ] [ -usePassphrase ] [ -noPromptPassphrase ]


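For example: sshUserSetup.sh -hosts "host1 host2" -user njerath -advanced

-hosts: the IP addresses of the servers for which SSH trust is to be configured.

-user: the user name used to log in remotely to the servers.

-advanced: every pair of hosts in the -hosts list trusts each other. Without -advanced, the trust only runs from the local host outward. For example, suppose the local machine is HOST-A and you run the following on it:

./sshUserSetup.sh -user aime -hosts "A B C"

The resulting trust relationships are HOST-A->A, HOST-A->B and HOST-A->C. A, B and C do not trust each other.

Note: the SSH trust from the local host to the remote hosts is one-way. With or without -advanced, if host A opens an SSH session to HOST-A, it still has to enter a password. To get SSH trust between the local host and the remote hosts in both directions, add the local host's IP to the host list: -hosts "HOST-A host1 host2"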

1.1 A concrete example

The user is root throughout.

1.2 Local host IP

[root@localhost sshsetup]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:5C:99:99
          inet addr:192.168.1.99  Bcast:192.168.1.255  Mask:255.255.255.0


1.2.1 Trust from the local host to all remote servers, no trust between the remote hosts

Run without -advanced:


[root@localhost sshsetup]# ./sshUserSetup.sh -user root -hosts '192.168.1.3 192.168.1.4'
The output of this script is also logged into /tmp/sshUserSetup_2017-02-22-15-40-10.log
Hosts are 192.168.1.3 192.168.1.4
user is root
Platform:- Linux
Checking if the remote hosts are reachable
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=1.77 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.03 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.829 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=1.13 ms
64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.986 ms
--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 0.829/1.149/1.770/0.325 ms
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=1.65 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.760 ms
64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=1.00 ms
64 bytes from 192.168.1.4: icmp_seq=4 ttl=64 time=0.967 ms
64 bytes from 192.168.1.4: icmp_seq=5 ttl=64 time=0.861 ms
--- 192.168.1.4 ping statistics ---
5 packets transmitted, time 4008ms
rtt min/avg/max/mdev = 0.760/1.049/1.659/0.317 ms
Remote host reachability check succeeded.
The following hosts are reachable: 192.168.1.3 192.168.1.4.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost 192.168.1.3
numhosts 2
The script will setup SSH connectivity from the host localhost.localdomain to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host localhost.localdomain
and the remote hosts without being prompted for passwords or confirmations.
NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.
NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESE
directories.
Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes
The user chose yes
Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. no
The estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.
Enter 'yes' or 'no'.
yes
The user chose yes
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
38:1d:89:e5:3f:3e:4a:9d:1f:3f:e1:87:e7:41:a6:06 root@localhost.localdomain
The key's random art image is:
+--[ RSA 1024]----+
|.|
|+.|
|.+|
|oo|
|oSoEo|
|.oo.=|
|.=.++|
|..o.o++|
|...=.|
+-----------------+
Creating .ssh directory and setting permissions on remote host 192.168.1.3
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
The script would create ~root/.ssh/config file on remote host 192.168.1.3. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host 192.168.1.3.
Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts.
root@192.168.1.3's password:
Done with creating .ssh directory and setting permissions on remote host 192.168.1.3.
Creating .ssh directory and setting permissions on remote host 192.168.1.4
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
The script would create ~root/.ssh/config file on remote host 192.168.1.4. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host 192.168.1.4.
Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts.
root@192.168.1.4's password:
Done with creating .ssh directory and setting permissions on remote host 192.168.1.4.
Copying local host public key to the remote host 192.168.1.3
The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.3.
root@192.168.1.3's password:    -- enter the password of the corresponding user on the remote server
Done copying local host public key to the remote host 192.168.1.3
Copying local host public key to the remote host 192.168.1.4
The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.4.
root@192.168.1.4's password:
Done copying local host public key to the remote host 192.168.1.4
The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
SSH setup is complete.
------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user root.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~root or ~root/.ssh on the remote host may not be owned by root.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked, it may be a security alert shown as part of company policy. Append the
additional text to the <OMSHOME>/sysman/prov/resources/ignoreMessages.txt file.
------------------------------------------------------------------------
--192.168.1.3:--
Running /usr/bin/ssh -x -l root 192.168.1.3 date to verify SSH connectivity has been setup from local host to 192.168.1.3.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Wed Feb 22 15:45:12 CST 2017
------------------------------------------------------------------------
--192.168.1.4:--
Running /usr/bin/ssh -x -l root 192.168.1.4 date to verify SSH connectivity has been setup from local host to 192.168.1.4.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Wed Feb 22 15:48:02 CST 2017
------------------------------------------------------------------------
SSH verification complete.

1.2.2 Verification

1.2.2.1 One-way SSH from the local host to all remote servers

[root@localhost sshsetup]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:5C:99:99
          inet addr:192.168.1.99  Bcast:192.168.1.255  Mask:255.255.255.0
[root@localhost sshsetup]# ssh 192.168.1.3 date
Wed Feb 22 15:47:09 CST 2017
[root@localhost sshsetup]# ssh 192.168.1.4 date
Wed Feb 22 15:50:02 CST 2017


1.2.2.2 Verification between the remote servers

[root@web ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 40:8D:5C:E5:AD:08
          inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0
[root@web ~]# ssh 192.168.1.3 date
root@192.168.1.3's password:

As you can see, a password is required.

1.3 Configuring SSH trust between all remote hosts

[root@localhost sshsetup]# ./sshUserSetup.sh -user root -hosts '192.168.1.3 192.168.1.4' -advanced
The output of this script is also logged into /tmp/sshUserSetup_2017-02-22-15-46-13.log
Hosts are 192.168.1.3 192.168.1.4
user is root
Platform:- Linux
Checking if the remote hosts are reachable
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.858 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.01 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.945 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.994 ms
64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.948 ms
--- 192.168.1.3 ping statistics ---
5 packets transmitted, time 4007ms
rtt min/avg/max/mdev = 0.858/0.952/1.016/0.057 ms
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.823 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.918 ms
64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=1.02 ms
64 bytes from 192.168.1.4: icmp_seq=4 ttl=64 time=0.807 ms
64 bytes from 192.168.1.4: icmp_seq=5 ttl=64 time=1.01 ms
--- 192.168.1.4 ping statistics ---
5 packets transmitted, time 4005ms
rtt min/avg/max/mdev = 0.807/0.918/1.023/0.092 ms
Remote host reachability check succeeded.
The following hosts are reachable: 192.168.1.3 192.168.1.4.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost 192.168.1.3
numhosts 2
The script will setup SSH connectivity from the host localhost.localdomain to all
the remote hosts. After the script is executed, the user would have to specify the passphrase on one additional occasion.
Enter 'yes' or 'no'.
yes
The user chose yes
The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys.
Press 'yes', 'no' or 'change'
yes
The user chose yes
Creating .ssh directory on local host, it would be backed up to /root/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f5:fd:97:37:c6:83:50:a3:31:d0:f6:94:45:33:50:e8 root@localhost.localdomain
The key's random art image is:
+--[ RSA 1024]----+
|...B*|
|.o+o|
|oo+o|
|..=E.|
|So..|
|.o..|
|.*+|
|.=|
||
+-----------------+
Creating .ssh directory and setting permissions on remote host 192.168.1.3
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.
The script would create ~root/.ssh/config file on remote host 192.168.1.3. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host 192.168.1.4.
Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts.
root@192.168.1.4's password:
Done with creating .ssh directory and setting permissions on remote host 192.168.1.4.
Copying local host public key to the remote host 192.168.1.3
The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.3.
root@192.168.1.3's password:
Done copying local host public key to the remote host 192.168.1.3
Copying local host public key to the remote host 192.168.1.4
The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.4.
root@192.168.1.4's password:
Done copying local host public key to the remote host 192.168.1.4
Creating keys on remote host 192.168.1.3 if they do not exist already. This is required to setup SSH on host 192.168.1.3.
Creating keys on remote host 192.168.1.4 if they do not exist already. This is required to setup SSH on host 192.168.1.4.
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
88:b1:d4:49:1e:df:ea:f5:d6:c9:27:a4:a1:8b:6c:c4 root@web
The key's random art image is:
+--[ RSA 1024]----+
|o|
|++.|
|o+..|
|.+..|
|o..S...|
|.E.o*.|
|...+=.|
|...oo|
|.o.|
+-----------------+
Updating authorized_keys file on remote host 192.168.1.3
Updating known_hosts file on remote host 192.168.1.3
The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Updating authorized_keys file on remote host 192.168.1.4
Updating known_hosts file on remote host 192.168.1.4
The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
SSH setup is complete.
------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Wed Feb 22 15:50:58 CST 2017
------------------------------------------------------------------------
--192.168.1.4:--
Running /usr/bin/ssh -x -l root 192.168.1.4 date to verify SSH connectivity has been setup from local host to 192.168.1.4.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.
Wed Feb 22 15:53:48 CST 2017
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from 192.168.1.3 to 192.168.1.3
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Wed Feb 22 15:50:59 CST 2017
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from 192.168.1.3 to 192.168.1.4
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Wed Feb 22 15:53:49 CST 2017
------------------------------------------------------------------------
-Verification from complete-
SSH verification complete.

1.3.1 Verification

1.3.1.1 SSH from the local host to the remote hosts

[root@localhost sshsetup]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:5C:99:99
          inet addr:192.168.1.99  Bcast:192.168.1.255  Mask:255.255.255.0
[root@localhost sshsetup]# ssh 192.168.1.4 date
Wed Feb 22 15:54:37 CST 2017
[root@localhost sshsetup]# ssh 192.168.1.3 date
Wed Feb 22 15:51:51 CST 2017

1.3.1.2 SSH trust between the remote hosts

--- Host 192.168.1.4

[root@web ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 40:8D:5C:E5:AD:08
          inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.
[root@web ~]# ssh 192.168.1.3 date
2017年 02月 22日 星期三 15:52:32 CST


-- Host 192.168.1.3

[root@dg2 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 40:8D:5C:E4:69:4B
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
[root@dg2 ~]# ssh 192.168.1.4 date
Wed Feb 22 16:01:49 CST 2017
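
The manual "ssh <host> date" checks in sections 1.2.2 and 1.3.1 can be scripted so that a missing trust relationship shows up as a failure instead of a password prompt. This is an added example, not part of the original article or of Oracle's script; the function names probe and trust_matrix and the SSH_BIN override are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from Oracle's sshUserSetup.sh): report, for every directed
# host pair, whether key-based login works without any prompt.
# SSH_BIN is an assumption of this example: it lets the ssh client be swapped.
SSH_BIN="${SSH_BIN:-ssh}"
# BatchMode=yes makes ssh fail instead of asking for a password or passphrase.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5"

# probe SRC DST USER -> exit status 0 if USER can run "date" on DST from SRC.
# SRC "local" is this machine; any other SRC is reached from here first.
probe() {
    p_src=$1; p_dst=$2; p_user=$3
    if [ "$p_src" = "local" ]; then
        $SSH_BIN $SSH_OPTS -l "$p_user" "$p_dst" date </dev/null >/dev/null 2>&1
    else
        $SSH_BIN $SSH_OPTS -l "$p_user" "$p_src" \
            "ssh $SSH_OPTS -l $p_user $p_dst date" </dev/null >/dev/null 2>&1
    fi
}

# trust_matrix USER HOST... -> prints "src->dst ok" or "src->dst denied".
trust_matrix() {
    tm_user=$1; shift
    for tm_src in local "$@"; do
        for tm_dst in "$@"; do
            [ "$tm_src" = "$tm_dst" ] && continue
            if probe "$tm_src" "$tm_dst" "$tm_user"; then
                echo "$tm_src->$tm_dst ok"
            else
                echo "$tm_src->$tm_dst denied"
            fi
        done
    done
}

# Usage on the article's hosts: trust_matrix root 192.168.1.3 192.168.1.4
```

Any failure is reported as denied, including an unreachable first hop or an unknown host key, because BatchMode turns every prompt into an error.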

Reposted from: http://www.cndba.cn/Expect-le/article/1766
