In operations work you frequently need to set up SSH trust (passwordless login) between hosts. How the trust mechanism itself works is not covered here. If only a few nodes are involved (two or fewer), configuring it by hand is perfectly fine; with many nodes, the configuration needs to be automated.
The script used here to set up SSH trust between machines is sshUserSetup.sh. It ships in the Oracle Grid Infrastructure installation package and also in the Database installation package.
Configuring SSH
Usage:
sshUserSetup.sh -user <user name> [ -hosts \"<space separated hostlist>\" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]
For example:
sshUserSetup.sh -hosts "host1 host2" -user holmes -advanced
-hosts: the servers to configure trust for (IP addresses or host names, space-separated, in one quoted argument)
-user: the user name used to log in to the remote servers
-advanced: every pair of hosts in the host list trusts each other (a full mesh). Without -advanced, only the local host is trusted by the listed hosts. For example, if the local machine is HOST-A
and you run ./sshUserSetup.sh -user aime -hosts "A B C" on it, the trust relations created are HOST-A->A, HOST-A->B and HOST-A->C only; A, B and C do not trust one another.
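The difference between the two modes is easiest to see as the set of (source, destination) pairs that must work afterwards. The script below is an added example, not part of sshUserSetup.sh or of the original post: it enumerates the pairs for either mode (the mesh includes each host reaching itself, which is what the script's own -advanced verification checks) and tests every pair with ssh in BatchMode, so a half-configured pair fails immediately instead of hanging on a password prompt. Host names, the "mesh"/"star" mode words and the function names are this example's own choices. The setup run above accepted each remote host key on first use (the "Permanently added" lines); the check here runs with StrictHostKeyChecking=yes so that a key that has changed since setup is reported rather than silently accepted.

```shell
#!/bin/sh
# Added example (not from sshUserSetup.sh): verify the SSH trust relations
# that a sshUserSetup.sh run is expected to have created.
#   mesh  -> every host reaches every host (what -advanced sets up)
#   star  -> only the local host reaches each listed host (no -advanced)

# Print one "src dst" line per relation to verify.
# $1: mesh|star   $2: name of the local host   $3..: host list
pairs_to_verify() {
    mode=$1; local_host=$2; shift 2
    if [ "$mode" = "mesh" ]; then
        for src in "$@"; do
            for dst in "$@"; do printf '%s %s\n' "$src" "$dst"; done
        done
    else
        for dst in "$@"; do printf '%s %s\n' "$local_host" "$dst"; done
    fi
}

# Test one relation: run "date" on $2 as seen from $1. When $1 is not the
# local host ($3) the check hops through $1 first. BatchMode=yes turns any
# password prompt into a hard failure; StrictHostKeyChecking=yes refuses
# unknown or changed host keys instead of adding them.
check_pair() {
    src=$1; dst=$2; local_host=$3
    opts="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"
    if [ "$src" = "$local_host" ]; then
        out=$(ssh $opts "$dst" date 2>&1)
    else
        out=$(ssh $opts "$src" ssh $opts "$dst" date 2>&1)
    fi
    status=$?
    # Anything besides a single date line means sshd printed a banner or
    # an error; the script's own verification treats that as a failure too.
    [ "$status" -eq 0 ] && [ "$(printf '%s\n' "$out" | wc -l)" -eq 1 ]
}

# Verify every relation; exit status 0 only when all of them pass.
# $1: mesh|star   $2: local host   $3..: host list
verify_all() {
    mode=$1; local_host=$2; shift 2
    failures=0
    for pair in $(pairs_to_verify "$mode" "$local_host" "$@" | tr ' ' ,); do
        src=${pair%,*}; dst=${pair#*,}
        if check_pair "$src" "$dst" "$local_host"; then
            printf 'OK   %s -> %s\n' "$src" "$dst"
        else
            printf 'FAIL %s -> %s\n' "$src" "$dst"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Usage: ./verify_ssh_trust.sh mesh vmmaster vmmaster vmslave1 vmslave2
# (runs only when arguments are given, so the functions can be sourced)
if [ $# -ge 3 ]; then
    verify_all "$@"
fi
```

Run it as the user whose trust was configured (holmes in this post), not as root: the root run of sshUserSetup.sh above still placed the keys in holmes's home directories, and that is the account the relations belong to.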
Worked example
There are three servers, and the holmes user must be able to log in between every pair of them without a password. The IP addresses and host names of the three machines are:
192.168.161.180 vmmaster
192.168.161.181 vmslave1
192.168.161.182 vmslave2
Run the command:
[root@vmmaster ~]# ./sshUserSetup.sh -user holmes -hosts "vmmaster vmslave1 vmslave2" -advanced -noPromptPassphrase
The output of this script is also logged into /tmp/sshUserSetup_2020-08-15-14-39-05.log
Hosts are vmmaster vmslave1 vmslave2
user is holmes
Platform:- Linux
Checking if the remote hosts are reachable
PING vmmaster (192.168.161.180) 56(84) bytes of data.
64 bytes from vmmaster (192.168.161.180): icmp_seq=1 ttl=64 time=0.012 ms
64 bytes from vmmaster (192.168.161.180): icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from vmmaster (192.168.161.180): icmp_seq=3 ttl=64 time=0.057 ms
64 bytes from vmmaster (192.168.161.180): icmp_seq=4 ttl=64 time=0.057 ms
64 bytes from vmmaster (192.168.161.180): icmp_seq=5 ttl=64 time=0.055 ms
--- vmmaster ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.012/0.040/0.057/0.020 ms
PING vmslave1 (192.168.161.181) 56(84) bytes of data.
64 bytes from vmslave1 (192.168.161.181): icmp_seq=1 ttl=64 time=0.595 ms
64 bytes from vmslave1 (192.168.161.181): icmp_seq=2 ttl=64 time=0.306 ms
64 bytes from vmslave1 (192.168.161.181): icmp_seq=3 ttl=64 time=0.835 ms
64 bytes from vmslave1 (192.168.161.181): icmp_seq=4 ttl=64 time=0.847 ms
64 bytes from vmslave1 (192.168.161.181): icmp_seq=5 ttl=64 time=0.778 ms
--- vmslave1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.306/0.672/0.847/0.204 ms
PING vmslave2 (192.168.161.182) 56(84) bytes of data.
64 bytes from vmslave2 (192.168.161.182): icmp_seq=1 ttl=64 time=0.460 ms
64 bytes from vmslave2 (192.168.161.182): icmp_seq=2 ttl=64 time=0.892 ms
64 bytes from vmslave2 (192.168.161.182): icmp_seq=3 ttl=64 time=0.818 ms
64 bytes from vmslave2 (192.168.161.182): icmp_seq=4 ttl=64 time=0.795 ms
64 bytes from vmslave2 (192.168.161.182): icmp_seq=5 ttl=64 time=0.850 ms
--- vmslave2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.460/0.763/0.892/0.154 ms
Remote host reachability check succeeded.
The following hosts are reachable: vmmaster vmslave1 vmslave2.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost vmmaster
numhosts 3
The script will setup SSH connectivity from the host vmmaster to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host vmmaster
and the remote hosts without being prompted for passwords or confirmations.
NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.
NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE
directories.
Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes
The user chose yes
User chose to skip passphrase related questions.
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.
Creating .ssh directory and setting permissions on remote host vmmaster
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR holmes. THIS IS AN SSH REQUIREMENT.
The script would create ~holmes/.ssh/config file on remote host vmmaster. If a config file exists already at ~holmes/.ssh/config, it would be backed up to ~holmes/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host vmmaster.
Warning: Permanently added 'vmmaster,192.168.161.180' (ECDSA) to the list of known hosts.
holmes@vmmaster's password:
Done with creating .ssh directory and setting permissions on remote host vmmaster.
Creating .ssh directory and setting permissions on remote host vmslave1
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR holmes. THIS IS AN SSH REQUIREMENT.
The script would create ~holmes/.ssh/config file on remote host vmslave1. If a config file exists already at ~holmes/.ssh/config, it would be backed up to ~holmes/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host vmslave1.
Warning: Permanently added 'vmslave1,192.168.161.181' (ECDSA) to the list of known hosts.
holmes@vmslave1's password:
Done with creating .ssh directory and setting permissions on remote host vmslave1.
Creating .ssh directory and setting permissions on remote host vmslave2
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR holmes. THIS IS AN SSH REQUIREMENT.
The script would create ~holmes/.ssh/config file on remote host vmslave2. If a config file exists already at ~holmes/.ssh/config, it would be backed up to ~holmes/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host vmslave2.
Warning: Permanently added 'vmslave2,192.168.161.182' (ECDSA) to the list of known hosts.
holmes@vmslave2's password:
Done with creating .ssh directory and setting permissions on remote host vmslave2.
Copying local host public key to the remote host vmmaster
The user may be prompted for a password or passphrase here since the script would be using SCP for host vmmaster.
holmes@vmmaster's password:
Done copying local host public key to the remote host vmmaster
Copying local host public key to the remote host vmslave1
The user may be prompted for a password or passphrase here since the script would be using SCP for host vmslave1.
holmes@vmslave1's password:
Done copying local host public key to the remote host vmslave1
Copying local host public key to the remote host vmslave2
The user may be prompted for a password or passphrase here since the script would be using SCP for host vmslave2.
holmes@vmslave2's password:
Done copying local host public key to the remote host vmslave2
Creating keys on remote host vmmaster if they do not exist already. This is required to setup SSH on host vmmaster.
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:y9n9bhQGa2C1Af/YWzgHKSFgaYscQOd0iUll8lPOn6k holmes@vmmaster
The key's randomart image is:
+---[RSA 1024]----+
| .oo=+*++o+ |
| ++*++oo.+ . |
| ..+ooo.+oo |
| o .. .oBoo |
| S .=.=.o|
| . + o .= |
| + E ... |
| .. |
| oo |
+----[SHA256]-----+
Creating keys on remote host vmslave1 if they do not exist already. This is required to setup SSH on host vmslave1.
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:03TGU5ZZj8MuJEtze/AFyNID3ywnrwn8k0FY/W6tExg holmes@vmslave1
The key's randomart image is:
+---[RSA 1024]----+
| .+.o++.|
| .==*+o.|
| *.&.B.o|
| = XE@ o.|
| S = +o=..|
| . o.B. +|
| * + |
| .o |
| . |
+----[SHA256]-----+
Creating keys on remote host vmslave2 if they do not exist already. This is required to setup SSH on host vmslave2.
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:khP6Y7VrvNiH64AlnVLXuViUqvUpCL723AomfMct950 holmes@vmslave2
The key's randomart image is:
+---[RSA 1024]----+
| .. |
| o.. |
| o ..+ |
| .+ =oo . |
| .+.B+S... |
| . .Bo=..o |
| o =.O.+o |
| +o= O+o.. . |
| . .=+B+. E |
+----[SHA256]-----+
Updating authorized_keys file on remote host vmmaster
Updating known_hosts file on remote host vmmaster
Updating authorized_keys file on remote host vmslave1
Updating known_hosts file on remote host vmslave1
Updating authorized_keys file on remote host vmslave2
Updating known_hosts file on remote host vmslave2
SSH setup is complete.
------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user holmes.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~holmes or ~holmes/.ssh on the remote host may not be owned by holmes.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked,
it may be a security alert shown as part of company policy. Append the
additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.
------------------------------------------------------------------------
--vmmaster:--
Running /usr/bin/ssh -x -l holmes vmmaster date to verify SSH connectivity has been setup from local host to vmmaster.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Sat Aug 15 14:39:43 CST 2020
------------------------------------------------------------------------
--vmslave1:--
Running /usr/bin/ssh -x -l holmes vmslave1 date to verify SSH connectivity has been setup from local host to vmslave1.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Sat Aug 15 14:39:44 CST 2020
------------------------------------------------------------------------
--vmslave2:--
Running /usr/bin/ssh -x -l holmes vmslave2 date to verify SSH connectivity has been setup from local host to vmslave2.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Sun Aug 16 14:39:42 CST 2020
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from vmmaster to vmmaster
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Bad owner or permissions on /home/holmes/.ssh/config
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from vmmaster to vmslave1
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Bad owner or permissions on /home/holmes/.ssh/config
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from vmmaster to vmslave2
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Bad owner or permissions on /home/holmes/.ssh/config
------------------------------------------------------------------------
-Verification from complete-
SSH verification complete.
[root@vmmaster ~]#
Verification
On node vmmaster
[holmes@vmmaster .ssh]$ ssh vmslave1 date
Sat Aug 15 14:48:59 CST 2020
[holmes@vmmaster .ssh]$ ssh vmslave2 date
Sun Aug 16 14:49:02 CST 2020
[holmes@vmmaster .ssh]$
On node vmslave1
[holmes@vmslave1 .ssh]$ ssh vmmaster date
Sat Aug 15 14:48:19 CST 2020
[holmes@vmslave1 .ssh]$ ssh vmslave2 date
Sun Aug 16 14:48:26 CST 2020
[holmes@vmslave1 .ssh]$
On node vmslave2
[holmes@vmslave2 .ssh]$ ssh vmmaster date
Sat Aug 15 14:49:36 CST 2020
[holmes@vmslave2 .ssh]$ ssh vmslave1 date
Sat Aug 15 14:49:44 CST 2020
[holmes@vmslave2 .ssh]$
All three machines verified successfully.
Troubleshooting verification failures
If the error "Bad owner or permissions on ..." appears during verification, for example:
[holmes@vmmaster ~]$ ssh vmslave1
Bad owner or permissions on /home/holmes/.ssh/config
run the following command to fix it (the trust does not need to be reconfigured):
[holmes@vmmaster .ssh]$ chmod -R 600 config
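The error comes from ssh's own check on ~/.ssh/config: the file must be owned by the user (or root) and must not be writable by group or others, and the same rule applies to the .ssh directory, authorized_keys and known_hosts, while private keys must not be readable by anyone but the owner. The same error appeared in the script's own -advanced verification phase above. The script below is an added example, not part of sshUserSetup.sh or of the original post: it audits a .ssh directory against those rules and can apply the conventional modes so the check passes. It assumes GNU stat (the -c format) as found on Linux; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from sshUserSetup.sh): audit and repair the ownership
# and permission bits that ssh enforces on a .ssh directory.

# Report a path whose owner is not $2 or whose mode has any bit of the
# octal mask $3 set. Returns 0 when the path is acceptable.
check_path() {
    path=$1; want_owner=$2; mask=$3; ok=0
    mode=$(stat -c '%a' "$path")        # e.g. 664   (GNU stat; assumption)
    got_owner=$(stat -c '%U' "$path")
    if [ "$got_owner" != "$want_owner" ]; then
        printf 'BAD owner %s: owner=%s want=%s\n' "$path" "$got_owner" "$want_owner"
        ok=1
    fi
    # leading 0 makes the shell treat both values as octal
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        printf 'BAD mode  %s: mode=%s (bits %s must be clear)\n' "$path" "$mode" "$mask"
        ok=1
    fi
    return $ok
}

# Audit the directory $1 for user $2. Exit status 0 only when everything
# ssh checks is acceptable; one line is printed per finding.
audit_ssh_dir() {
    dir=$1; owner=$2; problems=0
    # the directory and the files ssh/sshd read: no group/world write
    check_path "$dir" "$owner" 022 || problems=$((problems + 1))
    for f in config authorized_keys known_hosts; do
        if [ -e "$dir/$f" ]; then
            check_path "$dir/$f" "$owner" 022 || problems=$((problems + 1))
        fi
    done
    # private keys: ssh refuses to use one readable by group or others
    for k in "$dir"/id_*; do
        case $k in *.pub) continue ;; esac
        if [ -f "$k" ]; then
            check_path "$k" "$owner" 077 || problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Apply the conventional modes (the post's chmod 600 on config generalised
# to the whole directory). Ownership is left alone: fixing that needs chown
# as root and the correct user must be decided by the administrator.
fix_ssh_dir() {
    dir=$1
    chmod 700 "$dir"
    for f in config authorized_keys; do
        [ -e "$dir/$f" ] && chmod 600 "$dir/$f"
    done
    [ -e "$dir/known_hosts" ] && chmod 644 "$dir/known_hosts"
    for k in "$dir"/id_*; do
        case $k in
            *.pub) [ -f "$k" ] && chmod 644 "$k" ;;
            *)     [ -f "$k" ] && chmod 600 "$k" ;;
        esac
    done
    return 0
}

# Usage: sh audit_ssh_dir.sh /home/holmes/.ssh holmes [fix]
# (runs only when arguments are given, so the functions can be sourced)
if [ $# -ge 2 ]; then
    if audit_ssh_dir "$1" "$2"; then
        echo "OK: $1 satisfies ssh ownership and permission checks"
    elif [ "$3" = "fix" ]; then
        fix_ssh_dir "$1" && audit_ssh_dir "$1" "$2"
    fi
fi
```

Running the audit before the verification step catches the problem shown above without waiting for ssh to fail, and the audit output names the exact path and bits that tripped the check.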