SSH authentication setup (user equivalence)

When building an Oracle RAC configuration, user equivalence for the oracle user is required between all nodes.
The example below shows a sample configuration of user equivalence.

Generate the public/private key pairs on node 1

/usr/bin/ssh-keygen -t rsa
/usr/bin/ssh-keygen -t dsa

Generate the public/private key pairs on node 2

/usr/bin/ssh-keygen -t rsa
/usr/bin/ssh-keygen -t dsa

Concatenate the contents of each node's public key files (run on node 1)

[oracle@rac-node01 oracle]$ cat /home/oracle/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[oracle@rac-node01 oracle]$ cat /home/oracle/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
[oracle@rac-node01 oracle]$ ssh rac-node02 cat /home/oracle/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[oracle@rac-node01 oracle]$ ssh rac-node02 cat /home/oracle/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
[oracle@rac-node01 oracle]$ scp /home/oracle/.ssh/authorized_keys rac-node02:/home/oracle/.ssh/

Test the configuration on each node

[oracle@rac-node01 oracle]$ ssh rac-node01 date
[oracle@rac-node01 oracle]$ ssh rac-node01-priv date
[oracle@rac-node01 oracle]$ ssh rac-node02 date
[oracle@rac-node01 oracle]$ ssh rac-node02-priv date

[oracle@rac-node02 oracle]$ ssh rac-node02 date
[oracle@rac-node02 oracle]$ ssh rac-node02-priv date
[oracle@rac-node02 oracle]$ ssh rac-node01 date
[oracle@rac-node02 oracle]$ ssh rac-node01-priv date
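As an added example (not part of the original page), the following POSIX shell script checks ~/.ssh/authorized_keys before it is relied on for user equivalence (it rejects a file that is group/world-writable, contains private key material such as an id_dsa appended instead of id_dsa.pub, or has malformed entries) and then probes each node name in batch mode so a host that still prompts for a password is reported instead of hanging. The function names and checks are this example's own; the host names are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: validate authorized_keys before
# trusting it for RAC user equivalence, then probe every node name.

# check_authorized_keys FILE
# Returns 0 when FILE exists, is not group/world-writable (sshd StrictModes
# rejects such a file) and every key line is a public key entry. It fails if
# private key material was appended by mistake (cat id_dsa instead of
# id_dsa.pub). Entries with a leading options field are not expected here.
check_authorized_keys() {
    file="$1"
    rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    case "$(ls -ld "$file" | cut -c6,9)" in
        *w*) echo "group/world-writable: $file"; rc=1 ;;
    esac
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "private key material found in $file"
        rc=1
    fi
    # Count non-comment, non-blank lines that are not "<type> <base64> [comment]".
    bad=$(grep -v -e '^#' -e '^[[:space:]]*$' "$file" \
        | grep -c -v -E '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || true)
    if [ "$bad" -gt 0 ]; then
        echo "$bad malformed line(s) in $file"
        rc=1
    fi
    return "$rc"
}

# probe_equivalence HOST...
# BatchMode makes ssh fail instead of prompting for a password, so a node
# that still asks for one shows up as FAIL rather than hanging the check.
probe_equivalence() {
    fails=0
    for h in "$@"; do
        if out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$h" date 2>&1); then
            echo "ok   $h: $out"
        else
            echo "FAIL $h: $out"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage on each node: sh check_equiv.sh rac-node01 rac-node01-priv rac-node02 rac-node02-priv
if [ "$#" -gt 0 ]; then
    check_authorized_keys "$HOME/.ssh/authorized_keys" && probe_equivalence "$@"
fi
```

Run it once on every node with all four names; a FAIL line for a -priv name while the public name passes usually means the private interface's host key has not been accepted yet.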

Actual verification run
[oracle@rac-node01 oracle]$ /usr/bin/ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Created directory '/home/oracle/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
15:6b:b9:74:d0:1e:a6:8f:62:03:3a:7c:6a:6a:d2:35 oracle@rac-node01
[oracle@rac-node01 oracle]$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
30:25:3c:5c:35:04:dd:bc:0c:95:fc:cc:a6:df:7c:88 oracle@rac-node01
[oracle@rac-node01 oracle]$

[oracle@rac-node02 oracle]$ /usr/bin/ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Created directory '/home/oracle/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
e3:ba:0a:60:de:53:cb:b2:b4:b7:7a:9e:55:d9:39:01 oracle@rac-node02
[oracle@rac-node02 oracle]$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
41:12:98:d2:cd:54:a6:9d:af:f1:c3:0f:93:54:d8:b9 oracle@rac-node02
[oracle@rac-node02 oracle]$

[oracle@rac-node01 oracle]$ cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys
[oracle@rac-node01 oracle]$ cat /home/oracle/.ssh/id_dsa.pub >> authorized_keys
[oracle@rac-node01 oracle]$ ssh rac-node02 cat /home/oracle/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'rac-node02 (192.168.11.202)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node02,192.168.11.202' (RSA) to the list of known hosts.
oracle@rac-node02's password:
[oracle@rac-node01 oracle]$ ssh rac-node02 cat /home/oracle/.ssh/id_dsa >> ~/.ssh/authorized_keys
oracle@rac-node02's password:
[oracle@rac-node01 oracle]$
[oracle@rac-node01 oracle]$ scp /home/oracle/.ssh/authorized_keys rac-node02:/home/oracle/.ssh/
oracle@rac-node02's password:
authorized_keys                                                               100% 1729    11.6MB/s   00:00
[oracle@rac-node01 oracle]$
[oracle@rac-node01 oracle]$ ssh rac-node01 date
The authenticity of host 'rac-node01 (192.168.11.201)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node01,192.168.11.201' (RSA) to the list of known hosts.
Sun Feb 22 00:01:38 JST 2009
[oracle@rac-node01 oracle]$ ssh rac-node01 date
Sun Feb 22 00:01:45 JST 2009
[oracle@rac-node01 oracle]$ ssh rac-node01-priv date
The authenticity of host 'rac-node01-priv (172.168.11.201)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node01-priv,172.168.11.201' (RSA) to the list of known hosts.
Sun Feb 22 00:02:13 JST 2009
[oracle@rac-node01 oracle]$ ssh rac-node01-priv date
Sun Feb 22 00:02:15 JST 2009
[oracle@rac-node01 oracle]$ ssh rac-node01-vip date
ssh: connect to host rac-node01-vip port 22: No route to host
[oracle@rac-node01 oracle]$ ssh rac-node02 date
Sun Feb 22 00:02:49 JST 2009
[oracle@rac-node01 oracle]$ ssh rac-node02-priv date
The authenticity of host 'rac-node02-priv (172.168.11.202)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node02-priv,172.168.11.202' (RSA) to the list of known hosts.
Sun Feb 22 00:03:00 JST 2009
[oracle@rac-node01 oracle]$ ssh rac-node02-priv date
Sun Feb 22 00:03:02 JST 2009
[oracle@rac-node01 oracle]$

[oracle@rac-node02 oracle]$ ssh rac-node02 date
The authenticity of host 'rac-node02 (192.168.11.202)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node02,192.168.11.202' (RSA) to the list of known hosts.
Sun Feb 22 00:05:36 JST 2009
[oracle@rac-node02 oracle]$ ssh rac-node02 date
Sun Feb 22 00:05:40 JST 2009
[oracle@rac-node02 oracle]$ ssh rac-node02-priv date
The authenticity of host 'rac-node02-priv (172.168.11.202)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node02-priv,172.168.11.202' (RSA) to the list of known hosts.
Sun Feb 22 00:05:47 JST 2009
[oracle@rac-node02 oracle]$ ssh rac-node02-priv date
Sun Feb 22 00:05:48 JST 2009
[oracle@rac-node02 oracle]$ ssh rac-node01-priv date
The authenticity of host 'rac-node01-priv (172.168.11.201)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node01-priv,172.168.11.201' (RSA) to the list of known hosts.
Sun Feb 22 00:05:55 JST 2009
[oracle@rac-node02 oracle]$ ssh rac-node01 date
The authenticity of host 'rac-node01 (192.168.11.201)' can't be established.
RSA key fingerprint is 6d:64:85:47:c3:6f:b3:c8:a6:87:58:28:d4:a1:df:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac-node01,192.168.11.201' (RSA) to the list of known hosts.
Sun Feb 22 00:06:01 JST 2009
[oracle@rac-node02 oracle]$ ssh rac-node01 date
Sun Feb 22 00:06:07 JST 2009
[oracle@rac-node02 oracle]$
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License