10gRAC建立两节点互信（SSH）

节点一配置秘钥过程：


[oracle@rac1 ~]$  mkdir ~/.ssh
[oracle@rac1 ~]$ chmod 755 ~/.ssh
[oracle@rac1 ~]$  /usr/bin/ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key(/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in/home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
01:d2:0d:13:8f:b4:7e:99:41:1c:7b:28:9a:53:39:88oracle@rac1

节点二配置秘钥过程：
[oracle@rac2 ~]$ source .bash_profile
[oracle@rac2 ~]$  mkdir ~/.ssh
[oracle@rac2 ~]$ chmod 755 ~/.ssh
[oracle@rac2 ~]$  /usr/bin/ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key(/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in/home/oracle/.ssh/id_rsa.
Your public key has been saved in/home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
9f:b9:10:2d:18:85:4d:f9:18:ca:9d:8e:b1:85:64:05oracle@rac2

配置节点之间互信

从11g的clusterware压缩包中解压出节点互信脚本:
 
传送到两个节点：
scp sshUserSetup.sh 192.168.1.65:/u01/
执行过程：
[oracle@rac1 u01]$  ./sshUserSetup.sh -user oracle -hosts rac2 rac1 -advanced -exverify -confirm
- host 后面跟的为rac节点，顺序为先写对方节点再写自己的节点。
The output of this script is also logged into /tmp/sshUserSetup_2017-01-16-11-34-02.log
Hosts are rac2
user is oracle
Platform:- Linux 
Checking if the remote hosts are reachable
PING rac2 (192.168.1.66) 56(84) bytes of data.
64 bytes from rac2 (192.168.1.66): icmp_seq=1 ttl=64 time=2.87 ms
64 bytes from rac2 (192.168.1.66): icmp_seq=2 ttl=64 time=0.845 ms
64 bytes from rac2 (192.168.1.66): icmp_seq=3 ttl=64 time=1.01 ms
64 bytes from rac2 (192.168.1.66): icmp_seq=4 ttl=64 time=1.06 ms
64 bytes from rac2 (192.168.1.66): icmp_seq=5 ttl=64 time=1.15 ms
（这里显示证明两个节点直接可以通讯）
--- rac2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.845/1.389/2.872/0.748 ms
Remote host reachability check succeeded.
The following hosts are reachable: rac2.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost rac2
numhosts 1
The script will setup SSH connectivity from the host rac1 to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host rac1
and the remote hosts without being prompted for passwords or confirmations.


NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.


NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE
directories.


Do you want to continue and let the script make the above mentioned changes (yes/no)?
Confirmation provided on the command line


The user chose yes
Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. 
The estimated number of times the user would be prompted for a passphrase is 2. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion. 
Enter 'yes' or 'no'.  
这里如果选择“yes”的话，会让你创建密码，这样，在以后每次进行ssh通讯的时候都要执行密码，那配置的意义也就不存在了。
（请指定是否要为此脚本为本地主机创建的私钥指定密码。 密码用于加密私钥，使SSH更安全。 键入“yes”或“no”，然后按Enter键。 如果你按“是”，你将需要在脚本执行ssh或scp时输入密码。
用户将被提示输入密码短语的估计次数是2.此外，如果私人 - 公共文件也是新创建的，用户将必须在一个附加场合指定密码短语。
输入“是”或“否”。）
no


The user chose no
The files containing the client public and private keys already exist on the local host. The current private key may have a passphrase associated with it. In case you find using passphrase inconvenient(although it is more secure), you can change to it empty through this script. Press 'change' if you want the script to change the passphrase for you. Press 'no' if you want to use your old passphrase, if you had one.
如果你修改了密码，就确认选择“yes”，这里应该都可以。
yes
The user chose yes
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /home/oracle/.ssh/config, it would be backed up to /home/oracle/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host
Enter passphrase (empty for no passphrase): 回车
Enter same passphrase again: 回车
Generating public/private rsa key pair.
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
b7:61:9d:9c:ee:07:dc:fb:36:2b:62:65:cf:bf:c9:73 oracle@rac1
Creating .ssh directory and setting permissions on remote host rac2
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT.
The script would create ~oracle/.ssh/config file on remote host rac2. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac2.
Warning: Permanently added 'rac2,192.168.1.66' (RSA) to the list of known hosts.
oracle@rac2's password: （输入rac2的密码）
Done with creating .ssh directory and setting permissions on remote host rac2.
Copying local host public key to the remote host rac2
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac2.
oracle@rac2's password: （再次输入rac2的密码）
Done copying local host public key to the remote host rac2
Creating keys on remote host rac2 if they do not exist already. This is required to setup SSH on host rac2.


Updating authorized_keys file on remote host rac2
Updating known_hosts file on remote host rac2
SSH setup is complete.


------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user oracle.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~oracle or ~oracle/.ssh on the remote host may not be owned by oracle.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked,
it may be a security alert shown as part of company policy. Append the
additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.
------------------------------------------------------------------------
--rac2:--
Running /usr/bin/ssh -x -l oracle rac2 date to verify SSH connectivity has been setup from local host to rac2.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Mon Jan 16 11:36:30 CST 2017
------------------------------------------------------------------------
------------------------------------------------------------------------
Verifying SSH connectivity has been setup from rac2 to rac2
------------------------------------------------------------------------
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.
Mon Jan 16 11:36:30 CST 2017
------------------------------------------------------------------------
-Verification from rac2 complete-
SSH verification complete.
SSH配置成功

原来的方法：

在安装 Oracle RAC 10g 期间，OUI 需要把文件复制到集群中的其他主机上并在其上执行程序。 为了允许 OUI 完成此任务，必须配置 SSH 以启用用户等效性。 用 SSH 建立用户等效性就提供了一种在集群中其他主机上复制文件和执行程序时不需要口令提示的安全方式。

第一步是生成 SSH 的公共密钥和专用密钥。 SSH 协议有两个版本；版本 1 使用 RSA，版本 2 使用 DSA，因此我们将创建这两种类型的密钥，以确保 SSH 能够使用任一版本。 ssh-keygen 程序将根据传递给它的参数生成任一类型的公共密钥和专用密钥。

当您运行 ssh-keygen 时，将提示您输入一个用于保存密钥的位置。 当提示时只需按 Enter 接受默认值。 随后将提示您输入一个口令短语。 输入您能记住的口令，然后再次输入该口令进行确认。 当您完成以下步骤后，在 ~/.ssh 目录中将会有四个文件： id_rsa、id_rsa.pub、id_dsa 和 id_dsa.pub。 id_rsa 和 id_dsa 文件是您的专用密钥，千万不要告诉任何人。 id_rsa.pub 和 id_dsa.pub 文件是您的公共密钥，必须将其复制到集群中其他每个主机上。

在每个主机上，以 oracle用户身份登录：

$ mkdir~/.ssh

$ chmod755 ~/.ssh

$/usr/bin/ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/oracle/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/oracle/.ssh/id_rsa.

Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

4b:df:76:77:72:ba:31:cd:c4:e2:0c:e6:ef:30:fc:37 oracle@ds1.orademo.org

注意：本例中此处一路按回车选择默认

$/usr/bin/ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/oracle/.ssh/id_dsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/oracle/.ssh/id_dsa.

Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.

The key fingerprint is:

af:37:ca:69:3c:a0:08:97:cb:9c:0b:b0:20:70:e3:4a oracle@ds1.orademo.org

注意：本例中此处一路按回车选择默认

 

现在，必须将每个主机上的公共密钥文件 id_rsa.pub 和 id_dsa.pub 的内容复制到其他每个主机的 ~/.ssh/authorized_keys 文件中。 使用 ssh 将每个文件的内容复制到 ~/.ssh/authorized_keys 文件。 请注意，当您使用 ssh 第一次访问远程主机时，其 RSA 密钥将是未知的，从而将提示您确认是否希望连接该主机。 SSH 将记录该远程主机的 RSA 密钥，并在以后连接该主机时不再做出相关提示。

只需在第一个主机上，以 oracle 用户身份登录（复制本地帐户的密钥，以便连接本地主机的 ssh 能够起作用）：

 

（如果您要剪切和粘贴这些命令，则分别运行它们。 SSH 每次会提示输入 oracle 的口令，如果同时粘贴这些命令，则第一个命令在提示输入口令之前刷新输入缓冲区，从而导致其他命令将会丢失。）

$ cat~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

$ cat~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

$ ssh oracle@dbrac2cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

The authenticity ofhost 'dbrac2 (10.49.9.100)' can't beestablished.

RSA key fingerprint isd1:23:a7:df:c5:fc:4e:10:d2:83:60:49:25:e8:eb:11.

Are you sure you wantto continue connecting (yes/no)? yes

Warning: Permanentlyadded 'dbrac2,10.49.9.100' (RSA) to the listof known hosts.

oracle@dbrac2'spassword:

$ ssh oracle@dbrac2cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

oracle@dbrac2'spassword:

$ chmod 644~/.ssh/authorized_keys

要对第二个主机做同样的处理。请注意，这次有的SSH不会提示您输入oracle的口令。这是因为第一个主机(dbrac1)现在知道了第二个主机的公共密钥，而SSH现在使用的是一种不同的认证协议。

 

建立用户等效性

如果一切均设置正确，则您现在就可以使用 ssh 在其他集群主机上不必输入口令而登录、执行程序和复制文件了。 通过在远程集群主机上运行诸如 date 等简单命令来验证用户等效性：

$ssh dbrac2 date

Sun Jun 27 19:07:19CDT 2004

测试每个方向上所有服务器的连通性是非常重要的。这样会确保当 OUI 在 CRS 和数据库软件安装期间试图复制文件时不会出现类似以下的消息。 该消息只有在远程节点上第一次执行操作时才会出现，因此通过测试连通性，您不仅确保了远程操作的正常运行，还完成了初始的安全密钥交换。

The authenticity ofhost 'dbrac2 (10.49.9.100)' can't beestablished.

RSA key fingerprint is8f:a3:19:76:ca:4f:71:85:42:c2:7a:da:eb:53:76:85.

Are you sure you wantto continue connecting (yes/no)? yes

注意: 以上步骤执行完以后，需要执行和本机建立等效性，否则安装CRS时也会出错，在每个节点上分别执行：

$ ssh hostname

(此处hostname分别为dbrac1、dbrac2)