Monday, November 24, 2008

How to Setup SSH

On Primary Node: (Machine 1) Example: primary.oracle.com

    • Log in as oracle
    • Generate the ssh key by issuing the following command:

ssh-keygen -t rsa (then press enter 3 times)

$ ssh-keygen -t rsa

Generating public/private rsa key pair.

    • Press the Enter key three times.

Enter file in which to save the key (/home/oracle/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/oracle/.ssh/id_rsa.

Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

5a:58:7e:65:ae:71:1a:82:2c:95:98:5b:48:b3:52:ac oracle@primary.oracle.com

    • Change into the .ssh directory under the home directory and note that a file called id_rsa.pub has been created.

$ ls -lrt $HOME/.ssh/

total 24

-rw-r--r-- 1 oracle dba 948 Mar 3 10:57 known_hosts

-rw-r--r-- 1 oracle dba 240 Mar 4 10:15 id_rsa.pub

-rw------- 1 oracle dba 887 Mar 4 10:15 id_rsa

    • Update the authorized_keys file to enable ssh ‘loopback’ (logging in to the same machine)

$ cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

    • Use SCP to copy id_rsa.pub to the /tmp directory of the Remote Nodes.

$ scp $HOME/.ssh/id_rsa.pub oracle@stdby.oracle.com:/tmp

oracle@stdby.oracle.com's password:

id_rsa.pub 100% 240 0.2KB/s 00:00

On the Remote Node(s): Example: stdby.oracle.com

    • Login as the oracle user
    • Remove or silence customized .login, .profile or similar files that print extra output to the screen at login.
    • Create a directory called .ssh in the home directory

$ mkdir $HOME/.ssh

mkdir: cannot create directory `/home/oracle/.ssh': File exists

    • Copy the content of /tmp/id_rsa.pub (copied from the Primary Node) into a new file named authorized_keys. (If you already have a file called authorized_keys in this directory, open it in vi, go to the bottom of the file, add one blank line and then copy and paste the contents of the file /tmp/id_rsa.pub into the existing file and save it.)

$ cat /tmp/id_rsa.pub >> $HOME/.ssh/authorized_keys

    • Verify that the .ssh directory permission is set to 700

$ chmod 700 $HOME/.ssh

    • Verify that the authorized_keys file permission is set to 600

$ chmod 600 $HOME/.ssh/authorized_keys

    • Verify that the $HOME directory does not have write permissions for group and others.

$ chmod go-w $HOME

    • Ensure that the ssh daemon is running

$ ps -ef |grep -i ssh

root 2418 22004 0 10:25 ? 00:00:00 sshd: oracle [priv]

oracle 2420 2418 0 10:25 ? 00:00:00 sshd: oracle@pts/1

oracle 2690 2421 0 10:37 pts/1 00:00:00 grep -i ssh

root 22004 1 0 Feb29 ? 00:00:00 /usr/sbin/sshd

Test the installation:

    • Log in to the Primary Node as the oracle user.
    • Execute the following command, replacing [user] with the username on the Remote Node, and [SERVER] with the host name of the Remote Node:

ssh -l [user] [SERVER]

$ uname -n

primary.oracle.com

$ ssh -l oracle primary (connect to same machine)

Last login: Tue Mar 4 10:41:52 2008 from primary.oracle.com

$ uname -n

primary.oracle.com

    • When prompted to confirm the identity, respond "Yes".
    • Disconnect from the server.

$ exit

Connection to stdby closed

$ ssh -l oracle stdby (connect to machine 2)

Last login: Tue Mar 4 10:41:52 2008 from primary.oracle.com

$ uname -n

stdby.oracle.com

    • When prompted to confirm the identity, respond "Yes".
    • Disconnect from the server.

$ exit

Connection to stdby closed

    • Execute the following commands:

$ uname -n

primary.oracle.com

$ ssh oracle@stdby uname -n

stdby.oracle.com

The remote hostname should appear, followed by the prompt, and you should not be asked to enter an ID or password. If you are prompted for a password, verify the following:

      • The authorized_keys file contains the content of the client's id_rsa.pub.
      • The permissions of the authorized_keys file are set to 600.
      • The permissions of the .ssh directory are set to 700.
      • The permissions of the $HOME directory do not include write for group and other.

Now repeat the steps in the opposite direction, so that the Remote Node can also log in to the Primary Node without a password:

On Remote Node: (machine 2)

    • Log in as oracle
    • Generate the ssh key by issuing the following command:

ssh-keygen -t rsa (then press enter 3 times)

$ ssh-keygen -t rsa

Generating public/private rsa key pair.

    • Press the Enter key three times.

Enter file in which to save the key (/home/oracle/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/oracle/.ssh/id_rsa.

Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

6c:7d:4c:5c:21:9d:d6:8e:1f:6d:9c:52:2f:88:1c:3d oracle@stdby.oracle.com

    • Change into the .ssh directory under the home directory and note that a file called id_rsa.pub has been created.

$ ls -lrt $HOME/.ssh/

-rw-r--r-- 1 oracle dba 703 Feb 18 09:54 known_hosts

-rw-r--r-- 1 oracle dba 240 Mar 4 10:32 authorized_keys

-rw-r--r-- 1 oracle dba 240 Mar 4 10:49 id_rsa.pub

-rw------- 1 oracle dba 887 Mar 4 10:49 id_rsa

    • Update the authorized_keys file to enable ssh ‘loopback’ (logging in to the same machine)

$ cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

    • Use SCP to copy id_rsa.pub to the /tmp directory of the Primary Node.

$ scp $HOME/.ssh/id_rsa.pub oracle@primary.oracle.com:/tmp

oracle@primary.oracle.com's password:

id_rsa.pub 100% 240 0.2KB/s 00:00

On the Primary Node: (Machine 1)

    • Login as the oracle user
    • Append the content of /tmp/id_rsa.pub (copied from the Remote Node) to the file named authorized_keys

$ cat /tmp/id_rsa.pub >> $HOME/.ssh/authorized_keys

    • Verify that the .ssh directory permission is set to 700

$ chmod 700 $HOME/.ssh

    • Verify that the authorized_keys file permission is set to 600

$ chmod 600 $HOME/.ssh/authorized_keys

    • Verify that the $HOME directory does not have write permissions for group and others.

$ chmod go-w $HOME

    • Ensure that the ssh daemon is running

$ ps -ef |grep -i ssh

root 2418 22004 0 10:25 ? 00:00:00 sshd: oracle [priv]

oracle 2420 2418 0 10:25 ? 00:00:00 sshd: oracle@pts/1

oracle 2690 2421 0 10:37 pts/1 00:00:00 grep -i ssh

root 22004 1 0 Feb29 ? 00:00:00 /usr/sbin/sshd

Test the installation:

    • Log in to the Remote Node (Machine 2) as the oracle user.
    • Execute the following command, replacing [user] with the username on the node you are connecting to, and [SERVER] with that node's host name:

ssh -l [user] [SERVER]

$ uname -n

stdby.oracle.com

$ ssh -l oracle stdby (connect to same machine)

Last login: Tue Mar 4 10:41:52 2008 from stdby.oracle.com

$ uname -n

stdby.oracle.com

$ exit

Connection to stdby closed

$ ssh -l oracle primary (connect to machine 1)

Last login: Tue Mar 4 10:41:52 2008 from stdby.oracle.com

$ uname -n

primary.oracle.com

    • When prompted to confirm the identity, respond "Yes".
    • Disconnect from the server.

$ exit

Connection to primary closed

    • Execute the following commands:

$ uname -n

stdby.oracle.com

$ ssh oracle@primary uname -n

primary.oracle.com

The remote hostname should appear, followed by the prompt, and you should not be asked to enter an ID or password. If you are prompted for a password, verify the following:

      • The authorized_keys file contains the content of the client's id_rsa.pub.
      • The permissions of the authorized_keys file are set to 600.
      • The permissions of the .ssh directory are set to 700.
      • The permissions of the $HOME directory do not include write for group and other.
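The troubleshooting checklist above (the same one given after the first test) as a script, added here as an example and not part of the original post. It runs on the node that should accept the login, assumes GNU coreutils `stat`, and includes a constructed sandbox so it can be tried without touching a real home directory.

```shell
#!/bin/sh
# Added example (not from the original post): the "if you are prompted for a
# password" checklist, run on the node that should accept the login.
# Usage: check_ssh_trust <home_dir> <client_id_rsa.pub>  (exit 0 = all checks pass)
# Assumes GNU coreutils stat (-c '%a'), as on the Linux hosts in the post.

check_ssh_trust() {
    home=$1; pubkey=$2; rc=0
    sshdir=$home/.ssh; authkeys=$sshdir/authorized_keys
    # 1. $HOME must not be group/other writable (sshd's StrictModes refuses it)
    case $(stat -c '%a' "$home") in
        *[2367]?|*[2367]) echo "FAIL: $home is group/other writable; fix: chmod go-w $home"; rc=1 ;;
    esac
    # 2. .ssh must be mode 700
    [ "$(stat -c '%a' "$sshdir" 2>/dev/null)" = 700 ] ||
        { echo "FAIL: $sshdir is not mode 700; fix: chmod 700 $sshdir"; rc=1; }
    # 3. authorized_keys must be mode 600
    [ "$(stat -c '%a' "$authkeys" 2>/dev/null)" = 600 ] ||
        { echo "FAIL: $authkeys is not mode 600; fix: chmod 600 $authkeys"; rc=1; }
    # 4. authorized_keys must hold the client's key; compare the base64 blob
    #    (field 2) so a different trailing comment is not a false negative
    blob=$(awk 'NR==1 {print $2}' "$pubkey" 2>/dev/null)
    if [ -z "$blob" ] || ! grep -qF -- "$blob" "$authkeys" 2>/dev/null; then
        echo "FAIL: $authkeys lacks the key in $pubkey; fix: cat $pubkey >> $authkeys"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $home passes all checks"
    return "$rc"
}

# Constructed sandbox for trying the checker offline: a fake home and a fake
# public key under a temp dir. "good" mirrors the post's final state; "bad"
# leaves .ssh and authorized_keys at default modes with the key missing.
make_sandbox() {                  # $1 = good|bad ; prints the sandbox home path
    sb=$(mktemp -d); sbhome=$sb/home; mkdir -p "$sbhome/.ssh"; chmod 700 "$sbhome"
    printf 'ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_KEY oracle@primary.oracle.com\n' > "$sb/id_rsa.pub"
    if [ "$1" = good ]; then
        cat "$sb/id_rsa.pub" >> "$sbhome/.ssh/authorized_keys"
        chmod 700 "$sbhome/.ssh"; chmod 600 "$sbhome/.ssh/authorized_keys"
    else
        : > "$sbhome/.ssh/authorized_keys"
        chmod 755 "$sbhome/.ssh"; chmod 644 "$sbhome/.ssh/authorized_keys"
    fi
    echo "$sbhome"
}

for s in good bad; do             # demo run on both constructed sandboxes
    h=$(make_sandbox "$s"); check_ssh_trust "$h" "$h/../id_rsa.pub" || true
done
```

On a real host run it as `check_ssh_trust "$HOME" /tmp/id_rsa.pub` after the scp step; each FAIL line names the chmod or cat command from the procedure that fixes it.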