This article describes two methods for configuring user equivalence on Linux.
- Installation
- Firewall
- SELinux
- Manual User Equivalence (Key-Based Authentication) Configuration
- sshUserSetup.sh (Oracle Method)
- Security
Installation

The SSH service should already be installed, but if it is not, install it from a Yum repository using the following command.

# yum install openssh-server

Turn on the SSH service and make sure it starts automatically on reboot.

# service sshd start
# chkconfig sshd on

The SSH service is configured using the "/etc/ssh/sshd_config" file. Configuration changes have to be followed by a restart of the service.

# service sshd restart
#
# or
#
# service sshd reload
Firewall

The server must have TCP port 22 open. This can be achieved by adding the following entry to the type of firewall script described here.

# Open port for SSH server.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
SELinux

If you are using SELinux, you will need to consider the following points.

The SELinux booleans associated with the SSH service are displayed using the getsebool command.

# getsebool -a | grep ssh
allow_ssh_keysign --> off
fenced_can_ssh --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
#

The setsebool command is used to set a specific boolean value.

# setsebool ssh_sysadm_login on
# setsebool ssh_sysadm_login off
Manual User Equivalence (Key-Based Authentication) Configuration

Assuming we have a two node cluster (rac1.localdomain, rac2.localdomain), log in as the "oracle" user and perform the following tasks on each node.

su - oracle
mkdir ~/.ssh
chmod 700 ~/.ssh
/usr/bin/ssh-keygen -t rsa # Accept the default settings.

The RSA public key is written to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file.
Log in as the "oracle" user on rac1.localdomain, generate an "authorized_keys" file and copy it to rac2.localdomain using the following commands.

su - oracle
cd ~/.ssh
cat id_rsa.pub >> authorized_keys
scp authorized_keys rac2.localdomain:/home/oracle/.ssh/

Next, log in as the "oracle" user on rac2.localdomain and perform the following commands.

su - oracle
cd ~/.ssh
cat id_rsa.pub >> authorized_keys
scp authorized_keys rac1.localdomain:/home/oracle/.ssh/

The "authorized_keys" file on both servers now contains the public keys generated on all nodes.
To enable SSH user equivalency on the cluster member nodes issue the following commands on each node.

ssh rac1 date
ssh rac2 date
ssh rac1.localdomain date
ssh rac2.localdomain date
exec /usr/bin/ssh-agent $SHELL
/usr/bin/ssh-add

You should now be able to SSH and SCP between servers without entering passwords.
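The manual steps above only verify the result by running "date" over SSH, while the sshUserSetup.sh output later in this article spells out the rule behind most failures: sshd refuses key-based logins when the home directory, ~/.ssh or authorized_keys is writable by group or others. The POSIX shell script below is an added example, not part of the original article, that audits a home directory against those rules and checks that a node's id_rsa.pub is actually present in authorized_keys; the function names and the sample paths are assumptions, and it relies on the usual Linux "ls -ld" permission format.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the ~/.ssh layout
# built by the steps above against the permission rules sshd enforces
# (StrictModes), which the sshUserSetup.sh output describes as revoking
# group and world write on the home and .ssh directories.
# Assumption: POSIX sh on Linux, "ls -ld" printing the usual "drwx------" form.

# Return 0 when PATH is writable by group or others.
writable_by_group_or_other() {
    mode=$(ls -ld "$1" | cut -c1-10)   # file type + 9 permission characters
    case "$mode" in
        ?????w*|????????w*) return 0 ;; # position 6 = group w, 9 = other w
    esac
    return 1
}

# Return 0 when the private key at PATH grants nothing to group or others.
private_key_is_owner_only() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????------) return 0 ;;
    esac
    return 1
}

# Return 0 when the key material (field 2) of PUBKEY_FILE, e.g. id_rsa.pub,
# appears in AUTH_FILE; the trailing "user@host" comment is ignored on purpose.
key_authorized() {
    blob=$(awk '{print $2}' "$1")
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# Audit HOME_DIR; print each problem and return the number of problems found.
check_ssh_home() {
    home=$1; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_group_or_other "$p"; then
            echo "FAIL: $p is writable by group or others"
            problems=$((problems + 1))
        fi
    done
    key="$home/.ssh/id_rsa"
    if [ -e "$key" ] && ! private_key_is_owner_only "$key"; then
        echo "FAIL: $key is readable by group or others"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $home satisfies the sshd StrictModes rules"
    return "$problems"
}
```

Run it as the "oracle" user on each node with `check_ssh_home "$HOME"` and `key_authorized ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys`; a non-zero return from the first identifies the path sshd will reject before you repeat the key exchange.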
sshUserSetup.sh (Oracle Method)

The Oracle 11gR2 grid and database media include a "sshsetup" directory containing a "sshUserSetup.sh" file. Running this file with no parameters shows the usage information.

$ cd /path/to/grid/media/sshsetup
$ ./sshUserSetup.sh
Please specify a valid and existing cluster configuration file.
Either user name or host information is missing
Usage ./sshUserSetup.sh -user <user name> [ -hosts "<space separated hostlist>" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]
$

If we pass in the basic parameters it will configure user equivalence for us.
$ ./sshUserSetup.sh -user oracle -hosts "rac1 rac2" -noPromptPassphrase
The output of this script is also logged into /tmp/sshUserSetup_2011-10-01-20-01-06.log
Hosts are rac1 rac2
user is oracle
Platform:- Linux
Checking if the remote hosts are reachable
PING rac1.localdomain (192.168.0.101) 56(84) bytes of data.
64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=3 ttl=64 time=0.017 ms
64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=4 ttl=64 time=0.019 ms
64 bytes from rac1.localdomain (192.168.0.101): icmp_seq=5 ttl=64 time=0.018 ms
--- rac1.localdomain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.017/0.017/0.019/0.004 ms
PING rac2.localdomain (192.168.0.102) 56(84) bytes of data.
64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=2 ttl=64 time=0.265 ms
64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=3 ttl=64 time=0.254 ms
64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=4 ttl=64 time=0.101 ms
64 bytes from rac2.localdomain (192.168.0.102): icmp_seq=5 ttl=64 time=0.321 ms
--- rac2.localdomain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.109/0.255/0.331/0.081 ms
Remote host reachability check succeeded.
The following hosts are reachable: rac1 rac2.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost rac1
numhosts 2
The script will setup SSH connectivity from the host rac1 to all the remote hosts. After the script is executed, the user can use SSH to run commands on the remote hosts or copy files between this host rac1 and the remote hosts without being prompted for passwords or confirmations.
NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy files between the local host and the remote hosts. Since the script does not store passwords, you may be prompted for the passwords during the execution of the script whenever ssh or scp is invoked.
NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE directories.
Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes
The user chose yes
User chose to skip passphrase related questions.
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /home/oracle/.ssh/config, it would be backed up to /home/oracle/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host with empty passphrase
Generating public/private rsa key pair.
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
de:e3:66:fa:16:e8:6e:36:fd:c5:e3:77:75:07:9a:b0 oracle@rac1
Creating .ssh directory and setting permissions on remote host rac1
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT.
The script would create ~oracle/.ssh/config file on remote host rac1. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac1.
Warning: Permanently added 'rac1,192.168.0.101' (RSA) to the list of known hosts.
oracle@rac1's password:
Done with creating .ssh directory and setting permissions on remote host rac1.
Creating .ssh directory and setting permissions on remote host rac2
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oracle. THIS IS AN SSH REQUIREMENT.
The script would create ~oracle/.ssh/config file on remote host rac2. If a config file exists already at ~oracle/.ssh/config, it would be backed up to ~oracle/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host rac2.
Warning: Permanently added 'rac2,192.168.0.102' (RSA) to the list of known hosts.
oracle@rac2's password:
Done with creating .ssh directory and setting permissions on remote host rac2.
Copying local host public key to the remote host rac1
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac1.
oracle@rac1's password:
Done copying local host public key to the remote host rac1
Copying local host public key to the remote host rac2
The user may be prompted for a password or passphrase here since the script would be using SCP for host rac2.
oracle@rac2's password:
Done copying local host public key to the remote host rac2
cat: /home/oracle/.ssh/known_hosts.tmp: No such file or directory
cat: /home/oracle/.ssh/authorized_keys.tmp: No such file or directory
SSH setup is complete.
------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user oracle.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~oracle or ~oracle/.ssh on the remote host may not be owned by oracle.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked,
it may be a security alert shown as part of company policy. Append the
additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.
------------------------------------------------------------------------
--rac1:--
Running /usr/bin/ssh -x -l oracle rac1 date to verify SSH connectivity has been setup from local host to rac1.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Wed Dec 22 15:40:10 GMT 2010
------------------------------------------------------------------------
--rac2:--
Running /usr/bin/ssh -x -l oracle rac2 date to verify SSH connectivity has been setup from local host to rac2.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Wed Dec 22 15:40:10 GMT 2010
------------------------------------------------------------------------
SSH verification complete.
$
You should now be able to SSH and SCP between servers without entering passwords.
Security

Host level security can be controlled using the Linux firewall, as shown previously.

User and group level security can be controlled by editing the "/etc/ssh/sshd_config" file and adding AllowUsers or AllowGroups entries.

AllowUsers user1 user2
AllowGroups developers

Remember to restart or reload the service after making any changes.

# service sshd reload

For more information see: