SSH User Equivalence Configuration

Source: Internet
Author: User

Configure SSH for user equivalence
During an Oracle RAC 10g installation, the Oracle Universal Installer (OUI) needs to copy files to the other hosts in the cluster and run programs on them. To allow OUI to do this, you must configure SSH for user equivalence. Using SSH for user equivalence provides a secure way to copy files to and run programs on the other hosts in the cluster without a password prompt.

The first step is to generate the SSH public and private keys. The SSH protocol has two versions: version 1 uses RSA and version 2 uses DSA, so we create both types of key to ensure that SSH works with either version. The ssh-keygen program generates either type of key pair, depending on the parameters passed to it.

When you run ssh-keygen, you are prompted for a location in which to save the key; just press Enter to accept the default. You are then prompted for a passphrase. Enter a passphrase you can remember, and enter it again to confirm. After these steps, the ~/.ssh directory contains four files: id_rsa, id_rsa.pub, id_dsa, and id_dsa.pub. The id_rsa and id_dsa files are your private keys; never share them with anyone. The id_rsa.pub and id_dsa.pub files are your public keys, and they must be copied to each of the other hosts in the cluster.

Log on to each host as the oracle user and cut and paste the following lines:

mkdir ~/.ssh
chmod 755 ~/.ssh
/usr/bin/ssh-keygen -t rsa
/usr/bin/ssh-keygen -t dsa
For example:

$ mkdir ~/.ssh
$ chmod 755 ~/.ssh
$ /usr/bin/ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
4b:df:76:77:72:ba:31:cd:c4:e2:0c:e6:ef:30:fc:37 oracle@ds1.orademo.org

$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
af:37:ca:69:3c:a0:08:97:cb:9c:0b:b0:20:70:e3:4a oracle@ds1.orademo.org
Now you must copy the id_rsa.pub and id_dsa.pub public key files from every host into the ~/.ssh/authorized_keys file on each host. Use ssh to append the contents of each file to ~/.ssh/authorized_keys. Note that the first time you use ssh to reach a remote host, its RSA host key is unknown and you are asked to confirm that you want to connect. SSH then records the remote host's RSA key and does not prompt again on later connections to that host.
Log on to the first host as the oracle user (the local account's keys are copied too, so that ssh to the local host also works):

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

ssh oracle@ds2 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
(If you cut and paste these commands, run them one at a time. Each ssh command prompts for the oracle password; if you paste them all at once, the first command flushes the input buffer before it prompts for the password, and the remaining commands are lost.)
ssh oracle@ds2 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

chmod 644 ~/.ssh/authorized_keys
For example (note the append redirection, >>, so that each key is added without overwriting the keys already in the file):

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
$ ssh oracle@ds2 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'ds2 (192.168.200.52)' can't be established.
RSA key fingerprint is d1:23:a7:df:c5:fc:4e:10:d2:83:60:49:25:e8:eb:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ds2,192.168.200.52' (RSA) to the list of known hosts.
oracle@ds2's password:
$ ssh oracle@ds2 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
oracle@ds2's password:
$ chmod 644 ~/.ssh/authorized_keys
Now process the second host in the same way. Note that this time ssh prompts for the passphrase you chose when creating the key rather than for the oracle password: the first host (ds1) now holds the second host's public key, so ssh uses a different authentication method.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

ssh oracle@ds1 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

ssh oracle@ds1 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

chmod 644 ~/.ssh/authorized_keys
For example:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
$ ssh oracle@ds1 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'ds1 (192.168.200.51)' can't be established.
RSA key fingerprint is bd:0e:39:2a:23:2d:ca:f9:ea:71:f5:3d:d3:dd:3b:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ds1,192.168.200.51' (RSA) to the list of known hosts.
Enter passphrase for key '/home/oracle/.ssh/id_rsa':
$ ssh oracle@ds1 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
Enter passphrase for key '/home/oracle/.ssh/id_rsa':
$ chmod 644 ~/.ssh/authorized_keys
Establish user equivalence
Finally, after all the passwords and passphrases entered while generating keys, copying files, and repeating the process on the other host (isn't security fun?), you can establish user equivalence. Once user equivalence is established, you are no longer prompted for a password.

On the node (ds1) from which the Oracle 10g software will be installed, as the oracle user:

exec /usr/bin/ssh-agent $SHELL
/usr/bin/ssh-add
For example:

$ exec /usr/bin/ssh-agent $SHELL
$ /usr/bin/ssh-add
Enter passphrase for /home/oracle/.ssh/id_rsa:
Identity added: /home/oracle/.ssh/id_rsa (/home/oracle/.ssh/id_rsa)
Identity added: /home/oracle/.ssh/id_dsa (/home/oracle/.ssh/id_dsa)
(Note that user equivalence holds only for the current session. If you switch to another session, or log out and log in again, you must run ssh-agent and ssh-add again to re-establish it.)
Test connectivity

If everything is set up correctly, you can now use ssh to log in to, run programs on, and copy files to the other cluster hosts without entering a password. Verify user equivalence by running a simple command such as date on a remote cluster host:

$ ssh ds2 date
Sun Jun 27 19:07:19 CDT 2004
It is important to test connectivity to every server in each direction. This ensures that the following message does not appear when OUI tries to copy files during the CRS and database software installation. The message appears only the first time an operation is performed against a remote node, so by testing connectivity you both confirm that remote operations work and complete the initial host-key exchange.

The authenticity of host 'ds2 (192.168.200.52)' can't be established.
RSA key fingerprint is 8f:a3:19:76:ca:4f:71:85:42:c2:7a:da:eb:53:76:85.
Are you sure you want to continue connecting (yes/no)? yes
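As an added example (not from the original page and not Oracle's own tooling), the following POSIX shell helpers cover the two error-prone parts of the procedure above: merging public keys into authorized_keys without duplicating entries when the steps are re-run on a node, and checking the permissions that sshd requires on ~/.ssh and authorized_keys, plus a connectivity loop that tests every host with ssh's BatchMode option so that a node whose equivalence is incomplete fails visibly instead of hanging at a prompt. The host names ds1 and ds2 come from the page; the key lines in the demo are constructed placeholders written to a temporary directory that stands in for ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the authorized_keys
# merge and the connectivity test described in the procedure above.

# Append every key line from the given public key files to TARGET, skipping
# lines that are already present, so re-running the merge on a node never
# duplicates entries. Prints the resulting number of lines in TARGET.
merge_authorized_keys() {
    target="$1"; shift
    [ -f "$target" ] || : > "$target"
    for pub in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue
            grep -qxF -- "$line" "$target" || printf '%s\n' "$line" >> "$target"
        done < "$pub"
    done
    chmod 644 "$target"
    wc -l < "$target" | tr -d ' '
}

# Succeed only if the path is neither group- nor world-writable. sshd with the
# default StrictModes refuses to use ~/.ssh or authorized_keys otherwise, which
# is why the procedure uses 755 for the directory and 644 for the file.
not_group_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" != "w" ] &&
        [ "$(printf '%s' "$mode" | cut -c9)" != "w" ]
}

# Run "date" on each host with BatchMode=yes, which makes ssh fail instead of
# prompting for a password or passphrase, so an incompletely configured node
# is reported as FAILED rather than stopping the loop at a prompt.
check_equivalence() {
    rc=0
    for host in "$@"; do
        if ssh -o BatchMode=yes "$host" date >/dev/null 2>&1; then
            printf '%s: ok\n' "$host"
        else
            printf '%s: FAILED (password or passphrase still required)\n' "$host"
            rc=1
        fi
    done
    return "$rc"
}

# Offline demonstration using constructed key lines (not real keys) in a
# temporary directory that stands in for ~/.ssh.
demo() {
    dir=$(mktemp -d)
    chmod 755 "$dir"
    printf 'ssh-rsa AAAAB3constructedRSA oracle@ds1\n' > "$dir/id_rsa.pub"
    printf 'ssh-dss AAAAB3constructedDSA oracle@ds1\n' > "$dir/id_dsa.pub"
    printf 'lines after first merge:  %s\n' \
        "$(merge_authorized_keys "$dir/authorized_keys" "$dir/id_rsa.pub" "$dir/id_dsa.pub")"
    printf 'lines after second merge: %s\n' \
        "$(merge_authorized_keys "$dir/authorized_keys" "$dir/id_rsa.pub" "$dir/id_dsa.pub")"
    if not_group_world_writable "$dir" && not_group_world_writable "$dir/authorized_keys"; then
        printf 'permissions: ok\n'
    else
        printf 'permissions: too permissive\n'
    fi
    rm -rf "$dir"
}

demo
```

On a real cluster, run merge_authorized_keys against ~/.ssh/authorized_keys with the public key files collected from every node, then, after ssh-agent and ssh-add, run check_equivalence ds1 ds2 on each node so that every direction is tested as the page recommends; a FAILED line identifies the node whose authorized_keys or host-key acceptance is still incomplete.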
