使用Oracle的sshUserSetup.sh脚本配置SSH互信

不管是在Oracle的GRID安装包，还是DB安装包里都有个脚本(sshUserSetup.sh)，用于配置机器之间的SSH互信。配置互信，不仅仅在安装RAC需要配置。有时候我们需要配置ssh互信的时候，用这个脚本就很方便，不用敲那么命令了，直接用于脚本即可。

1 配置SSH

脚本大家都有，这里主要介绍用法。在脚本里，最上面有介绍用法：

Usage sshUserSetup.sh -user <user name> [ -hosts /"<space separated hostlist>/" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]

如：

eg. sshUserSetup.sh -hosts "host1 host2" -user njerath -advanced

-hosts 表示：需要配置互信的服务器ip

-user 表示：用于远程登录到服务器上的用户名

-advanced 表示：hosts里的主机，每两个主机之间都是互信的。如果不加-advanced，例如：本机是HOST-A

在本机执行./sshUserSetup.sh -user aime -hosts A B C。那么就是HOST-A->A, HOST-A->B, HOST-A->C 的互信关系。A,B,C之间是不互信的。

注意：本地主机对远程主机的SSH互信，是单向的。不管加不加-advanced，如果A主机SSH 到主机HOST-A，那么还是要输入密码。如果想本地主机和远程之间SSH互信，那么把本地主机IP加入到host中即可。 -hosts “HOST-A host1 host2”

1.1 具体例子

这里用户都是root

1.2 本地主机ip

[root@localhost sshsetup]# ifconfigeth0Link encap:Ethernet HWaddr 08:00:27:5C:99:99 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0

1.2.1 本地主机向所有远程服务器互信，远程主机之间不互信

没有加 -advanced

[root@localhost sshsetup]# ./sshUserSetup.sh -user root -hosts '192.168.1.3 192.168.1.4'The output of this script is also logged into /tmp/sshUserSetup_-02-22-15-40-10.logHosts are 192.168.1.3 192.168.1.4user is rootPlatform:- LinuxChecking if the remote hosts are reachablePING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=1.77 ms64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.03 ms64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.829 ms64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=1.13 ms64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.986 ms--- 192.168.1.3 ping statistics ---5 packets transmitted, 5 received, 0% packet loss, time 4007msrtt min/avg/max/mdev = 0.829/1.149/1.770/0.325 msPING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=1.65 ms64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.760 ms64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=1.00 ms64 bytes from 192.168.1.4: icmp_seq=4 ttl=64 time=0.967 ms64 bytes from 192.168.1.4: icmp_seq=5 ttl=64 time=0.861 ms--- 192.168.1.4 ping statistics ---5 packets transmitted, 5 received, 0% packet loss, time 4008msrtt min/avg/max/mdev = 0.760/1.049/1.659/0.317 msRemote host reachability check succeeded.The following hosts are reachable: 192.168.1.3 192.168.1.4.The following hosts are not reachable: .All hosts are reachable. Proceeding further...firsthost 192.168.1.3numhosts 2The script will setup SSH connectivity from the host localhost.localdomain to allthe remote hosts. After the script is executed, the user can use SSH to runcommands on the remote hosts or copy files between this host localhost.localdomainand the remote hosts without being prompted for passwords or confirmations.NOTE 1:As part of the setup procedure, this script will use ssh and scp to copyfiles between the local host and the remote hosts. Since the script does notstore passwords, you may be prompted for the passwords during the execution ofthe script whenever ssh or scp is invoked.NOTE 2:AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORYAND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESEdirectories.Do you want to continue and let the script make the above mentioned changes (yes/no)?yesThe user chose yesPlease specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. noThe estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.Enter 'yes' or 'no'.yesThe user chose yesCreating .ssh directory on local host, if not present alreadyCreating authorized_keys file on local hostChanging permissions on authorized_keys to 644 on local hostCreating known_hosts file on local hostChanging permissions on known_hosts to 644 on local hostCreating config file on local hostIf a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.Removing old private/public keys on local hostRunning SSH keygen on local hostEnter passphrase (empty for no passphrase):Enter same passphrase again:Generating public/private rsa key pair.Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:38:1d:89:e5:3f:3e:4a:9d:1f:3f:e1:87:e7:41:a6:06 root@localhost.localdomainThe key's randomart image is:+--[ RSA 1024]----+| . || + . ||. + || o o ||o S oE o || . o o. = || . = .+ + || . . o.o+ +|| . . .=.|+-----------------+Creating .ssh directory and setting permissions on remote host 192.168.1.3THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.The script would create ~root/.ssh/config file on remote host 192.168.1.3. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.The user may be prompted for a password here since the script would be running SSH on host 192.168.1.3.Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts.root@192.168.1.3's password:Done with creating .ssh directory and setting permissions on remote host 192.168.1.3.Creating .ssh directory and setting permissions on remote host 192.168.1.4THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.The script would create ~root/.ssh/config file on remote host 192.168.1.4. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.The user may be prompted for a password here since the script would be running SSH on host 192.168.1.4.Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts.root@192.168.1.4's password:Done with creating .ssh directory and setting permissions on remote host 192.168.1.4.Copying local host public key to the remote host 192.168.1.3The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.3.root@192.168.1.3's password: --输入远程服务器对应用户的密码Done copying local host public key to the remote host 192.168.1.3Copying local host public key to the remote host 192.168.1.4The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.4.root@192.168.1.4's password:Done copying local host public key to the remote host 192.168.1.4The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.SSH setup is complete.------------------------------------------------------------------------Verifying SSH setup===================The script will now run the date command on the remote nodes using sshto verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FORPASSWORDS. If you see any output other than date or are prompted for thepassword, ssh is not setup correctly and you will need to resolve theissue and set up ssh again.The possible causes for failure could be:1. The server settings in /etc/ssh/sshd_config file do not allow sshfor user root.2. The server may have disabled public key based authentication.3. The client public key on the server may be outdated.4. ~root or ~root/.ssh on the remote host may not be owned by root.5. User may not have passed -shared option for shared remote users ormay be passing the -shared option for non-shared remote users.6. If there is output in addition to the date, but no password is asked,it may be a security alert shown as part of company policy. Append theadditional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.--------------------------------------------------------------------------192.168.1.3:--Running /usr/bin/ssh -x -l root 192.168.1.3 date to verify SSH connectivity has been setup from local host to 192.168.1.3.IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.Wed Feb 22 15:45:12 CST --------------------------------------------------------------------------192.168.1.4:--Running /usr/bin/ssh -x -l root 192.168.1.4 date to verify SSH connectivity has been setup from local host to 192.168.1.4.IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.Wed Feb 22 15:48:02 CST ------------------------------------------------------------------------SSH verification complete.

1.2.2 验证

1.2.2.1 本机对所有远程服务器单向SSH

[root@localhost sshsetup]# ifconfigeth0Link encap:Ethernet HWaddr 08:00:27:5C:99:99 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0[root@localhost sshsetup]# ssh 192.168.1.3 dateWed Feb 22 15:47:09 CST [root@localhost sshsetup]# ssh 192.168.1.4 dateWed Feb 22 15:50:02 CST

1.2.2.2 远程服务器之间验证

[root@web ~]# ifconfigeth0Link encap:Ethernet HWaddr 40:8D:5C:E5:AD:08 inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0[root@web ~]# ssh 192.168.1.3 dateroot@192.168.1.3's password:

可以看到，需要输入密码。

1.3 配置所有远程主机之间的SSH互信

[root@localhost sshsetup]# ./sshUserSetup.sh -user root -hosts '192.168.1.3 192.168.1.4' -advancedThe output of this script is also logged into /tmp/sshUserSetup_-02-22-15-46-13.logHosts are 192.168.1.3 192.168.1.4user is rootPlatform:- LinuxChecking if the remote hosts are reachablePING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.858 ms64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.01 ms64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.945 ms64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.994 ms64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.948 ms--- 192.168.1.3 ping statistics ---5 packets transmitted, 5 received, 0% packet loss, time 4007msrtt min/avg/max/mdev = 0.858/0.952/1.016/0.057 msPING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=0.823 ms64 bytes from 192.168.1.4: icmp_seq=2 ttl=64 time=0.918 ms64 bytes from 192.168.1.4: icmp_seq=3 ttl=64 time=1.02 ms64 bytes from 192.168.1.4: icmp_seq=4 ttl=64 time=0.807 ms64 bytes from 192.168.1.4: icmp_seq=5 ttl=64 time=1.01 ms--- 192.168.1.4 ping statistics ---5 packets transmitted, 5 received, 0% packet loss, time 4005msrtt min/avg/max/mdev = 0.807/0.918/1.023/0.092 msRemote host reachability check succeeded.The following hosts are reachable: 192.168.1.3 192.168.1.4.The following hosts are not reachable: .All hosts are reachable. Proceeding further...firsthost 192.168.1.3numhosts 2The script will setup SSH connectivity from the host localhost.localdomain to allthe remote hosts. After the script is executed, the user can use SSH to runcommands on the remote hosts or copy files between this host localhost.localdomainand the remote hosts without being prompted for passwords or confirmations.NOTE 1:As part of the setup procedure, this script will use ssh and scp to copyfiles between the local host and the remote hosts. Since the script does notstore passwords, you may be prompted for the passwords during the execution ofthe script whenever ssh or scp is invoked.NOTE 2:AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORYAND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEGES TO THESEdirectories.Do you want to continue and let the script make the above mentioned changes (yes/no)?yesThe user chose yesPlease specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. noThe estimated number of times the user would be prompted for a passphrase is 4. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion.Enter 'yes' or 'no'.yesThe user chose yesThe files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys.Press 'yes', 'no' or 'change'yesThe user chose yesCreating .ssh directory on local host, if not present alreadyCreating authorized_keys file on local hostChanging permissions on authorized_keys to 644 on local hostCreating known_hosts file on local hostChanging permissions on known_hosts to 644 on local hostCreating config file on local hostIf a config file exists already at /root/.ssh/config, it would be backed up to /root/.ssh/config.backup.Removing old private/public keys on local hostRunning SSH keygen on local hostEnter passphrase (empty for no passphrase):Enter same passphrase again:Generating public/private rsa key pair.Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:f5:fd:97:37:c6:83:50:a3:31:d0:f6:94:45:33:50:e8 root@localhost.localdomainThe key's randomart image is:+--[ RSA 1024]----+| .. .B* ||.o + o||oo+o || . .=E. || S o. . || . o..|| . *+|| . =|| |+-----------------+Creating .ssh directory and setting permissions on remote host 192.168.1.3THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.The script would create ~root/.ssh/config file on remote host 192.168.1.3. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.The user may be prompted for a password here since the script would be running SSH on host 192.168.1.3.Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts.root@192.168.1.3's password:Done with creating .ssh directory and setting permissions on remote host 192.168.1.3.Creating .ssh directory and setting permissions on remote host 192.168.1.4THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR root. THIS IS AN SSH REQUIREMENT.The script would create ~root/.ssh/config file on remote host 192.168.1.4. If a config file exists already at ~root/.ssh/config, it would be backed up to ~root/.ssh/config.backup.The user may be prompted for a password here since the script would be running SSH on host 192.168.1.4.Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts.root@192.168.1.4's password:Done with creating .ssh directory and setting permissions on remote host 192.168.1.4.Copying local host public key to the remote host 192.168.1.3The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.3.root@192.168.1.3's password:Done copying local host public key to the remote host 192.168.1.3Copying local host public key to the remote host 192.168.1.4The user may be prompted for a password or passphrase here since the script would be using SCP for host 192.168.1.4.root@192.168.1.4's password:Done copying local host public key to the remote host 192.168.1.4Creating keys on remote host 192.168.1.3 if they do not exist already. This is required to setup SSH on host 192.168.1.3.Creating keys on remote host 192.168.1.4 if they do not exist already. This is required to setup SSH on host 192.168.1.4.Generating public/private rsa key pair.Your identification has been saved in .ssh/id_rsa.Your public key has been saved in .ssh/id_rsa.pub.The key fingerprint is:88:b1:d4:49:1e:df:ea:f5:d6:c9:27:a4:a1:8b:6c:c4 root@webThe key's randomart image is:+--[ RSA 1024]----+|o||+ + . || o + . .|| . + . . || o ..S . . . || .E. o * . || .. . + = .|| ... o o || .o .|+-----------------+Updating authorized_keys file on remote host 192.168.1.3Updating known_hosts file on remote host 192.168.1.3The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.Updating authorized_keys file on remote host 192.168.1.4Updating known_hosts file on remote host 192.168.1.4The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.SSH setup is complete.------------------------------------------------------------------------Verifying SSH setup===================The script will now run the date command on the remote nodes using sshto verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FORPASSWORDS. If you see any output other than date or are prompted for thepassword, ssh is not setup correctly and you will need to resolve theissue and set up ssh again.The possible causes for failure could be:1. The server settings in /etc/ssh/sshd_config file do not allow sshfor user root.2. The server may have disabled public key based authentication.3. The client public key on the server may be outdated.4. ~root or ~root/.ssh on the remote host may not be owned by root.5. User may not have passed -shared option for shared remote users ormay be passing the -shared option for non-shared remote users.6. If there is output in addition to the date, but no password is asked,it may be a security alert shown as part of company policy. Append theadditional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file.--------------------------------------------------------------------------192.168.1.3:--Running /usr/bin/ssh -x -l root 192.168.1.3 date to verify SSH connectivity has been setup from local host to 192.168.1.3.IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.The script will run SSH on the remote machine 192.168.1.3. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.Wed Feb 22 15:50:58 CST --------------------------------------------------------------------------192.168.1.4:--Running /usr/bin/ssh -x -l root 192.168.1.4 date to verify SSH connectivity has been setup from local host to 192.168.1.4.IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.The script will run SSH on the remote machine 192.168.1.4. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase.Wed Feb 22 15:53:48 CST ------------------------------------------------------------------------------------------------------------------------------------------------Verifying SSH connectivity has been setup from 192.168.1.3 to 192.168.1.3IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.Wed Feb 22 15:50:59 CST ------------------------------------------------------------------------------------------------------------------------------------------------Verifying SSH connectivity has been setup from 192.168.1.3 to 192.168.1.4IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL.Wed Feb 22 15:53:49 CST -------------------------------------------------------------------------Verification from complete-SSH verification complete.

1.3.1 验证

1.3.1.1 本机向远程主机SSH

[root@localhost sshsetup]# ifconfigeth0Link encap:Ethernet HWaddr 08:00:27:5C:99:99 inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0[root@localhost sshsetup]# ssh 192.168.1.4 dateWed Feb 22 15:54:37 CST [root@localhost sshsetup]# ssh 192.168.1.3 dateWed Feb 22 15:51:51 CST

1.3.1.2 远程主机之间SSH互信

[root@web ~]# ifconfigeth0Link encap:Ethernet HWaddr 40:8D:5C:E5:AD:08 inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.[root@web ~]# ssh 192.168.1.3 date 02月 22日 星期三 15:52:32 CST

主机192.168.1.3

[root@dg2 ~]# ifconfigeth0Link encap:Ethernet HWaddr 40:8D:5C:E4:69:4B inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0[root@dg2 ~]# ssh 192.168.1.4 dateWed Feb 22 16:01:49 CST