ORACLE之RAC搭建过程9-配置grid和oracle用户互信

为何使用手动方法选项来配置 SSH 用户等效性？

CVU (runcluvfy.sh) 是一个非常有用的工具，位于 Oracle 集群件的根目录下。
该工具不仅检查是否满足了软件安装前的所有前提条件，还能够生成称作“修复脚本”的 shell 脚本程序，从而解决许多不满足系统配置要求的问题。然而，CVU 确实有它自己的前提条件，那就是为运行安装的用户帐户正确配置 SSH 用户等效性。如果您打算使用 OUI 配置 SSH 连接，就要知道 CVU 实用程序将会失败，它没有机会执行任何关键检查。

使用grid用户执行：

[grid@rac1 ~]$ cd /oracle/soft/grid/
[grid@rac1 grid]$ ./runcluvfy.sh stage -pre crsinst -fixup -n rac1,rac2 -verbose

下面以root用户配置互信为例：

1、生成密钥对

[root@rac1 ~]# rm -f ~/.ssh/*
[root@rac1 ~]# /usr/bin/ssh-keygen -t dsa
//一直回车
//id_dsa.pub 公钥 =》锁 =》服务端
//id_dsa 私钥 =》钥匙 =》客户端

2、所有节点的公钥id_dsa.pub合并生成一个文件authorized_keys。

[root@rac1 ~]# cd .ssh
[root@rac1 .ssh]# cat id_dsa.pub >> authorized_keys
[grid@rac1 .ssh]$ ll
total 12
-rw-r–r-- 1 grid oinstall 599 Feb 17 09:36 authorized_keys
-rw------- 1 grid oinstall 672 Feb 17 09:33 id_dsa
-rw-r–r-- 1 grid oinstall 599 Feb 17 09:33 id_dsa.pub

公钥id_dsa.pub的内容：
[root@rac1 .ssh]# cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAPoRsb6SF5gZI1PuoEy6QbrVbUopCyEsuMUIxSSQx0T4cjgZYoU0hO41MkgagHwR8b1ptRMRbhi12WePXlunrlcxJlGIPT3vC/KJEYIco2xsA90weqAUjsOmuLrfDjLsHpwT2jScTVcx/OagNTBTch/OfpvD5QJu3sUQid179tATAAAAFQCnJjfT3LE3kxd5Y6Ba3Q3ApptCxQAAAIEAxwkyAxo7tnECVOWBqO6XWPs0w1C/pX2+lJvbbcMAdO8phg0H1gBWf+8Dv3HwxbLaHSs1pU9dOVat5IHcwlU6Dq16Hr8S6Vo9DopA5xeg1ooI6ZRAzCWI0Nwbp105pKPAPEiONCYmxsV75656uypiccP7+PAiZh4SyBXLBVW5vtoAAACBANNP5LzC2pXJaZpD8bINO7LF1lDqFwop38LpYuPGY9i5yIFTN9j9U//Qgg7pMEM/+V0bxKWYVsNHWpRZusF5J/P9/ZWDAKkPhGdcwiyUBK/Uy46eBqKu5rPKZojGXfGFoY6rAq76tjKjbUNrxJKzlpChH5bA986onOAG7PgD4wCf grid@rac1
[root@rac2 .ssh]# cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAMhg08Cx3eUcu9gyq9vEWvPTSfLLEaNWaRf3/a3veQyunnYZa+aj/PSKZ2ZHL0s80llPki5ta75pnoROdq9wUh1VOxYjxGcwXlQlJ/vUYndbC5NjEe/gBcBIooOLg3vSTKpOszTDzweSM5t03HAjJLtnx76P6xuQdW8zIwJbkepxAAAAFQDPkU5wkgbSzgabtQrTBO7FJxxNNwAAAIEAtLrFFD/Wi/LSHOezWdW4oQL00OC7RItBvFlSM4fPmK+XioBrrNhxF1Zm6QoUdr4l+MqPpDUM60f0B2FbyCbYnfG0ZkzgadXqyK8hfDydRHkt12H0n5gbIa77c7h9R3DhFo4cQ0hZQUcK9h3YMkfQH0XHBb+gZ4jBvLdIL7ER8l0AAACBAL9j9aVM/+PL/PNirl5gZ9yoj/iCY8vmiBlhrssMohDT0vGoDxPDAtcSRDiHidaZKZB5ZyKQMj3wMyG+GYL/Pogebrat0Zjy0RB5O/1k8/X8Q091Bi9M8vSxqpeO/I+ubhUmwJLMtUribFuMtTHFlGYRFidwa2U4h4q1q20ygTZN grid@rac2

两个节点，生成一个文件authorized_keys
cat > ~/.ssh/authorized_keys <<EOF
ssh-dss AAAAB3NzaC1kc3MAAACBAPoRsb6SF5gZI1PuoEy6QbrVbUopCyEsuMUIxSSQx0T4cjgZYoU0hO41MkgagHwR8b1ptRMRbhi12WePXlunrlcxJlGIPT3vC/KJEYIco2xsA90weqAUjsOmuLrfDjLsHpwT2jScTVcx/OagNTBTch/OfpvD5QJu3sUQid179tATAAAAFQCnJjfT3LE3kxd5Y6Ba3Q3ApptCxQAAAIEAxwkyAxo7tnECVOWBqO6XWPs0w1C/pX2+lJvbbcMAdO8phg0H1gBWf+8Dv3HwxbLaHSs1pU9dOVat5IHcwlU6Dq16Hr8S6Vo9DopA5xeg1ooI6ZRAzCWI0Nwbp105pKPAPEiONCYmxsV75656uypiccP7+PAiZh4SyBXLBVW5vtoAAACBANNP5LzC2pXJaZpD8bINO7LF1lDqFwop38LpYuPGY9i5yIFTN9j9U//Qgg7pMEM/+V0bxKWYVsNHWpRZusF5J/P9/ZWDAKkPhGdcwiyUBK/Uy46eBqKu5rPKZojGXfGFoY6rAq76tjKjbUNrxJKzlpChH5bA986onOAG7PgD4wCf grid@rac1
ssh-dss AAAAB3NzaC1kc3MAAACBAMhg08Cx3eUcu9gyq9vEWvPTSfLLEaNWaRf3/a3veQyunnYZa+aj/PSKZ2ZHL0s80llPki5ta75pnoROdq9wUh1VOxYjxGcwXlQlJ/vUYndbC5NjEe/gBcBIooOLg3vSTKpOszTDzweSM5t03HAjJLtnx76P6xuQdW8zIwJbkepxAAAAFQDPkU5wkgbSzgabtQrTBO7FJxxNNwAAAIEAtLrFFD/Wi/LSHOezWdW4oQL00OC7RItBvFlSM4fPmK+XioBrrNhxF1Zm6QoUdr4l+MqPpDUM60f0B2FbyCbYnfG0ZkzgadXqyK8hfDydRHkt12H0n5gbIa77c7h9R3DhFo4cQ0hZQUcK9h3YMkfQH0XHBb+gZ4jBvLdIL7ER8l0AAACBAL9j9aVM/+PL/PNirl5gZ9yoj/iCY8vmiBlhrssMohDT0vGoDxPDAtcSRDiHidaZKZB5ZyKQMj3wMyG+GYL/Pogebrat0Zjy0RB5O/1k8/X8Q091Bi9M8vSxqpeO/I+ubhUmwJLMtUribFuMtTHFlGYRFidwa2U4h4q1q20ygTZN grid@rac2
EOF

3、第一次登录输入yes后，将连接信息记录在known_hosts

[grid@rac1 .ssh]$ ssh rac2
The authenticity of host 'rac2 (10.0.0.12)' can't be established.
ECDSA key fingerprint is SHA256:vDXBlKLJKlS5e99QEjd4imfrXFBmWo3W0Nkyl9BC9Vo.
ECDSA key fingerprint is MD5:fe:88:2a:75:c9:b4:95:a6:ee:66:fb:ff:9e:fc:74:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac2,10.0.0.12' (ECDSA) to the list of known hosts.
Last login: Wed Feb 17 17:38:26 2021
[grid@rac2 ~]$[grid@rac2 .ssh]$ ssh rac1
The authenticity of host 'rac1 (10.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:M57mn51ErQ6+KH411Y+ZtsIRLuTrsNAr+ajtxTiZP0M.
ECDSA key fingerprint is MD5:44:6f:76:67:94:8b:0e:d0:72:02:95:af:65:c8:0d:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rac1,10.0.0.11' (ECDSA) to the list of known hosts.
Last login: Wed Feb 17 09:32:53 2021
[grid@rac1 ~]$

两个节点的 ~/.ssh目录:

[grid@rac1 .ssh]$ ll
total 16
-rw-r--r-- 1 grid oinstall 1198 Feb 17 09:46 authorized_keys
-rw------- 1 grid oinstall  672 Feb 17 09:33 id_dsa
-rw-r--r-- 1 grid oinstall  599 Feb 17 09:33 id_dsa.pub
-rw-r--r-- 1 grid oinstall  176 Feb 17 09:46 known_hosts
[grid@rac1 .ssh]$[grid@rac2 .ssh]$ ll
total 16
-rw-r--r-- 1 grid oinstall 1198 Feb 17 17:41 authorized_keys
-rw------- 1 grid oinstall  672 Feb 17 17:38 id_dsa
-rw-r--r-- 1 grid oinstall  599 Feb 17 17:38 id_dsa.pub
-rw-r--r-- 1 grid oinstall  352 Feb 17 17:47 known_hosts
[grid@rac2 .ssh]$

4、目录文件权限

chmod 700 ~/.ssh # 注：如果权限未设置为 700，SSH 配置将失败。
chmod 744 ~/.ssh/id_dsa.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_dsa

5、root互信，注意ssh允许root登录。

ssh配置文件：/etc/ssh/sshd_config

PermitRootLogin yes
# Only allow root to run commands over ssh, no shell
#PermitRootLogin forced-commands-only#平滑重启ssh
/etc/init.d/sshd reload

两个主机的oracle用户也做同样的免密。