16 Replies. Latest reply: May 6, 2012 4:18 PM by onedbguru

    Disable password prompt for manual SSH setup in CentOS 5.7

    932792
      Hi,

      I am trying to set up SSH manually in Oracle RAC 11.2 before I run the cluster installer.

      I have created the authorizationkeys on RAC 1 and RAC2.
      When I try to transfer the keys to a tmp directory in rac2 using the scp command, it is asking for rac2's password.

      That should not be the case, right?

      Can someone please tell me how to disable the password check while connecting from rac1 to rac2?

      I tried changing the sshd_config file, but to no avail.

      However, I am able to send the .tmp file successfully from rac2 to rac1. When doing that, there is no prompt for a password.

      Could someone help me please?
        • 1. Re: Disable password prompt for manual SSH setup in CentOS 5.7
          Levi Pereira
          Hi,

          Follow these steps

          Execute on all nodes
          $ mkdir ~/.ssh
          $ chmod 700 ~/.ssh
          $ /usr/bin/ssh-keygen -t dsa
           
          $ /usr/bin/ssh-keygen -t rsa
           
          At the prompts, accept the default location for the key file (press Enter). 
           
          SSH with passphrase is not supported for Oracle Clusterware 11g release 2 and later releases.
           
          Enter passphrase (empty for no passphrase): [press enter]
          On node 1
          $ cd ~/.ssh
          $ cat id_dsa.pub >> authorized_keys
          $ cat id_rsa.pub >> authorized_keys
          $ ssh oracle@node2 cat ~/.ssh/id_rsa.pub  >> ~/.ssh/authorized_keys
          $ ssh oracle@node2 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
          $ chmod 644 ~/.ssh/authorized_keys
          On node 2:
          $ ssh oracle@node1 cat ~/.ssh/authorized_keys >> ~/.ssh/authorized_keys
          $ chmod 644 ~/.ssh/authorized_keys
          Test your configuration using all Hostnames.

          Hope this helps,
          Levi Pereira
          • 2. Re: Disable password prompt for manual SSH setup in CentOS 5.7
            932792
            Hi

            I tried as you had mentioned, but after the following step I am getting a prompt for passwd:

            [oracle@falcen6a .ssh]$ cat id_dsa.pub >> authorized_keys
            [oracle@falcen6a .ssh]$ cat id_rsa.pub >> authorized_keys
            [oracle@falcen6a .ssh]$ ssh oracle@rac2 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
            The authenticity of host 'rac2 (192.168.100.219)' can't be established.
            RSA key fingerprint is 08:c1:93:43:34:d4:22:df:4e:47:7c:08:82:45:bb:14.
            Are you sure you want to continue connecting (yes/no)? yes
            Warning: Permanently added 'rac2,192.168.100.219' (RSA) to the list of known hosts.
            oracle@rac2's password:

            Please tell me what to do.
            • 3. Re: Disable password prompt for manual SSH setup in CentOS 5.7
              Levi Pereira
              Hi,

              Try removing the dir ".ssh" from both nodes and make a clean setup.
              $ rm -rf ~/.ssh
              Levi Pereira
              • 4. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                onedbguru
                The 11gR2 installer has a button to SETUP the SSH. I think that the pre-req is that you execute ssh-keygen -t rsa on all nodes first. I have manually configured it and would have it working, but then Oracle installer would complain, so I would have it do the setup, then everything would start working.
                • 5. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                  932792
                  Hi Levi Pereira,

                  I deleted the .ssh directory from both the nodes, but I think I messed up something in my settings while I was trying out various options. Now it is not even allowing me to transfer the key files from rac2 to rac1.

                  This is the output of var/log.

                  I googled and tried a number of solutions for the "gssapi-with-mic" error, but none seems to be working.


                  [oracle@falcen6b .ssh]$ ssh -v rac1
                  OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
                  debug1: Reading configuration data /etc/ssh/ssh_config
                  debug1: Applying options for *
                  debug1: Connecting to rac1 [192.168.100.218] port 22.
                  debug1: Connection established.
                  debug1: identity file /home/oracle/.ssh/identity type -1
                  debug1: identity file /home/oracle/.ssh/id_rsa type 1
                  debug1: identity file /home/oracle/.ssh/id_dsa type 2
                  debug1: loaded 3 keys
                  debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
                  debug1: match: OpenSSH_4.3 pat OpenSSH*
                  debug1: Enabling compatibility mode for protocol 2.0
                  debug1: Local version string SSH-2.0-OpenSSH_4.3
                  debug1: SSH2_MSG_KEXINIT sent
                  debug1: SSH2_MSG_KEXINIT received
                  debug1: kex: server->client aes128-ctr hmac-md5 none
                  debug1: kex: client->server aes128-ctr hmac-md5 none
                  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
                  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
                  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
                  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
                  debug1: Host 'rac1' is known and matches the RSA host key.
                  debug1: Found key in /home/oracle/.ssh/known_hosts:2
                  debug1: ssh_rsa_verify: signature correct
                  debug1: SSH2_MSG_NEWKEYS sent
                  debug1: expecting SSH2_MSG_NEWKEYS
                  debug1: SSH2_MSG_NEWKEYS received
                  debug1: SSH2_MSG_SERVICE_REQUEST sent
                  debug1: SSH2_MSG_SERVICE_ACCEPT received
                  debug1: Authentications that can continue: publickey,gssapi-with-mic
                  debug1: Next authentication method: gssapi-with-mic
                  debug1: Unspecified GSS failure. Minor code may provide more information
                  No credentials cache found

                  debug1: Unspecified GSS failure. Minor code may provide more information
                  No credentials cache found

                  debug1: Unspecified GSS failure. Minor code may provide more information
                  No credentials cache found

                  debug1: Next authentication method: publickey
                  debug1: Trying private key: /home/oracle/.ssh/identity
                  debug1: Offering public key: /home/oracle/.ssh/id_rsa
                  debug1: Authentications that can continue: publickey,gssapi-with-mic
                  debug1: Offering public key: /home/oracle/.ssh/id_dsa
                  debug1: Authentications that can continue: publickey,gssapi-with-mic
                  debug1: No more authentication methods to try.
                  Permission denied (publickey,gssapi-with-mic).
                  [oracle@falcen6b .ssh]$
                  [oracle@falcen6b .ssh]$

                  Could you please tell me what I should do next?
                  • 6. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                    932792
                    Hi onedbguru,

                    So it is enough if both the nodes have both sets of keys?

                    But now I am not even able to transfer the keys.

                    I have posted my error. Any suggestions?

                    PS - this is the first time I am setting up Oracle RAC and I have no previous experience in Linux.

                    I apologise if my questions are too elementary.
                    • 7. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                      onedbguru
                      The first time you transfer the keys, you will need to provide the password.

                      Make sure the directory permissions are correct.

                      /home/oracle 770
                      /home/oracle/.ssh 600
                      /home/oracle/.ssh/authorized_keys 644


                      If you are having that many problems, start with a clean slate. On BOTH nodes, mv /home/oracle/.ssh /home/oracle/.ssh.old (preserve the current directory)

                      on node1
                      ssh-keygen -t rsa
                      ssh-keygen -t dsa
                      (no it does not hurt to have both types of keys!)

                      on node2
                      ssh-keygen -t rsa
                      ssh-keygen -t dsa
                      (no it does not hurt to have both types of keys!)
                      cd .ssh
                      cat *.pub >> authorized_keys

                      on node1
                      cd .ssh
                      ssh-copy-id -i id_rsa.pub oracle@node2
                      password
                      ssh-copy-id -i id_dsa.pub oracle@node2
                      [should not require password]
                      scp oracle@node2:.ssh/authorized_keys $HOME/.ssh


                      Once that is complete, for the PUBLIC, SCAN and INTERCONNECT you want to do the following:

                      on node1
                      ssh <ip-public-address-node1> date
                      ssh <hostname-node1> date
                      ssh <FQN-hostname-node1> date
                      ssh <ip-private-address-node1> date
                      ssh <hostname-private-node1> date
                      Repeat for node 2 addresses - from node1 - answer yes for each unknown hosts

                      copy node1 known hosts to other node

                      Edited by: onedbguru on Apr 28, 2012 7:52 PM
                      • 8. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                        932792
                        Hi,

                        Should this be done while logged in as root or oracle?
                        • 9. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                          932792
                          Hi,

                          While logged in as the oracle user, after creating the keys I am getting a permission denied error when I try to change the permission for the .ssh directory.

                          I am able to change the permission only when I change to the root user using the su-root command.

                          Is this the right way?
                          • 10. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                            932792
                            Now my error is :

                            open home/oracle/.ssh/id_rsa failed: Permission denied
                            • 11. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                              932792
                              Hi,

                              rac1 is not able to access the authorized_keys folder of rac2.

                              bash: .ssh/authorized_keys : Permission denied.

                              I have set the permission as required.

                              Anything else I need to do?
                              • 12. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                                932792
                                Hi onedbguru,

                                Now after I enter the password for the first time, I am being prompted for the password the second time also.

                                Please could you tell me what I should check?
                                • 13. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                                  932792
                                  Hi onedbguru,

                                  I installed a new VM from scratch and followed your steps:

                                  on node1
                                  cd .ssh
                                  ssh-copy-id -i id_rsa.pub oracle@node2
                                  password
                                  ssh-copy-id -i id_dsa.pub oracle@node2
                                  [should not require password]

                                  If I am getting prompted for the password the second time, is there any config file setting I should change?
                                  This is what I am getting:

                                  ssh-copy-id -i id_dsa.pub oracle@rac2
                                  10
                                  oracle@rac2`password :
                                  • 14. Re: Disable password prompt for manual SSH setup in CentOS 5.7
                                    onedbguru
                                    The permissions on the .ssh directories should be:

                                    700 oracle:dba /home/oracle (oracle user home as defined in /etc/passwd)
                                    700 oracle:dba /home/oracle/.ssh


                                    If you mis-configured them, only root can fix them.

                                    My instructions were to be executed as the oracle user.

                                    If you can't get it corrected - run the runInstaller - on the page of configuring the hostnames there is a "SETUP SSH" button. Use it.
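
Added example, not part of the thread or of any poster's instructions: a shell audit of the file modes and owners behind the symptoms reported above (a repeated password prompt after the keys are installed, "Permission denied" on id_rsa). It checks what sshd's StrictModes option and the ssh client enforce; the function names are hypothetical, and `stat -c` assumes GNU coreutils as on CentOS.

```shell
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU coreutils stat (-c), as shipped with CentOS.

# check_path PATH MASK UID ALLOW_ROOT
# Returns 1 and prints a finding when PATH has any bit of octal MASK set,
# or is owned by a uid other than UID (root also passes if ALLOW_ROOT=1).
check_path() {
    cp_path=$1; cp_mask=$2; cp_uid=$3; cp_root=$4; cp_rc=0
    [ -e "$cp_path" ] || return 0            # a missing file is not a finding
    cp_mode=$(stat -c %a "$cp_path")
    cp_owner=$(stat -c %u "$cp_path")
    if [ $(( 0$cp_mode & 0$cp_mask )) -ne 0 ]; then
        echo "BAD mode $cp_mode on $cp_path (bits $cp_mask must be clear)"
        cp_rc=1
    fi
    if [ "$cp_owner" != "$cp_uid" ]; then
        if [ "$cp_root" != 1 ] || [ "$cp_owner" != 0 ]; then
            echo "BAD owner uid $cp_owner on $cp_path (expected $cp_uid)"
            cp_rc=1
        fi
    fi
    return $cp_rc
}

# audit_ssh_perms HOME [UID]; exit status = number of paths with findings.
audit_ssh_perms() {
    a_home=$1; a_uid=${2:-$(id -u)}; a_bad=0
    # sshd StrictModes: home, .ssh and authorized_keys must not be
    # group- or world-writable and must belong to the user or root.
    for a_p in "$a_home" "$a_home/.ssh" "$a_home/.ssh/authorized_keys"; do
        check_path "$a_p" 022 "$a_uid" 1 || a_bad=$((a_bad + 1))
    done
    # ssh client: private keys must be the user's own, closed to group/other.
    for a_p in "$a_home/.ssh/id_rsa" "$a_home/.ssh/id_dsa"; do
        check_path "$a_p" 077 "$a_uid" 0 || a_bad=$((a_bad + 1))
    done
    # A directory needs the owner's search bit; mode 600 on .ssh lacks it.
    if [ -d "$a_home/.ssh" ]; then
        a_mode=$(stat -c %a "$a_home/.ssh")
        if [ $(( 0$a_mode & 0100 )) -eq 0 ]; then
            echo "BAD mode $a_mode on $a_home/.ssh (owner cannot enter it)"
            a_bad=$((a_bad + 1))
        fi
    fi
    return $a_bad
}

# Run as a script: sh audit.sh /home/oracle "$(id -u oracle)"
if [ "$#" -gt 0 ]; then audit_ssh_perms "$@"; fi
```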