Overview of rcp, its shortcomings, and how it was replaced by SSH. User accounts have attributes that can be altered. Each user account has a set of associated attributes. These attributes are created from default values when a user is created by using the mkuser command. The attributes can be altered by using the chuser command. The following are the user attributes that control login and are not related to password quality. The rcp (remote copy) program was a tool for copying files to and from remote computers. It has since been superseded by ssh, particularly the scp tool. Everyone who still has rcp enabled is encouraged to immediately disable it for important security reasons.
Posted Apr 21, 2006
By Tarry Singh
A Brief Pep talk: Continuing the preparation
In part 9, we covered several topics such as Swap Space, Memory, Semaphores, File handles and Hangcheck-timer. A good thing about being familiar with all the components that make Oracle RAC work is that you, as a DBA, become more interested in the technologies involved in it, and that makes learning a fun thing.
Let's get on to installing the rest of it. We will pick up from where we left in the last article.
- Remote access checks (both rsh, rcp – not recommended, and ssh, scp – recommended)
Remote Access: Secure (SSH & SCP) and Non-Secure (RSH & RCP)
There are two ways of doing things: the secure way and the non-secure way. Since version 10g R1, Oracle has included support for SSH, so instead of using rsh and rcp you can use ssh and scp; 's', as you guessed, stands for secure. The rsh and rcp commands are not required for RAC itself, but they are used during installation and patchset installation to copy files across nodes.
Installation of SSH must be done before you begin Oracle installation.
SSH and SCP way
OK, let's see how we can install the SSH suite. If you saw my article about the NXMachine then you can guess about the public and private key mechanism. Now SSH (secure shell) must be configured for the oracle user on all cluster nodes. OUI uses the ssh and scp commands during installation to run (secure) remote commands and (securely) copy files to the other cluster nodes.
Is SSH running on my server? (These are generally disabled by default). Oracle uses OpenSSH version 3 (There is already version 4.3 as of this writing). Now if ssh and scp are not available, it defaults to rsh and rcp. Do configure SSH in such a way that these commands do not prompt for a password.
Do I have my SSH installed?
Do this when logged on as the 'oracle' user:
In addition, run 'man sshd' to read the manual for more information on SSHD.
Having checked that, we go ahead and use ssh-keygen to create both RSA and DSA keys. What does ssh-keygen do? According to the manual:
'ssh-keygen generates, manages and converts authentication keys for ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2 connections. ssh-keygen is also used to generate groups for use in Diffie-Hellman group exchange (DH-GEX).'
Creating RSA and DSA keys on each node:
1. You should be logged in as the 'oracle' user.
2. Create an .ssh directory in the oracle user's home directory with appropriate permissions:
3. Enter the following commands to generate an RSA key for version 2 of the SSH protocol:
Accept the default locations for the key file, enter the passphrase twice and you are done. This command writes the public key to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file.
4. To generate a DSA key for version 2 of the SSH protocol, do the following:
Never distribute the private key to anyone! (If you deal with security, you know this is the best way to get all wet and naked for a hacker!)
~Edit the authorized_keys on every node. For instance, if you have 4 nodes your authorized_keys file (located in ~/.ssh/) will have eight entries. If you do not have 'authorized_keys', doing this will create it:
~Do a cat for local and remote keys:
~Do a word count per node, they all must have 8 lines:
~Copy the keys across nodes using scp protocol:
This should go seamlessly, without issuing passwords. You will be prompted to edit your oracle user password if you didn't do the cat. If you did the cat for local and remote keys, you get to enter the passphrase once. The moment the nodes establish the SSH protocol, they know of each other's private keys that unlock the public keys (so to speak):
~Setting up Oracle user equivalence: (I forgot the dsa passphrase for a while).
~ Testing your Oracle user equivalence by doing this on all nodes:
This should now go seamlessly.
In order to ensure that X11 forwarding will not hinder the installation process, create a user-level SSH client configuration file for the Oracle software owner user, as follows: Using gedit for instance, edit or create the ~oracle/.ssh/config file. Make sure that the ForwardX11 attribute is set to no. For instance:
Remember that OUI must run from this same session or remember to repeat the steps when running OUI from another terminal.
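The SSH steps above can be checked after the fact with a small audit of the oracle user's .ssh directory. This is an added example, not code from the original article; the helper names `perm_of` and `audit_ssh_equiv` are hypothetical, and the sample directory is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit_ssh_equiv and perm_of are hypothetical helper names.

perm_of() {  # octal mode of a path: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_ssh_equiv() {  # usage: audit_ssh_equiv <ssh_dir> <node_count>
    dir=$1; expected=$(( $2 * 2 )); bad=0   # one RSA + one DSA key per node
    note() { echo "FINDING: $*"; bad=1; }

    [ "$(perm_of "$dir")" = 700 ] || note "$dir is not mode 700"
    for key in "$dir/id_rsa" "$dir/id_dsa"; do
        [ -f "$key" ] || continue
        case $(perm_of "$key") in
            600|400) ;;
            *) note "private key $key has mode $(perm_of "$key"), expected 600" ;;
        esac
    done
    if [ -f "$dir/authorized_keys" ]; then
        # count entries, ignoring blank lines and comments
        n=$(grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$dir/authorized_keys" || true)
        [ "$n" -eq "$expected" ] || note "authorized_keys has $n entries, expected $expected"
    else
        note "authorized_keys is missing"
    fi
    grep -Eiq '^[[:space:]]*ForwardX11[[:space:]=]+no[[:space:]]*$' "$dir/config" 2>/dev/null \
        || note "ForwardX11 is not set to no in $dir/config"
    return "$bad"
}

demo() {  # constructed sample: 2-node cluster with a group-readable private key
    d=$(mktemp -d) && chmod 700 "$d"
    printf 'ssh-rsa CONSTRUCTED oracle@node%s\n' 1 2 >  "$d/authorized_keys"
    printf 'ssh-dss CONSTRUCTED oracle@node%s\n' 1 2 >> "$d/authorized_keys"
    : > "$d/id_rsa"; chmod 640 "$d/id_rsa"
    printf 'Host *\n    ForwardX11 no\n' > "$d/config"
    audit_ssh_equiv "$d" 2 || echo "audit reported findings"
    rm -rf "$d"
}
demo
```

On a real node the call would be `audit_ssh_equiv ~oracle/.ssh 4` for the four-node case the article describes.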
RSH and RCP method
To learn more about RSH and RCP see this. It is important to note that both SSH and RSH build trust among nodes using host equivalency.
~Check for the binaries:
~If not, install them (or yum it):
~Edit the 'disable' attribute in the /etc/xinetd.d/rsh file to set it to 'no' and xinetd must be reloaded. Do this on ALL NODES:
~Create hosts equiv files on all nodes for host equivalency (in order to establish trust among the nodes) as /etc/hosts.equiv file on all cluster nodes by doing:
Edit the file:
Do I have the correct version of RSH?
We do not want Kerberos rsh so we do the following:
~Run the following command from the node from where you will be doing the installation:
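Because the RSH steps above enable the rsh service in xinetd and establish trust through /etc/hosts.equiv, it is useful to confirm afterwards whether a node is still in that state. The following is an added example, not code from the original article; `audit_rsh` is a hypothetical helper, the file contents in `demo` are constructed, and the hosts.equiv format handled is the common `[+|-]hostname [user]` form.

```shell
#!/bin/sh
# Added example: audit_rsh is a hypothetical helper name.

audit_rsh() {  # usage: audit_rsh <xinetd_rsh_file> <hosts_equiv_file>
    svc=$1; equiv=$2; bad=0
    note() { echo "FINDING: $*"; bad=1; }

    if [ -f "$svc" ]; then
        # xinetd runs a service unless its file says "disable = yes"
        state=$(sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([a-zA-Z]*\).*/\1/p' "$svc" | tail -n 1)
        [ "$state" = yes ] || note "rsh is enabled in $svc (disable = ${state:-unset})"
    fi
    if [ -f "$equiv" ]; then
        while read -r host user; do
            case $host in ''|'#'*|-*) continue ;; esac   # blank, comment, deny entry
            if [ "$host" = + ] || [ "$user" = + ]; then
                note "wildcard trust entry in $equiv: $host $user"
            else
                note "passwordless trust in $equiv: ${host#+} $user"
            fi
        done < "$equiv"
    fi
    return "$bad"
}

demo() {  # constructed sample files mirroring the state the steps above create
    d=$(mktemp -d)
    printf 'service shell\n{\n    disable = no\n    server = /usr/sbin/in.rshd\n}\n' > "$d/rsh"
    printf '# constructed sample\n+node1 oracle\n+node2 oracle\n' > "$d/hosts.equiv"
    audit_rsh "$d/rsh" "$d/hosts.equiv" || echo "rsh trust is still in place"
    rm -rf "$d"
}
demo
```

On a real node the arguments would be `/etc/xinetd.d/rsh` and `/etc/hosts.equiv`, the two files named in the steps above.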
Conclusion:
Well you can never say enough about security and get away with it. Securing your Oracle database is like securing your house. You would not want anything to go wrong with it. The private and public keys infrastructure helps us secure our traffic. OpenSSH is a major player and almost every big application has it running. Amazingly enough, it is open source (meaning free)! In our next article, we will continue with our preparations. I will write more on OpenSSH and Oracle on my Oracle Blog.