Job Management Partner 1/Performance Management - Remote Monitor for Platform Description, User's Guide and Reference
This subsection describes how to set up SSH connections. SSH authentication uses the public key authentication method.
To connect via SSH, you need the following settings:
- Enabling the SSH server's public key authentication
Specify this setting at the monitored hosts.
- Creating keys
Specify this setting at the PFM - RM host.
- Placing the private key on the PFM - RM host
Specify this setting at the PFM - RM host.
- Placing the public key on the monitored hosts
Specify this setting at the monitored hosts.
The following figure shows the concept of public key authentication.
Figure 2-13 Concept of public key authentication
There are two ways to perform public key authentication in a cluster system. One is by using the same key for both executing and standby nodes, and the other is by using different keys.
To use the same key for both executing and standby nodes, overwrite the executing node's key file with a copy of the standby node's key file. The following figure shows the concept of public key authentication using the same key.
Figure 2-14 Concept of public key authentication (using the same key for both executing and standby nodes)
To use different keys for the executing and standby nodes, you must register the key files for both the executing node and the standby node into the monitored hosts. The following figure shows the concept of public key authentication using different keys.
Figure 2-15 Concept of public key authentication (using different keys for executing and standby nodes)
- Organization of this subsection
- (1) Enabling the SSH server's public key authentication
- (2) Creating keys
- (3) Placing the public key on the monitored hosts
- (4) Checking the connection and performing fingerprint authentication
(1) Enabling the SSH server's public key authentication
To enable public key authentication:
- Log on to the monitored host as a superuser.
- Open /etc/ssh/sshd_config.
- Set PubkeyAuthentication to yes.
- Execute the following command to restart the sshd service:
[root@TargetHost .ssh]$ /etc/rc.d/init.d/sshd restart
- Reference note
- To log on as a superuser and collect information, open /etc/ssh/sshd_config and then set PermitRootLogin to yes. After that, restart the sshd service.
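The following added example (not part of the original manual) reports the three sshd_config directives this procedure relies on and fails only when PubkeyAuthentication is explicitly set to no. The function names are hypothetical, and the script assumes GNU/Linux, whitespace-separated "Keyword value" lines, and no Include files.

```shell
#!/bin/sh
# Added example (not from the manual): report the sshd_config directives
# that the SSH setup procedure depends on.

# sshd_directive FILE KEYWORD
# Print the first global value of KEYWORD. sshd keeps the first value it
# reads for a keyword, keywords are case-insensitive, and everything after
# a "Match" line is conditional, so scanning stops there.
# Assumption: "Keyword value" form (whitespace separated), no Include files.
sshd_directive() {
    awk -v key="$2" '
        NF == 0 { next }                      # blank line
        $1 ~ /^#/ { next }                    # comment line
        tolower($1) == "match" { exit }       # conditional section starts
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_for_pfm [FILE]
# Prints the current settings; returns 1 only if public key
# authentication is explicitly disabled.
check_sshd_for_pfm() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    for key in PubkeyAuthentication PermitRootLogin AuthorizedKeysFile; do
        val=$(sshd_directive "$cfg" "$key")
        echo "$key = ${val:-<not set, sshd default applies>}"
    done
    pk=$(sshd_directive "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    if [ "$pk" = "no" ]; then
        echo "FAIL: PubkeyAuthentication is disabled"
        rc=1
    fi
    return $rc
}

# Usage on a monitored host (as a superuser):
#   check_sshd_for_pfm /etc/ssh/sshd_config
```

On a running host, `sshd -T` prints the effective configuration after defaults are applied and is the authoritative check.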
(2) Creating keys
Keys are created automatically. Although you can create keys manually, we recommend that you use the keys that are created automatically unless otherwise necessary.
(a) Creating keys automatically
When you install PFM - RM for Platform, both private and public keys are created automatically in /opt/jp1pc/agt7/.ssh/.
The following table lists and describes the storage directory for the private and public keys, the file names, and the settings.
Table 2-25 Storage directory for the private and public keys, the file names, and settings
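| No. | Storage directory | File name | Attribute | Owner | Description |
|-----|-------------------|-----------|-----------|-------|-------------|
| 1 | /opt/jp1pc/agt7/.ssh/ | -- | 700 | root:root | Hidden directory for storing private and public keys |
| 2 | /opt/jp1pc/agt7/.ssh/ | agt7 | 600 | root:root | Private key file |
| 3 | /opt/jp1pc/agt7/.ssh/ | agt7.pub | 644 | root:root | Public key file |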
- Legend:
- --: Not applicable
(b) Creating keys manually
This subsection describes how to create keys manually.
You can create keys by logging on to the PFM - RM host as a superuser and then executing the ssh-keygen command. RSA and DSA keys differ only in the algorithm used; the procedure for creating and using them is the same.
To create RSA keys:
- Log on to the PFM - RM host as a superuser.
- Execute the ssh-keygen -t rsa command.
This command creates an RSA key.
To create a DSA key, specify the -t dsa option instead of the -t rsa option.
- Determine the destination and name of the private key.
By default, ~/.ssh/id_rsa (RSA) is set.
- Press the Enter key twice.
When you are asked to enter a pass phrase for the private key, press the Enter key without entering anything. When re-entry is prompted, press the Enter key again without entering anything.
The following shows an example of ssh-keygen -t rsa command execution:
[root@HOST]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ssh-user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ssh-user/.ssh/id_rsa.
Your public key has been saved in /home/ssh-user/.ssh/id_rsa.pub.
The key fingerprint is:
ax:xx:xx:xx:xx:bx:xx:xc:xx:xx:xx:xd:xd:xa:ed:xx root@HOST
- Notes about creating keys
- Securely manage information about private keys.
- Creating keys (a pair of public and private keys) does not depend on the environment or tool used, so it should not cause problems in any environment or with any tool. However, after creating the keys, you must place the private and public keys appropriately.
(3) Placing the public key on the monitored hosts
Place the public key created in (2) Creating keys on the monitored hosts. When there are multiple monitored hosts, be sure to perform this procedure on all of them.
To place the public key on a monitored host:
- Log on to the monitored host as a remote user.
- Move to the .ssh directory.
If the .ssh directory does not exist, create it. For the directory attribute, specify 700.
- Execute the scp command.
The public key file that has already been created is received.
- Execute the cat command.
The contents of the received public key file are redirected to the authentication key file and appended to its existing contents.
The name of the authentication key file is set by AuthorizedKeysFile of /etc/ssh/sshd_config. By default, ~/.ssh/authorized_keys is set.
- Delete the received public key file.
- Execute the chmod command to change the attribute of the authentication key file to 600.
The following shows an example of executing the scp, cat, and chmod commands:
[ClientUser@TargetHost ]$ cd .ssh
[ClientUser@TargetHost .ssh]$ scp root@RMHost:/opt/jp1pc/agt7/.ssh/agt7.pub .
root@RMHost's password: entering-password
agt7.pub 100% 233 0.2KB/s 00:00
[ClientUser@TargetHost .ssh]$ cat agt7.pub >> authorized_keys
[ClientUser@TargetHost .ssh]$ rm agt7.pub
[ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys
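The following added example (not part of the original manual) audits the file attributes given in Table 2-25 on the PFM - RM host, and the 700 and 600 attributes used for .ssh and authorized_keys on a monitored host. The function names are hypothetical, and the script assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not from the manual): verify key-file attributes.
# Assumption: GNU coreutils stat ("stat -c %a" prints the octal mode).

# check_mode PATH EXPECTED_OCTAL
# Returns 0 on match, 1 on mismatch, 2 if PATH does not exist.
check_mode() {
    path=$1; want=$2
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    have=$(stat -c '%a' "$path")
    if [ "$have" != "$want" ]; then
        echo "BAD     $path mode=$have expected=$want"
        return 1
    fi
    echo "OK      $path mode=$have"
}

# audit_rm_keys [DIR]: PFM - RM host side, attributes from Table 2-25.
audit_rm_keys() {
    dir=${1:-/opt/jp1pc/agt7/.ssh}
    rc=0
    check_mode "$dir" 700 || rc=1            # hidden key directory
    check_mode "$dir/agt7" 600 || rc=1       # private key file
    check_mode "$dir/agt7.pub" 644 || rc=1   # public key file
    return $rc
}

# audit_target_keys [DIR]: monitored host side, as set in procedure (3).
audit_target_keys() {
    dir=${1:-$HOME/.ssh}
    rc=0
    check_mode "$dir" 700 || rc=1
    check_mode "$dir/authorized_keys" 600 || rc=1
    return $rc
}

# Usage: "sh script.sh rm" on the PFM - RM host,
#        "sh script.sh target" on a monitored host as the remote user.
case "${1:-}" in
    rm)     audit_rm_keys "${2:-}" ;;
    target) audit_target_keys "${2:-}" ;;
esac
```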
(4) Checking the connection and performing fingerprint authentication
To check whether the PFM - RM host and a monitored host can connect to each other:
- Log on to the PFM - RM host as a superuser.
- Using the created private key, execute the ssh client command to connect to the monitored host.
The connection process begins.
- During the initial connection, perform fingerprint authentication.
Register the fingerprint of the public key of the monitored host.
If the connection is established successfully without entering anything, the SSH connection setup is complete.
If an error occurs or an entry is requested, check whether the procedure was executed correctly.
The following shows an example of the settings for checking the connection:
[root@RMHost]$ /usr/bin/ssh -i /opt/jp1pc/agt7/.ssh/agt7 -p 22 ssh-user@TargetHost
The authenticity of host 'TargetHost (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'TargetHost,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.
Last login: Mon Mar 23 17:17:52 2009 from xxx.xxx.xxx.xxx
[ssh-user@TargetHost ~]$ exit
logout
Connection to TargetHost closed.
[root@RMHost]$
- Note
- PFM - RM for Platform assumes that fingerprint authentication has already been completed. Because you can register a fingerprint during the initial SSH client connection, we recommend that you complete the procedure described here at that point.
All Rights Reserved. Copyright (C) 2009, Hitachi, Ltd.