
Enabling SSH

The SSH program lets you log into and execute commands on a remote system. SSH enables encrypted communications and an authentication process between two untrusted hosts over an insecure network. SSH is the preferred method of remote communication because it provides a greater level of security than the RSH suite of protocols. Veritas recommends configuring a secure shell environment before installing any Veritas product. The following is an example SSH setup procedure.


Note: Read the SSH documentation and online manual pages before enabling SSH. Visit the OpenSSH website for more information. Contact your OS support provider for issues regarding SSH configuration.


To enable SSH

  1. Log in as root on the source system from which you want to install the Veritas product.
  2. To generate a DSA key pair on the source system, type the following:

# ssh-keygen -t dsa

System output similar to the following is displayed:

Generating public/private dsa key pair.

Enter file in which to save the key (//.ssh/id_dsa):

  3. Press Enter to accept the default location of /.ssh/id_dsa. System output similar to the following is displayed:

Enter passphrase (empty for no passphrase):

  4. Do not enter a passphrase. Press Enter:

Enter same passphrase again:

Press Enter again.

  5. Make sure the /.ssh/ directory is on all the target installation systems. If that directory is missing, create it on the target system:

# mkdir /.ssh

  6. Even if the host system is a target for the installation, do the following to complete the SSH configuration. Append the file /.ssh/id_dsa.pub to /.ssh/authorized_keys2 on each target system by invoking the secure file transfer program:

# sftp target_sys

If you are performing this step for the first time on this system, output similar to the following is displayed:

Connecting to target_sys...

The authenticity of host 'target_sys (10.182.00.00)'

can't be established. DSA key fingerprint is

fb:6f:9f:61:91:9d:44:6b:87:86:ef:68:a6:fd:88:7d.

Are you sure you want to continue connecting (yes/no)?

yes

  7. Enter yes. Output similar to the following is displayed:

Warning: Permanently added 'target_sys,10.182.00.00'

(DSA) to the list of known hosts.

root@target_sys password:

  8. Enter the root password.
  9. At the sftp prompt, type the following command:

sftp> put /.ssh/id_dsa.pub

The following output is displayed:

Uploading /.ssh/id_dsa.pub to /id_dsa.pub

  10. To quit the SFTP session, type the following command:

sftp> quit

  11. To begin the ssh session on the target system, type the following command:

# ssh target_sys

  12. Enter the root password at the prompt:

root@target_sys's password:

  13. After logging in, enter the following command to append the id_dsa.pub file to the authorized keys file:

# cat id_dsa.pub >> /.ssh/authorized_keys2

  14. To delete the id_dsa.pub public key file after it is copied to the target (host) system and added to the authorized keys file, type the following command:

# rm /id_dsa.pub

  15. To log out of the ssh session, type the following command:

# exit

  16. When installing from a source system that is also an installation target, add the local system id_dsa.pub key to the local ~/.ssh/authorized_keys2 file. The installation can fail if the installation host is not authenticated.
  17. Run the following commands on the source installation system. These commands bring the private key into the shell environment and make the key globally available for the user root:

# exec /usr/bin/ssh-agent $SHELL

# ssh-add

Identity added: //.ssh/id_dsa

This is a shell-specific step and is valid only while the shell is active. You must execute the procedure again if you close the shell during the session.

  18. To verify that you can connect to the target system, type the following command:

# ssh -l root target_sys uname -a

The commands should execute on the remote system without the system requesting a passphrase or password. Repeat this step for each target system.
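
The target-side steps above (mkdir /.ssh, cat id_dsa.pub >> /.ssh/authorized_keys2, rm /id_dsa.pub) leave directory and file modes to the umask and add a duplicate entry each time they are repeated. The following is an added example, not part of the original Veritas procedure, that does the same append once and with explicit modes. The function names install_pubkey, file_mode and demo are hypothetical, the sample key line is constructed, and the pattern also accepts RSA, ECDSA and Ed25519 key lines in addition to the DSA key used on this page.

```shell
#!/bin/sh
# Added example (not Veritas code). Function names are hypothetical.

# install_pubkey PUBFILE SSHDIR [AUTHFILE]
# Appends the key in PUBFILE to SSHDIR/AUTHFILE once, with safe modes.
install_pubkey() {
    pub=$1; dir=$2; auth=$dir/${3:-authorized_keys2}

    # Accept exactly one line shaped like "<type> <base64> [comment]".
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    grep -Eq '^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$pub" \
        || { echo "not a public key line: $pub" >&2; return 1; }

    # sshd with StrictModes (the default) refuses keys kept under group- or
    # world-writable paths, so set modes explicitly rather than trust the umask.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077; touch "$auth" ) && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    grep -qxF -- "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# file_mode PATH: print the octal mode, e.g. 600 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo: run twice against a scratch directory; prints "<entries> <mode>".
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample line, not a real key.
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAGNvbnN0cnVjdGVk root@source_sys' > "$tmp/id_dsa.pub"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/.ssh" || return 1
    install_pubkey "$tmp/id_dsa.pub" "$tmp/.ssh" || return 1   # adds nothing
    echo "$(grep -c '' "$tmp/.ssh/authorized_keys2") $(file_mode "$tmp/.ssh/authorized_keys2")"
    rm -rf "$tmp"
}

# On a target system, in place of the mkdir, cat >> and rm steps:
#   install_pubkey /id_dsa.pub /.ssh && rm /id_dsa.pub
```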