Linux: adding a key to auth (authkeys)

This post explains how to configure the Linux-HA Heartbeat authentication key file: setting the key used to sign outgoing packets and defining how incoming packets are signed. It recommends a secure signature method such as SHA1, gives the steps for changing keys in a running cluster, and provides a shell script that generates a key automatically. It also stresses that the key must be kept secret (readable and writable by root only) and identical across nodes.

From Linux-HA

Configuring authkeys

The authkeys configuration file contains information for Heartbeat to use when authenticating cluster members. It cannot be readable or writable by anyone other than root.

Two lines are required in the authkeys file:

1. A line which says which key to use in signing outgoing packets.
2. One or more lines defining how incoming packets might be signed.

auth 1

1 sha1 PutYourSuperSecretKeyHere

In this sample file, the auth 1 directive says to use key number 1 for signing outgoing packets. The 1 sha1... line describes how to sign the packets. The fields in this line are as follows:

1 - the key number associated with this line.

sha1 - the key signature method.

PutYourSuperSecretKeyHere - shared secret key[1] to use in signing packets. This key must be the same on all nodes except as noted below.

Normally, the key number would be 1, and the first line would say auth 1.

NOTE

We do not recommend that you use the crc method unless all your communication is across serial lines and crossover cables.

List of supported signature methods

We currently support these signature methods:

sha1 - SHA1 hash method (requires a key)

md5 - MD5 hash method (requires a key)

crc - CRC hash method - insecure - does not require a key

To get an absolutely up-to-date list of authentication methods supported, run this command:

ls /usr/lib*/heartbeat/plugins/HBauth/*.so

Changing Keys in the Cluster

To change keys without restarting heartbeat, the following procedure must be followed:

1. Choose a new authentication method. I'll refer to the chosen authentication method as authmethod.
2. Append a new "number authmethod key" line to the authkeys file. The number on this line is fairly arbitrary, but it must be unique in the file and between 1 and 15 inclusive.
3. Copy this authkeys file to each node in the cluster.
4. On each node, issue a /etc/init.d/heartbeat reload command.
5. Change the first line to say "auth number", matching the new number added in step 2 above.
6. Copy this authkeys file to each node in the cluster.
7. On each node, issue a /etc/init.d/heartbeat reload command.
8. Wait for 500 heartbeat intervals.
9. Remove the original "number authmethod key" line from the file (not the one added in step 2 above).
10. Copy this authkeys file to each node in the cluster.
11. On each node, issue a /etc/init.d/heartbeat reload command.

This is a little odd, but it works...
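As an added example (not code from the Linux-HA page), the following Python checks an authkeys file against the rules above (exactly one auth line naming a defined key number, numbers unique and between 1 and 15, sha1/md5 requiring a key, crc not) and produces the three file versions that the rotation procedure pushes to every node in steps 2, 5 and 9. The function names and the rendering order are my own choices.

```python
"""Validate a Heartbeat authkeys file and derive the rotation stages (added example)."""

# method -> whether a shared key is required (crc is keyless and insecure)
METHODS = {"sha1": True, "md5": True, "crc": False}


def parse_authkeys(text):
    """Return (active_number, {number: (method, key)}) or raise ValueError."""
    active, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        fields = line.split(None, 2)      # number method key (key may contain spaces)
        if fields[0] == "auth":
            if active is not None or len(fields) != 2 or not fields[1].isdigit():
                raise ValueError("exactly one 'auth <number>' line is required")
            active = int(fields[1])
            continue
        if not fields[0].isdigit() or not 1 <= int(fields[0]) <= 15:
            raise ValueError("key number must be 1..15: %r" % line)
        number = int(fields[0])
        method = fields[1] if len(fields) > 1 else ""
        key = fields[2] if len(fields) > 2 else ""
        if number in keys:
            raise ValueError("duplicate key number %d" % number)
        if method not in METHODS:
            raise ValueError("unsupported method %r" % method)
        if METHODS[method] and not key:
            raise ValueError("method %s requires a key" % method)
        keys[number] = (method, key)
    if active is None or active not in keys:
        raise ValueError("auth line must name a defined key number")
    return active, keys


def render(active, keys):
    """Serialise back to authkeys syntax: auth line first, keys in numeric order."""
    lines = ["auth %d" % active]
    for n in sorted(keys):
        method, key = keys[n]
        lines.append(("%d %s %s" % (n, method, key)).rstrip())
    return "\n".join(lines) + "\n"


def rotation_stages(text, new_method, new_key):
    """Return the three file contents distributed in steps 2, 5 and 9 above."""
    active, keys = parse_authkeys(text)
    new_number = min(n for n in range(1, 16) if n not in keys)  # lowest free slot
    keys[new_number] = (new_method, new_key)
    stage1 = render(active, keys)       # new key appended, old key still signs
    stage2 = render(new_number, keys)   # auth switched to the new key
    del keys[active]
    stage3 = render(new_number, keys)   # old key dropped after the 500 intervals
    return stage1, stage2, stage3
```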

Generating authkeys Automatically

Since the key in /etc/ha.d/authkeys file never has to be typed by a human being, it is not necessary for it to be in any way mnemonic or memorable. As a result a long, randomly generated key is a good choice.

The following shell snippet will generate such a key (a 32-character hex string derived from /dev/urandom) and write the file with root-only permissions:

cat <<!AUTH >/etc/ha.d/authkeys
# Automatically generated authkeys file
auth 1
1 sha1 $(dd if=/dev/urandom count=4 2>/dev/null | md5sum | cut -c1-32)
!AUTH
chmod 600 /etc/ha.d/authkeys

Or for SHA1:

dd if=/dev/urandom count=4 2>/dev/null | openssl dgst -sha1
