Enabling the execution of remote commands (Linux® and UNIX)
Starting from version 11.5.6, you must set up SSH keys to connect between nodes without using a password.
Before you begin
In a partitioned database system, each database partition server must have the authority to perform remote commands on all the other database partition servers participating in an instance. You can grant this authority by adding each ssh public key to the authorized keys file of each machine. Because the home directory for the instance is on the shared Db2® home file system, only one pair of keys is required for the instance.
About this task
This topic describes how to enable execution of remote commands using SSH. You can also use rsh to enable execution of remote commands. For more information, refer to Setting up a partitioned database environment.
Use of rsh is not recommended because it does not meet modern security standards. For information on using rsh, refer to Enabling the execution of remote commands using rsh (Linux and UNIX).
- Set up public key-based authentication.
Public key-based authentication enables a single user ID to log in as that same user ID on each host in the instance without being prompted for a password. If the user ID has a ~/.ssh directory, ensure that it does not allow group or other write access. Ensure that the home directory for the user does not allow group or other write access. This situation is considered a security exposure and if the directory permissions are not restrictive enough, public key-based authentication will not be allowed through SSH.
Having an existing ~/.ssh directory is not required, as using the ssh-keygen command creates the necessary ~/.ssh file directory and sets up the appropriate access.From your ~/.ssh directory, generate a public key/private key pair. For example, to generate ssh key using RSA:
ssh-keygen -t rsa
When prompted for input, press Enter to accept the default empty value.
Ensure that no passphrase is entered, otherwise you will be asked to do so each SSH authentication attempt. The Db2 database does not allow remote shell utilities to prompt for additional verification.
This action generates two new files in the ~/.ssh directory, id_rsa (the private key) and id_rsa.pub (the public key) for RSA encryption.Note: Other encryption types are also supported. However, it is recommended to use RSA encryption as it is more secure.
- Once generated, append the contents of the public key to a single file called
authorized_keys. Then, copy the authorized_keys file to the user's ~/.ssh directory on each host and run the chmod 644 authorized_keys command from the Db2 instance owner user ID.