Providing Open Source High-Availability Software for Linux and other OSes since 1999.

This web page is no longer maintained. Information presented here exists only to avoid breaking historical links.
The Project stays maintained, and lives on: see the Linux-HA Reference Documentation.


Last site update:
2017-11-24 22:03:56

Configuring authkeys

The authkeys configuration file contains the information Heartbeat uses to authenticate cluster members. It must not be readable or writable by anyone other than root.

Two lines are required in the authkeys file:

  1. A line which says which key to use in signing outgoing packets.

  2. One or more lines defining how incoming packets may be signed.

    auth 1 
    1 sha1 PutYourSuperSecretKeyHere

In this sample file, the auth 1 directive says to use key number 1 for signing outgoing packets. The 1 sha1... line describes how to sign the packets. The fields in this line are as follows:

  • 1 - the key number associated with this line.

  • sha1 - the key signature method.

  • PutYourSuperSecretKeyHere - shared secret key[1] to use in signing packets. This key must be the same on all nodes except as noted below.

Normally, the key number would be 1, and the first line would say auth 1.

NOTE

We do not recommend that you use the crc method unless all your communication is across serial lines and crossover cables.

List of supported signature methods

We currently support these signature methods:

  • sha1 - SHA1 hash method (requires a key)
  • md5 - MD5 hash method (requires a key)
  • crc - CRC hash method - insecure - does not require a key

To get an absolutely up-to-date list of the authentication methods supported, run this command:

ls /usr/lib*/heartbeat/plugins/HBauth/*.so

Changing Keys in the Cluster

To change keys without restarting heartbeat, follow this procedure:

  1. Choose a new authentication method. I'll refer to the chosen authentication method as authmethod.

  2. Append a new number authmethod line to the authkeys file. The number on this line is fairly arbitrary, but it must be unique in the file and between 1 and 15 inclusive.

  3. Copy this authkeys file to each node in the cluster.
  4. On each node, issue a /etc/init.d/heartbeat reload command.

  5. Change the first line to say auth number to match the new number added in step 2 above.

  6. Copy this authkeys file to each node in the cluster.
  7. On each node, issue a /etc/init.d/heartbeat reload command.

  8. Wait for 500 heartbeat intervals.
  9. Remove the original authnumber authmethod line from the file (not the one added to the file in step 2 above).

  10. Copy this authkeys file to each node in the cluster.
  11. On each node, issue a /etc/init.d/heartbeat reload command.

This is a little odd, but it works...
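The three files distributed in steps 3, 6 and 10 can be generated and checked against the format rules above before they are copied to any node. This is an added example, not Heartbeat or Linux-HA code; the function names, the sample keys, the treatment of lines starting with # as comments, and the single-token key are assumptions.

```python
import os

REQUIRES_KEY = {"sha1": True, "md5": True, "crc": False}  # methods listed on this page
SAMPLE = "auth 1\n1 sha1 OldConstructedKey\n"  # constructed sample file

def parse_authkeys(text):
    """Return (active_number, {number: (method, key)}); ValueError on a bad file."""
    active, keys = None, {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):  # assumption: '#' lines are comments
            continue
        if f[0] == "auth":
            if len(f) != 2 or active is not None:
                raise ValueError("need exactly one 'auth <number>' line")
            active = int(f[1])
            continue
        if not 2 <= len(f) <= 3 or f[1] not in REQUIRES_KEY:
            raise ValueError("bad key line: " + line.strip())
        num, method, key = int(f[0]), f[1], (f[2] if len(f) == 3 else "")
        if not 1 <= num <= 15 or num in keys:
            raise ValueError("key number must be unique and 1..15: %d" % num)
        if REQUIRES_KEY[method] and not key:
            raise ValueError("%s requires a key" % method)
        keys[num] = (method, key)
    if active not in keys:
        raise ValueError("auth line does not name a defined key")
    return active, keys

def render(active, keys):
    rows = [("%d %s %s" % (n, m, k)).rstrip() for n, (m, k) in sorted(keys.items())]
    return "\n".join(["auth %d" % active] + rows) + "\n"

def rotation_stages(text, method, key):
    """Files for steps 3, 6 and 10; step 8's wait falls between the last two."""
    old, keys = parse_authkeys(text)
    new = min(n for n in range(1, 16) if n not in keys)  # lowest unused number
    both = {**keys, new: (method, key)}
    final = {n: v for n, v in both.items() if n != old}
    stages = [render(old, both), render(new, both), render(new, final)]
    for s in stages:
        parse_authkeys(s)  # every intermediate file must itself be valid
    return stages

def private_to_root(path):
    st = os.stat(path)
    return st.st_uid == 0 and (st.st_mode & 0o077) == 0  # root-owned, no group/other bits

if __name__ == "__main__":
    print("\n".join(rotation_stages(SAMPLE, "sha1", "NewConstructedKey")))
```

Running private_to_root on each node's authkeys file after every copy confirms that the file has not been left readable by other users.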

See Also

GeneratingAuthkeysAutomatically, ha.cf, haresources, Configuring Heartbeat