各种格式SSH 公钥和私钥之间的转换

前天给客户安装环境，没想到在生成SSH密钥上耽误很多时间。

先从一个实验开始吧。

先生成密钥对，公钥为/tmp/key.pub，私钥为/tmp/key。命令行选项中 -t表示key type，-b表示key的bit数，在puttygen中也是使用这样的组合，即RSA， 2048。

$ ssh-keygen -t rsa -N "" -b 2048  -f /tmp/key
Generating public/private rsa key pair.
Your identification has been saved in /tmp/key.
Your public key has been saved in /tmp/key.pub.
The key fingerprint is:
SHA256:tEKCPeGEeACopFxSLc0gp2qRgcJlbd7nI85PQqKxZWg vagrant@ol7-vagrant
The key's randomart image is:
+---[RSA 2048]----+
|B=oBO            |
|=+XB B           |
|*=+ O o .        |
|+.. .= o o       |
|.. E +..S        |
|. . * oo o       |
|   o  o....      |
|       oo        |
|        ..       |
+----[SHA256]-----+

这里产生的私钥默认是兼容性更好的PEM格式。如果加-o选项，则生成的是OpenSSH格式的私钥。

$ file /tmp/key
/tmp/key: PEM RSA private key
$ cat /tmp/key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA9wAa7Z+rNh6hqbL0CFfC4zwjSoRn5Pos8fcP2AuuyjdSLZS6
I9Sd6KpE9iWeYrRDgNnEwCCCg5g+UmaPo1r7bzkfaCivmFslqj0nT7KxQo7sinSV
Ir20awwAHsI0hfdKJVs+stpLaXWtsvb9jTSBNgKGJ8RWVGVQUZgfLZU4bTb6J8PU
n8S6r6AUkWpbhhEF0pMQYrJir3CV0B0yYpNbKZGRLbRxmeBG5s8tgitiWOUcUCty
JJgY7r5mWAiO2NSNtTz9ZeZcUA7P+eZqreCR8OvWooZ3LcahdiVJg1tnkxv7KNrB
biDOgfOzjKwMu7zUQDw+J8kjpKMfwf4c4SiyOQIDAQABAoIBAQDhkCYHRN3s0XJe
776tc7/VFlFANsRONi0fVrkQWjLoFjckywJlwD/ofr31b4tBpk9S9wwXTFkD5d9c
Dq8zxd2Bx8+npigdYXd3DNu+i3gXSUA4fJjJHicJ7u6ZKE8g3CDJFpeea32ctEvI
+Ie6EO3CrfFnlYQlFFSR/vLSBMh/6n6lkei01LLTR9tNumvoRFOtyJ5oVnyCeHru
vWZJxZpbZNEIGMXDFbQyJ3ceqF2X4n9/CAGIg9Dndc+ZubYwxT5cUY573KxO70hy
ClnUiG3sFGad1qsmKgW6f9cizRCaPtPKhB7JtaUS3ePyO3PAU42HhXYv6qRubazO
Ddm6AnwRAoGBAPyo8y8ELwCIujAgifNeMcSCpHkDv9DkOPk2E6l/lR+3qrZLmOQs
bywsfLDvgpRzAUIlKzWRaHp2f2+071MX2ChQvh/JxbIHIEnwJXjd/1hzF8oCmOWF
LVVmR06NjwA6IqwWVCZZ7OEUVtu/iTNLf0n6efhTtrKjrnEQl7BhMP8VAoGBAPpE
AJMIL+eEuqdQXXEoI/wxV8J6oavNAD9IyTgZHau4DiDp6RaByIVlDZWmpDfCU7xA
7d3uJfwFLhNsAzEx8UYwyTrKu9u0J+ZA1cWePBwH2eF5FEM+1H0ZunqsRvADsnhd
fyloKr6m+1LczGKsFsL06luaatH6IgFLrPoKag+VAoGAYODDRi7bet/yTEvduWRP
vuK8/+3RGd64fc4fYemam2vIWFfKSwtCoXR5ZzqfHh6ux9cKp2KW5gYTvRhqf7jv
2B2FmRi75hRXbCJZq+urYhXXdEzkpXUYOdua0eLzhwnDi6qQH5hxfKhY2a+qgvGa
4BnbtL0cm4ipdY8AKtBJgjUCgYEAxFtuh+44h9IgEP6BEjOIaGrejHxjNMSXmQ+m
sRkjqoOysihU9Y/GoML0saIZ3pXd1SqsdyBPNTlrOVnZ91NUFtpYSISgeHUViRb9
oxvP1b5jOQEi4M//MFhrc6yPy+lasg3Jo9dTEls5fX437oNPKI+5AT5a6Xz0CUgy
48wgAzECgYAn15ctkpAhZVNhx+pgkJmsCd7kNAZaPNuWWrejemlzypEy7aN7KVlT
gfF1/tJOgu6PVKVAVfvDT1ipVV36hTHkFDeWjP0vfZ+CN+ym8DcHE8XwPuCy4bhY
bLjCLvyEMpUI6/cJ6a4jCXAI1bweHcV0UpBIS1n65/eSGD0JGy3Esg==
-----END RSA PRIVATE KEY-----

$ file /tmp/key.pub
/tmp/key.pub: OpenSSH RSA public key
$ cat /tmp/key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5 vagrant@ol7-vagrant

这里生成的PEM RSA格式的私钥，可以import到puttygen中生成putty使用的PPK格式的私钥，如下：

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx
9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWq
PSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBR
mB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebm
zy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2
JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
Private-Lines: 14
AAABAQDhkCYHRN3s0XJe776tc7/VFlFANsRONi0fVrkQWjLoFjckywJlwD/ofr31
b4tBpk9S9wwXTFkD5d9cDq8zxd2Bx8+npigdYXd3DNu+i3gXSUA4fJjJHicJ7u6Z
KE8g3CDJFpeea32ctEvI+Ie6EO3CrfFnlYQlFFSR/vLSBMh/6n6lkei01LLTR9tN
umvoRFOtyJ5oVnyCeHruvWZJxZpbZNEIGMXDFbQyJ3ceqF2X4n9/CAGIg9Dndc+Z
ubYwxT5cUY573KxO70hyClnUiG3sFGad1qsmKgW6f9cizRCaPtPKhB7JtaUS3ePy
O3PAU42HhXYv6qRubazODdm6AnwRAAAAgQD8qPMvBC8AiLowIInzXjHEgqR5A7/Q
5Dj5NhOpf5Uft6q2S5jkLG8sLHyw74KUcwFCJSs1kWh6dn9vtO9TF9goUL4fycWy
ByBJ8CV43f9YcxfKApjlhS1VZkdOjY8AOiKsFlQmWezhFFbbv4kzS39J+nn4U7ay
o65xEJewYTD/FQAAAIEA+kQAkwgv54S6p1BdcSgj/DFXwnqhq80AP0jJOBkdq7gO
IOnpFoHIhWUNlaakN8JTvEDt3e4l/AUuE2wDMTHxRjDJOsq727Qn5kDVxZ48HAfZ
4XkUQz7UfRm6eqxG8AOyeF1/KWgqvqb7UtzMYqwWwvTqW5pq0foiAUus+gpqD5UA
AACAJ9eXLZKQIWVTYcfqYJCZrAne5DQGWjzbllq3o3ppc8qRMu2jeylZU4Hxdf7S
ToLuj1SlQFX7w09YqVVd+oUx5BQ3loz9L32fgjfspvA3BxPF8D7gsuG4WGy4wi78
hDKVCOv3CemuIwlwCNW8Hh3FdFKQSEtZ+uf3khg9CRstxLI=
Private-MAC: dfd25e12c37694bbf51cdcd0dd71c8f77c0ae63d

顺带说一下，PEM表示Privacy Enhanced Mail，PPK表示PuTTY Private Key。这两种都是私钥格式。PEM实际上是一种特定的BASE64编码。参见这里

将OpenSSH格式公钥转换为SSH2格式，即RFC 4716格式：

$ ssh-keygen -e -f /tmp/key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by vagrant@ol7-vagrant from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC6
7KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyK
dJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxL
qvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZY
CI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vN
RAPD4nySOkox/B/hzhKLI5
---- END SSH2 PUBLIC KEY ----

将SSH2 格式公钥转换为PEM：

$ ssh-keygen -e -f /tmp/key > key.ssh2
$ ssh-keygen -i -f key.ssh2 > key.pem
$ cat key.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5

$ file key.pem
key.pem: OpenSSH RSA public key

将OpenSSH格式公钥转换为PEM格式：

$ ssh-keygen -f /tmp/key.pub -e -m pem

私钥除了PEM格式，还有一个OpenSSH格式。如文档描述：

-m key_format
             Specify a key format for key generation, the -i (import), -e
             (export) conversion options, and the -p change passphrase oper‐
             ation.  The latter may be used to convert between OpenSSH pri‐
             vate key and PEM private key formats.  The supported key for‐
             mats are: “RFC4716” (RFC 4716/SSH2 public or private key),
             “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public
             key).  By default OpenSSH will write newly-generated private
             keys in its own format, but when converting public keys for
             export the default format is “RFC4716”.  Setting a format of
             “PEM” when generating or updating a supported private key type
             will cause the key to be stored in the legacy PEM private key
             format.

使用-p选项可以将PEM和OpenSSH格式互相转换。

# 从OpenSSH到PEM
ssh-keygen -p -N "" -m pem -f /path/to/key
# 从PEM到OpenSSH
ssh-keygen -p -N ""  -f /path/to/key

总结一下，私钥的格式有PEM, OpenSSH和PPK 3种。公钥的格式有OpenSSH和SSH2两种。

对于私钥，PPK是putty程序用的，这种格式和其它格式的转换通过puttygen来做。puttygen只能import PEM格式的，但可以转换成openssh格式的。PEM和OpenSSH之间的转换通过ssh-keygen -p来做。

对于公钥，OpenSSH，SSH2，PEM之间通过ssh-keygen -e或-i来转换。 ~/.ssh/authorized_keys中存放的公钥是OpenSSH格式。OCI中API Signing Key使用PKCS8格式的公钥。如下：

$ ssh-keygen -f /tmp/key.pub -e -m PKCS8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qbA9YzAhibGhHqLR4+k
9hEthtZkGMNw95AzEkmZ22q6sVAm0+EOS4iNPNxZkX1Dn9rDztn0n9pBGzet1V6Y
ul7q2wpael/YUk7MM+qGvBNp87RoXmZ17B3BVPAlVPol1q3PV4iWSuHs1RrY2HmJ
I2T4yZKcjtHOManI32Hl2Czo6upswUlZVeQ5pwI2g/wFjjyUwaRaB5CiKN8GjjNp
TKwdOt89GcOfZbo54f9yu9L/FbISGMfFi8DVdMHnLPgtpCvmpJ3aa5BvligMEOB2
5KT+DN7Eu+Bsbl2w3tkhvsa11AHVX+ZAdqPG40NAG7JtJouEvLYS17pI1kOVAO1v
pwIDAQAB
-----END PUBLIC KEY-----

那天在客户处出现的问题就是因为Oracle公有云(OCI)生成的私钥和私钥都是OpenSSH格式的。所以私钥无法直接导入puttygen，需要先转换为PEM格式才可导入。
————————————————

原文链接：https://blog.csdn.net/stevensxiao/article/details/109381001