前天给客户安装环境,没想到在生成SSH密钥上耽误很多时间。
先从一个实验开始吧。
先生成密钥对,公钥为/tmp/key.pub,私钥为/tmp/key。命令行选项中 -t表示key type,-b表示key的bit数,在puttygen中也是使用这样的组合,即RSA, 2048。
$ ssh-keygen -t rsa -N "" -b 2048 -f /tmp/key
Generating public/private rsa key pair.
Your identification has been saved in /tmp/key.
Your public key has been saved in /tmp/key.pub.
The key fingerprint is:
SHA256:tEKCPeGEeACopFxSLc0gp2qRgcJlbd7nI85PQqKxZWg vagrant@ol7-vagrant
The key's randomart image is:
+---[RSA 2048]----+
|B=oBO |
|=+XB B |
|*=+ O o . |
|+.. .= o o |
|.. E +..S |
|. . * oo o |
| o o.... |
| oo |
| .. |
+----[SHA256]-----+
这里产生的私钥默认是兼容性更好的PEM格式。如果加-o选项,则生成的是OpenSSH格式的私钥。
$ file /tmp/key
/tmp/key: PEM RSA private key
$ cat /tmp/key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA9wAa7Z+rNh6hqbL0CFfC4zwjSoRn5Pos8fcP2AuuyjdSLZS6
I9Sd6KpE9iWeYrRDgNnEwCCCg5g+UmaPo1r7bzkfaCivmFslqj0nT7KxQo7sinSV
Ir20awwAHsI0hfdKJVs+stpLaXWtsvb9jTSBNgKGJ8RWVGVQUZgfLZU4bTb6J8PU
n8S6r6AUkWpbhhEF0pMQYrJir3CV0B0yYpNbKZGRLbRxmeBG5s8tgitiWOUcUCty
JJgY7r5mWAiO2NSNtTz9ZeZcUA7P+eZqreCR8OvWooZ3LcahdiVJg1tnkxv7KNrB
biDOgfOzjKwMu7zUQDw+J8kjpKMfwf4c4SiyOQIDAQABAoIBAQDhkCYHRN3s0XJe
776tc7/VFlFANsRONi0fVrkQWjLoFjckywJlwD/ofr31b4tBpk9S9wwXTFkD5d9c
Dq8zxd2Bx8+npigdYXd3DNu+i3gXSUA4fJjJHicJ7u6ZKE8g3CDJFpeea32ctEvI
+Ie6EO3CrfFnlYQlFFSR/vLSBMh/6n6lkei01LLTR9tNumvoRFOtyJ5oVnyCeHru
vWZJxZpbZNEIGMXDFbQyJ3ceqF2X4n9/CAGIg9Dndc+ZubYwxT5cUY573KxO70hy
ClnUiG3sFGad1qsmKgW6f9cizRCaPtPKhB7JtaUS3ePyO3PAU42HhXYv6qRubazO
Ddm6AnwRAoGBAPyo8y8ELwCIujAgifNeMcSCpHkDv9DkOPk2E6l/lR+3qrZLmOQs
bywsfLDvgpRzAUIlKzWRaHp2f2+071MX2ChQvh/JxbIHIEnwJXjd/1hzF8oCmOWF
LVVmR06NjwA6IqwWVCZZ7OEUVtu/iTNLf0n6efhTtrKjrnEQl7BhMP8VAoGBAPpE
AJMIL+eEuqdQXXEoI/wxV8J6oavNAD9IyTgZHau4DiDp6RaByIVlDZWmpDfCU7xA
7d3uJfwFLhNsAzEx8UYwyTrKu9u0J+ZA1cWePBwH2eF5FEM+1H0ZunqsRvADsnhd
fyloKr6m+1LczGKsFsL06luaatH6IgFLrPoKag+VAoGAYODDRi7bet/yTEvduWRP
vuK8/+3RGd64fc4fYemam2vIWFfKSwtCoXR5ZzqfHh6ux9cKp2KW5gYTvRhqf7jv
2B2FmRi75hRXbCJZq+urYhXXdEzkpXUYOdua0eLzhwnDi6qQH5hxfKhY2a+qgvGa
4BnbtL0cm4ipdY8AKtBJgjUCgYEAxFtuh+44h9IgEP6BEjOIaGrejHxjNMSXmQ+m
sRkjqoOysihU9Y/GoML0saIZ3pXd1SqsdyBPNTlrOVnZ91NUFtpYSISgeHUViRb9
oxvP1b5jOQEi4M//MFhrc6yPy+lasg3Jo9dTEls5fX437oNPKI+5AT5a6Xz0CUgy
48wgAzECgYAn15ctkpAhZVNhx+pgkJmsCd7kNAZaPNuWWrejemlzypEy7aN7KVlT
gfF1/tJOgu6PVKVAVfvDT1ipVV36hTHkFDeWjP0vfZ+CN+ym8DcHE8XwPuCy4bhY
bLjCLvyEMpUI6/cJ6a4jCXAI1bweHcV0UpBIS1n65/eSGD0JGy3Esg==
-----END RSA PRIVATE KEY-----
$ file /tmp/key.pub
/tmp/key.pub: OpenSSH RSA public key
$ cat /tmp/key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5 vagrant@ol7-vagrant
这里生成的PEM RSA格式的私钥,可以import到puttygen中生成putty使用的PPK格式的私钥,如下:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx
9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWq
PSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBR
mB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebm
zy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2
JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
Private-Lines: 14
AAABAQDhkCYHRN3s0XJe776tc7/VFlFANsRONi0fVrkQWjLoFjckywJlwD/ofr31
b4tBpk9S9wwXTFkD5d9cDq8zxd2Bx8+npigdYXd3DNu+i3gXSUA4fJjJHicJ7u6Z
KE8g3CDJFpeea32ctEvI+Ie6EO3CrfFnlYQlFFSR/vLSBMh/6n6lkei01LLTR9tN
umvoRFOtyJ5oVnyCeHruvWZJxZpbZNEIGMXDFbQyJ3ceqF2X4n9/CAGIg9Dndc+Z
ubYwxT5cUY573KxO70hyClnUiG3sFGad1qsmKgW6f9cizRCaPtPKhB7JtaUS3ePy
O3PAU42HhXYv6qRubazODdm6AnwRAAAAgQD8qPMvBC8AiLowIInzXjHEgqR5A7/Q
5Dj5NhOpf5Uft6q2S5jkLG8sLHyw74KUcwFCJSs1kWh6dn9vtO9TF9goUL4fycWy
ByBJ8CV43f9YcxfKApjlhS1VZkdOjY8AOiKsFlQmWezhFFbbv4kzS39J+nn4U7ay
o65xEJewYTD/FQAAAIEA+kQAkwgv54S6p1BdcSgj/DFXwnqhq80AP0jJOBkdq7gO
IOnpFoHIhWUNlaakN8JTvEDt3e4l/AUuE2wDMTHxRjDJOsq727Qn5kDVxZ48HAfZ
4XkUQz7UfRm6eqxG8AOyeF1/KWgqvqb7UtzMYqwWwvTqW5pq0foiAUus+gpqD5UA
AACAJ9eXLZKQIWVTYcfqYJCZrAne5DQGWjzbllq3o3ppc8qRMu2jeylZU4Hxdf7S
ToLuj1SlQFX7w09YqVVd+oUx5BQ3loz9L32fgjfspvA3BxPF8D7gsuG4WGy4wi78
hDKVCOv3CemuIwlwCNW8Hh3FdFKQSEtZ+uf3khg9CRstxLI=
Private-MAC: dfd25e12c37694bbf51cdcd0dd71c8f77c0ae63d
顺带说一下,PEM表示Privacy Enhanced Mail,PPK表示PuTTY Private Key。这两种都是私钥格式。PEM实际上是一种特定的BASE64编码。参见这里
将OpenSSH格式公钥转换为SSH2格式,即RFC 4716格式:
$ ssh-keygen -e -f /tmp/key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by vagrant@ol7-vagrant from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC6
7KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyK
dJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxL
qvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZY
CI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vN
RAPD4nySOkox/B/hzhKLI5
---- END SSH2 PUBLIC KEY ----
将SSH2 格式公钥转换为PEM:
$ ssh-keygen -e -f /tmp/key > key.ssh2
$ ssh-keygen -i -f key.ssh2 > key.pem
$ cat key.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
$ file key.pem
key.pem: OpenSSH RSA public key
将OpenSSH格式公钥转换为PEM格式:
$ ssh-keygen -f /tmp/key.pub -e -m pem
私钥除了PEM格式,还有一个OpenSSH格式。如文档描述:
-m key_format
Specify a key format for key generation, the -i (import), -e
(export) conversion options, and the -p change passphrase oper‐
ation. The latter may be used to convert between OpenSSH pri‐
vate key and PEM private key formats. The supported key for‐
mats are: “RFC4716” (RFC 4716/SSH2 public or private key),
“PKCS8” (PKCS8 public or private key) or “PEM” (PEM public
key). By default OpenSSH will write newly-generated private
keys in its own format, but when converting public keys for
export the default format is “RFC4716”. Setting a format of
“PEM” when generating or updating a supported private key type
will cause the key to be stored in the legacy PEM private key
format.
使用-p选项可以将PEM和OpenSSH格式互相转换。
# 从OpenSSH到PEM
ssh-keygen -p -N "" -m pem -f /path/to/key
# 从PEM到OpenSSH
ssh-keygen -p -N "" -f /path/to/key
总结一下,私钥的格式有PEM, OpenSSH和PPK 3种。公钥的格式有OpenSSH和SSH2两种。
对于私钥,PPK是putty程序用的,这种格式和其它格式的转换通过puttygen来做。puttygen只能import PEM格式的,但可以转换成openssh格式的。PEM和OpenSSH之间的转换通过ssh-keygen -p来做。
对于公钥,OpenSSH,SSH2,PEM之间通过ssh-keygen -e或-i来转换。 ~/.ssh/authorized_keys中存放的公钥是OpenSSH格式。OCI中API Signing Key使用PKCS8格式的公钥。如下:
$ ssh-keygen -f /tmp/key.pub -e -m PKCS8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qbA9YzAhibGhHqLR4+k
9hEthtZkGMNw95AzEkmZ22q6sVAm0+EOS4iNPNxZkX1Dn9rDztn0n9pBGzet1V6Y
ul7q2wpael/YUk7MM+qGvBNp87RoXmZ17B3BVPAlVPol1q3PV4iWSuHs1RrY2HmJ
I2T4yZKcjtHOManI32Hl2Czo6upswUlZVeQ5pwI2g/wFjjyUwaRaB5CiKN8GjjNp
TKwdOt89GcOfZbo54f9yu9L/FbISGMfFi8DVdMHnLPgtpCvmpJ3aa5BvligMEOB2
5KT+DN7Eu+Bsbl2w3tkhvsa11AHVX+ZAdqPG40NAG7JtJouEvLYS17pI1kOVAO1v
pwIDAQAB
-----END PUBLIC KEY-----
那天在客户处出现的问题就是因为Oracle公有云(OCI)生成的私钥和私钥都是OpenSSH格式的。所以私钥无法直接导入puttygen,需要先转换为PEM格式才可导入。
————————————————
原文链接:https://blog.csdn.net/stevensxiao/article/details/109381001
网友评论