Converting Between SSH Public and Private Key Formats


Author: yandaren | Published: 2021-07-22 10:57

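The day before yesterday I was setting up an environment for a customer and unexpectedly lost a lot of time on generating SSH keys.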

Let's start with an experiment.

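First generate a key pair; the public key is /tmp/key.pub and the private key is /tmp/key. On the command line, -t is the key type and -b is the number of bits in the key. puttygen uses the same combination, i.e. RSA, 2048.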

    $ ssh-keygen -t rsa -N "" -b 2048  -f /tmp/key
    Generating public/private rsa key pair.
    Your identification has been saved in /tmp/key.
    Your public key has been saved in /tmp/key.pub.
    The key fingerprint is:
    SHA256:tEKCPeGEeACopFxSLc0gp2qRgcJlbd7nI85PQqKxZWg vagrant@ol7-vagrant
    The key's randomart image is:
    +---[RSA 2048]----+
    |B=oBO            |
    |=+XB B           |
    |*=+ O o .        |
    |+.. .= o o       |
    |.. E +..S        |
    |. . * oo o       |
    |   o  o....      |
    |       oo        |
    |        ..       |
    +----[SHA256]-----+
    

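The private key generated here is, by default, in the more widely compatible PEM format. Adding the -o option makes ssh-keygen write an OpenSSH-format private key instead. Newer ssh-keygen versions default to the OpenSSH format, as the man page excerpt quoted further down states, and need -m PEM to write the PEM format.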

    $ file /tmp/key
    /tmp/key: PEM RSA private key
    $ cat /tmp/key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA9wAa7Z+rNh6hqbL0CFfC4zwjSoRn5Pos8fcP2AuuyjdSLZS6
    I9Sd6KpE9iWeYrRDgNnEwCCCg5g+UmaPo1r7bzkfaCivmFslqj0nT7KxQo7sinSV
    Ir20awwAHsI0hfdKJVs+stpLaXWtsvb9jTSBNgKGJ8RWVGVQUZgfLZU4bTb6J8PU
    n8S6r6AUkWpbhhEF0pMQYrJir3CV0B0yYpNbKZGRLbRxmeBG5s8tgitiWOUcUCty
    JJgY7r5mWAiO2NSNtTz9ZeZcUA7P+eZqreCR8OvWooZ3LcahdiVJg1tnkxv7KNrB
    biDOgfOzjKwMu7zUQDw+J8kjpKMfwf4c4SiyOQIDAQABAoIBAQDhkCYHRN3s0XJe
    776tc7/VFlFANsRONi0fVrkQWjLoFjckywJlwD/ofr31b4tBpk9S9wwXTFkD5d9c
    Dq8zxd2Bx8+npigdYXd3DNu+i3gXSUA4fJjJHicJ7u6ZKE8g3CDJFpeea32ctEvI
    +Ie6EO3CrfFnlYQlFFSR/vLSBMh/6n6lkei01LLTR9tNumvoRFOtyJ5oVnyCeHru
    vWZJxZpbZNEIGMXDFbQyJ3ceqF2X4n9/CAGIg9Dndc+ZubYwxT5cUY573KxO70hy
    ClnUiG3sFGad1qsmKgW6f9cizRCaPtPKhB7JtaUS3ePyO3PAU42HhXYv6qRubazO
    Ddm6AnwRAoGBAPyo8y8ELwCIujAgifNeMcSCpHkDv9DkOPk2E6l/lR+3qrZLmOQs
    bywsfLDvgpRzAUIlKzWRaHp2f2+071MX2ChQvh/JxbIHIEnwJXjd/1hzF8oCmOWF
    LVVmR06NjwA6IqwWVCZZ7OEUVtu/iTNLf0n6efhTtrKjrnEQl7BhMP8VAoGBAPpE
    AJMIL+eEuqdQXXEoI/wxV8J6oavNAD9IyTgZHau4DiDp6RaByIVlDZWmpDfCU7xA
    7d3uJfwFLhNsAzEx8UYwyTrKu9u0J+ZA1cWePBwH2eF5FEM+1H0ZunqsRvADsnhd
    fyloKr6m+1LczGKsFsL06luaatH6IgFLrPoKag+VAoGAYODDRi7bet/yTEvduWRP
    vuK8/+3RGd64fc4fYemam2vIWFfKSwtCoXR5ZzqfHh6ux9cKp2KW5gYTvRhqf7jv
    2B2FmRi75hRXbCJZq+urYhXXdEzkpXUYOdua0eLzhwnDi6qQH5hxfKhY2a+qgvGa
    4BnbtL0cm4ipdY8AKtBJgjUCgYEAxFtuh+44h9IgEP6BEjOIaGrejHxjNMSXmQ+m
    sRkjqoOysihU9Y/GoML0saIZ3pXd1SqsdyBPNTlrOVnZ91NUFtpYSISgeHUViRb9
    oxvP1b5jOQEi4M//MFhrc6yPy+lasg3Jo9dTEls5fX437oNPKI+5AT5a6Xz0CUgy
    48wgAzECgYAn15ctkpAhZVNhx+pgkJmsCd7kNAZaPNuWWrejemlzypEy7aN7KVlT
    gfF1/tJOgu6PVKVAVfvDT1ipVV36hTHkFDeWjP0vfZ+CN+ym8DcHE8XwPuCy4bhY
    bLjCLvyEMpUI6/cJ6a4jCXAI1bweHcV0UpBIS1n65/eSGD0JGy3Esg==
    -----END RSA PRIVATE KEY-----
    
    $ file /tmp/key.pub
    /tmp/key.pub: OpenSSH RSA public key
    $ cat /tmp/key.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5 vagrant@ol7-vagrant
    

The PEM RSA private key generated here can be imported into puttygen to produce a PPK-format private key for PuTTY, as follows:

    PuTTY-User-Key-File-2: ssh-rsa
    Encryption: none
    Comment: imported-openssh-key
    Public-Lines: 6
    AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx
    9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWq
    PSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBR
    mB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebm
    zy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2
    JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
    Private-Lines: 14
    AAABAQDhkCYHRN3s0XJe776tc7/VFlFANsRONi0fVrkQWjLoFjckywJlwD/ofr31
    b4tBpk9S9wwXTFkD5d9cDq8zxd2Bx8+npigdYXd3DNu+i3gXSUA4fJjJHicJ7u6Z
    KE8g3CDJFpeea32ctEvI+Ie6EO3CrfFnlYQlFFSR/vLSBMh/6n6lkei01LLTR9tN
    umvoRFOtyJ5oVnyCeHruvWZJxZpbZNEIGMXDFbQyJ3ceqF2X4n9/CAGIg9Dndc+Z
    ubYwxT5cUY573KxO70hyClnUiG3sFGad1qsmKgW6f9cizRCaPtPKhB7JtaUS3ePy
    O3PAU42HhXYv6qRubazODdm6AnwRAAAAgQD8qPMvBC8AiLowIInzXjHEgqR5A7/Q
    5Dj5NhOpf5Uft6q2S5jkLG8sLHyw74KUcwFCJSs1kWh6dn9vtO9TF9goUL4fycWy
    ByBJ8CV43f9YcxfKApjlhS1VZkdOjY8AOiKsFlQmWezhFFbbv4kzS39J+nn4U7ay
    o65xEJewYTD/FQAAAIEA+kQAkwgv54S6p1BdcSgj/DFXwnqhq80AP0jJOBkdq7gO
    IOnpFoHIhWUNlaakN8JTvEDt3e4l/AUuE2wDMTHxRjDJOsq727Qn5kDVxZ48HAfZ
    4XkUQz7UfRm6eqxG8AOyeF1/KWgqvqb7UtzMYqwWwvTqW5pq0foiAUus+gpqD5UA
    AACAJ9eXLZKQIWVTYcfqYJCZrAne5DQGWjzbllq3o3ppc8qRMu2jeylZU4Hxdf7S
    ToLuj1SlQFX7w09YqVVd+oUx5BQ3loz9L32fgjfspvA3BxPF8D7gsuG4WGy4wi78
    hDKVCOv3CemuIwlwCNW8Hh3FdFKQSEtZ+uf3khg9CRstxLI=
    Private-MAC: dfd25e12c37694bbf51cdcd0dd71c8f77c0ae63d
    

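As an aside, PEM stands for Privacy Enhanced Mail and PPK stands for PuTTY Private Key. Both are private key formats. PEM is really a particular Base64 encoding: Base64 text wrapped between -----BEGIN ...----- and -----END ...----- lines.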

Convert an OpenSSH-format public key to SSH2 format, i.e. RFC 4716 format:

    $ ssh-keygen -e -f /tmp/key
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted by vagrant@ol7-vagrant from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC6
    7KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyK
    dJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxL
    qvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZY
    CI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vN
    RAPD4nySOkox/B/hzhKLI5
    ---- END SSH2 PUBLIC KEY ----
    

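Convert an SSH2-format public key back with -i. The output file is named key.pem here, but as the file output below shows, -i writes an OpenSSH-format public key: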

    $ ssh-keygen -e -f /tmp/key > key.ssh2
    $ ssh-keygen -i -f key.ssh2 > key.pem
    $ cat key.pem
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
    
    $ file key.pem
    key.pem: OpenSSH RSA public key
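
The -e and -i conversions above only rewrap the same binary public key blob, which can be confirmed by parsing it. The Python code below is an added example, not code from the original post; the function names are illustrative and the sample key is constructed (its modulus is not a real RSA modulus).

```python
import base64
import hashlib
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_of(line):
    """Decode the base64 field of a one-line OpenSSH public key."""
    return base64.b64decode(line.split()[1], validate=True)

def wire_fields(blob):
    """Split a key blob into its SSH wire-format strings (uint32 length + bytes)."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        if pos + 4 + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields

def describe(line):
    """Return (key type, public exponent, modulus bits) for an ssh-rsa key line."""
    key_type, e, n = wire_fields(blob_of(line))
    return key_type.decode(), int.from_bytes(e, "big"), int.from_bytes(n, "big").bit_length()

def fingerprint(line):
    """SHA256 fingerprint in the form ssh-keygen prints (unpadded base64)."""
    digest = hashlib.sha256(blob_of(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def openssh_to_rfc4716(line, comment="converted"):
    """One-line OpenSSH public key -> RFC 4716 block, as ssh-keygen -e does."""
    b64 = line.split()[1]
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'

def rfc4716_to_openssh(text):
    """RFC 4716 block -> OpenSSH line, as ssh-keygen -i does (no continued headers)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 markers")
    b64 = "".join(l for l in lines[1:-1] if ":" not in l)  # header lines contain ':'
    return wire_fields(base64.b64decode(b64, validate=True))[0].decode() + " " + b64

# Constructed sample: valid structure, but the modulus is not a real RSA modulus.
SAMPLE_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
               + b"\x00\x00\x01\x01" + b"\x00\x80" + bytes(254) + b"\x01")
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"
```

The fingerprint is computed over the decoded blob, so it is the same for the OpenSSH line and for the RFC 4716 block made from it.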
    

Convert an OpenSSH-format public key to PEM format:

    $ ssh-keygen -f /tmp/key.pub -e -m pem
    

Besides PEM, private keys also have an OpenSSH format. As the documentation describes:

    -m key_format
                 Specify a key format for key generation, the -i (import), -e
                 (export) conversion options, and the -p change passphrase oper‐
                 ation.  The latter may be used to convert between OpenSSH pri‐
                 vate key and PEM private key formats.  The supported key for‐
                 mats are: “RFC4716” (RFC 4716/SSH2 public or private key),
                 “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public
                 key).  By default OpenSSH will write newly-generated private
                 keys in its own format, but when converting public keys for
                 export the default format is “RFC4716”.  Setting a format of
                 “PEM” when generating or updating a supported private key type
                 will cause the key to be stored in the legacy PEM private key
                 format.
    

The -p option can be used to convert between the PEM and OpenSSH formats.

    # From OpenSSH to PEM
    ssh-keygen -p -N "" -m pem -f /path/to/key
    # From PEM to OpenSSH
    ssh-keygen -p -N ""  -f /path/to/key
    

To summarize: there are three private key formats, PEM, OpenSSH and PPK. There are two public key formats, OpenSSH and SSH2.

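For private keys, PPK is the format used by PuTTY, and conversion between it and the other formats is done with puttygen. puttygen can only import PEM-format keys, but it can convert them to OpenSSH format. Conversion between PEM and OpenSSH is done with ssh-keygen -p.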
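
Every key on this page is generated with -N "" and the PPK file shows Encryption: none, so none of these private keys is passphrase-protected. The Python code below is an added example, not from the original post; it reports which private key format a file uses and whether it is encrypted, and its function names and sample keys are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"

def inspect_private_key(text):
    """Return (format, passphrase_protected) for the text of a private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    first = lines[0]
    if first.startswith("PuTTY-User-Key-File-"):
        enc = [l.split(":", 1)[1].strip() for l in lines if l.startswith("Encryption:")]
        if not enc:
            raise ValueError("PPK file without an Encryption header")
        return "PPK", enc[0] != "none"
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad OpenSSH private key magic")
        # The cipher name is the first length-prefixed string after the magic.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode()
        return "OpenSSH", cipher != "none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "PKCS8", True
    if first == "-----BEGIN PRIVATE KEY-----":
        return "PKCS8", False
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM flags encryption with a Proc-Type header before the base64 body.
        return "PEM", any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:3])
    raise ValueError("unrecognised private key format")

def constructed_openssh_key(cipher, kdf):
    """Constructed, truncated OpenSSH key: magic, cipher, KDF, empty KDF options."""
    def s(v):
        return struct.pack(">I", len(v)) + v
    body = MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"")
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples; the bodies are placeholders, not real key material.
PPK_SAMPLE = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: constructed\n"
PEM_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = PEM_SAMPLE.replace(
    "KEY-----\nMIIE",
    "KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nMIIE")
```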

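For public keys, conversion among OpenSSH, SSH2 and PEM is done with ssh-keygen -e or -i. The public keys stored in ~/.ssh/authorized_keys are in OpenSSH format. In OCI, the API Signing Key uses a PKCS8-format public key, as follows: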

    $ ssh-keygen -f /tmp/key.pub -e -m PKCS8
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qbA9YzAhibGhHqLR4+k
    9hEthtZkGMNw95AzEkmZ22q6sVAm0+EOS4iNPNxZkX1Dn9rDztn0n9pBGzet1V6Y
    ul7q2wpael/YUk7MM+qGvBNp87RoXmZ17B3BVPAlVPol1q3PV4iWSuHs1RrY2HmJ
    I2T4yZKcjtHOManI32Hl2Czo6upswUlZVeQ5pwI2g/wFjjyUwaRaB5CiKN8GjjNp
    TKwdOt89GcOfZbo54f9yu9L/FbISGMfFi8DVdMHnLPgtpCvmpJ3aa5BvligMEOB2
    5KT+DN7Eu+Bsbl2w3tkhvsa11AHVX+ZAdqPG40NAG7JtJouEvLYS17pI1kOVAO1v
    pwIDAQAB
    -----END PUBLIC KEY-----
    
    

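The problem at the customer site that day was that the public and private keys generated by Oracle's public cloud (OCI) are both in OpenSSH format. So the private key could not be imported directly into puttygen; it first had to be converted to PEM format.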

Original link: https://blog.csdn.net/stevensxiao/article/details/109381001
