Using ssh-keygen
Yesterday I roughly sorted out the documentation on connecting to a server over ssh; at the time I ran into a problem with keys, so today I have put together this document on ssh-keygen.
The ssh-keygen discussed here is the OpenSSH version of ssh-keygen, not the Tectia SSH version.
Chapter 0 Official documentation
Chapter 1 What is ssh-keygen?
ssh-keygen is the tool used to create new authentication key pairs for SSH. Such key pairs are used for automated logins, single sign-on and host authentication. Today it is widely used for authenticating to Linux services and to git.
Chapter 2 How ssh-keygen works
Running ssh-keygen generates a key pair, made up of a public key file and a private key file, for example:
- using the rsa algorithm: id_rsa (private key), id_rsa.pub (public key)
- using the dsa algorithm: id_dsa (private key), id_dsa.pub (public key)
Once the key pair has been generated we can use it to encrypt and decrypt. The common usage scenarios at present are:
- Network data transfer: the public key encrypts, the private key decrypts
- For example, we have two clients A and B, each of which has generated a key pair (private key, public key):
A: private_keyA (private key) ---> public_keyA = hashX(private_keyA) (the public key public_keyA is derived from the private key by some one-way algorithm)
B: private_keyB (private key) ---> public_keyB = hashX(private_keyB) (the public key public_keyB is derived from the private key by some one-way algorithm)
A and B each hold the other's public key
- A sends message msgA to B:
A --> msgA --> lock(public_keyB, msgA) (encrypt with B's public key) --> msg*** --> transit --> msg*** --> unlock(private_keyB, msg***) (decrypt with B's private key) --> msgA --> B
- B sends message msgB to A:
B --> msgB --> lock(public_keyA, msgB) (encrypt with A's public key) --> msg*** --> transit --> msg*** --> unlock(private_keyA, msg***) (decrypt with A's private key) --> msgB --> A
- Personal signature authentication (verifying that a message really comes from its claimed source): the private key encrypts, the public key decrypts
- A --> msgA --> lock(private_keyA, msgA) (encrypt with A's private key) --> msg*** --> transit --> msg*** --> unlock(public_keyA, msg***) (decrypt with A's public key) --> msgA --> SomeBody (if decryption succeeds, the message is confirmed to come from A)
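The second scenario above, private key on the sending side and public key on the checking side, can be tried with ssh-keygen itself: since OpenSSH 8.0, ssh-keygen -Y sign and ssh-keygen -Y verify produce and check detached signatures, with an allowed_signers file playing the part of "SomeBody holds A's public key". The script below is an added example, not code from the original post; the key name keyA, the principal alice@example.com, the message text and the temporary directory are all constructed for it, and the key type ed25519 is the one listed in ssh-keygen's own usage summary. (OpenSSH ships no command for the first scenario, encrypting a file with a public key, so only the signature scenario is shown.)

```shell
#!/bin/sh
# Added example (not from the original post): the "signature authentication"
# flow of chapter 2 done with OpenSSH's own tooling. ssh-keygen -Y sign uses
# the private key, ssh-keygen -Y verify uses the public key, which is what
# lock(private_keyA, msgA) / unlock(public_keyA, msg***) models above.
# keyA, alice@example.com, the message text and the temp dir are constructed.
set -eu

# make_signed_message DIR: A generates a key pair, the verifying side records
# A's public key in an allowed_signers file ("SomeBody holds A's public key"),
# and A signs msgA. Produces DIR/keyA, DIR/keyA.pub, DIR/allowed_signers,
# DIR/msgA and DIR/msgA.sig.
make_signed_message() {
    msm_dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' -f "$msm_dir/keyA"
    # allowed_signers lines are "<principal> <keytype> <base64>"; the .pub
    # comment is dropped so that only the key itself is trusted.
    printf 'alice@example.com %s\n' "$(cut -d' ' -f1,2 "$msm_dir/keyA.pub")" \
        > "$msm_dir/allowed_signers"
    printf 'hello from A\n' > "$msm_dir/msgA"
    # -n is the signature namespace; sign and verify must agree on it.
    ssh-keygen -Y sign -f "$msm_dir/keyA" -n file "$msm_dir/msgA" 2>/dev/null
}

# verify_msg DIR MSGFILE SIGFILE: exit 0 when SIGFILE is a valid signature
# over MSGFILE by principal alice@example.com in namespace "file".
verify_msg() {
    ssh-keygen -Y verify -f "$1/allowed_signers" -I alice@example.com \
        -n file -s "$3" < "$2" >/dev/null 2>&1
}

if command -v ssh-keygen >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    make_signed_message "$workdir"

    # Unmodified message: verification succeeds, so it came from A.
    verify_msg "$workdir" "$workdir/msgA" "$workdir/msgA.sig" \
        && echo "msgA: good signature from alice@example.com"

    # Modified message with the original signature: rejected, so the
    # signature also protects the content, not just the sender identity.
    printf 'hello from A (modified in transit)\n' > "$workdir/msgA.tampered"
    if verify_msg "$workdir" "$workdir/msgA.tampered" "$workdir/msgA.sig"; then
        echo "tampered copy: unexpectedly accepted"
    else
        echo "tampered copy: signature rejected"
    fi
else
    echo "ssh-keygen not installed; nothing to demonstrate" >&2
fi
```

The tampered copy is rejected even though A's public key is in allowed_signers, which is the property chapter 2 relies on: a signature that verifies proves both who produced the message and that it has not changed in transit.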
Chapter 3 Using ssh-keygen to generate a key pair
3.1 Summary of ssh-keygen's help output
martain@martaindeMacBook-Pro .ssh % ssh-keygen --help
ssh-keygen: illegal option -- -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
[-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-m key_format] [-f input_keyfile]
ssh-keygen -e [-m key_format] [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-f known_hosts_file] [-l]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
[-j start_line] [-K checkpt] [-W generator]
ssh-keygen -s ca_key -I certificate_identity [-h] [-U]
[-D pkcs11_provider] [-n principals] [-O option]
[-V validity_interval] [-z serial_number] file ...
ssh-keygen -L [-f input_keyfile]
ssh-keygen -A
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
file ...
ssh-keygen -Q -f krl_file file ...
3.2 -t: choosing the key algorithm
ssh-keygen currently supports three algorithms: rsa, dsa and ecdsa; rsa is the default. The ssh-keygen program is interactive, as the following examples show:
- Generate a key pair with the default algorithm:
martain@martaindeMacBook-Pro sshtemp % ssh-keygen   # generate a key pair with the defaults
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/martain/.ssh/id_rsa): /Users/martain/sshtemp/id_rsa   # enter the key path (including the file name)
Enter passphrase (empty for no passphrase):   # enter the key's passphrase
Enter same passphrase again:   # enter it again
Your identification has been saved in /Users/martain/sshtemp/id_rsa.
Your public key has been saved in /Users/martain/sshtemp/id_rsa.pub.
The key fingerprint is:
SHA256:Z3O0CQM76fOOtAT6oeI44EDpjXLt+xRmJZD/K7XYrUk martain@martaindeMacBook-Pro.local
The key's randomart image is:
+---[RSA 2048]----+
| .. . |
| .. + |
| . .. = o . |
| o .+ . + o |
|o o. =.S + + |
|+o...+ oo= o |
|=. .. o+E+. |
|.o. .+o=+=. |
|.o..ooo.=.. |
+----[SHA256]-----+
martain@martaindeMacBook-Pro sshtemp % ls
id_rsa id_rsa.pub
martain@martaindeMacBook-Pro sshtemp %
- Generate a key pair with an explicitly chosen algorithm (dsa here):
martain@martaindeMacBook-Pro sshtemp % ssh-keygen -t dsa   # generate a key pair with the dsa algorithm
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/martain/.ssh/id_dsa): /Users/martain/sshtemp/id_dsa   # enter the key path (including the file name)
Enter passphrase (empty for no passphrase):   # enter the key's passphrase
Enter same passphrase again:   # enter it again
Your identification has been saved in /Users/martain/sshtemp/id_dsa.
Your public key has been saved in /Users/martain/sshtemp/id_dsa.pub.
The key fingerprint is:
SHA256:ltcQRdJMI15eRsMrcTrXqNKiy/26JvOQf9o82k6jqa8 martain@martaindeMacBook-Pro.local
The key's randomart image is:
+---[DSA 1024]----+
| +**o= |
| . *++o. |
| o .+ + |
| . o+ + .|
| S ...= |
| . oo o |
| o. oo |
| .++.Bo. |
| EX%O*. |
+----[SHA256]-----+
martain@martaindeMacBook-Pro sshtemp % ls
id_dsa id_dsa.pub id_rsa id_rsa.pub
martain@martaindeMacBook-Pro sshtemp %
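The same key generation can be scripted without the prompts, which is how keys are normally produced for automation. The script below is an added example, not from the original post: it drives ssh-keygen with the -t, -b, -N, -C, -f and -q options from the usage summary in 3.1, then runs the two checks worth doing on any fresh key, printing the fingerprint with -l (and -E to choose the hash) and re-deriving the public key from the private key with -y to confirm that the two files belong together. The directory, the key name id_rsa and the comment demo@example.com are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key generation
# plus the checks an operator runs on a fresh key. KEY_DIR, the key name and
# the comment demo@example.com are constructed.
set -eu

# gen_key DIR NAME TYPE BITS: write DIR/NAME and DIR/NAME.pub without prompts.
# -N '' sets an empty passphrase (fine for a throwaway key; keys kept on a
# workstation should get a real one), -q silences the banner and randomart.
gen_key() {
    ssh-keygen -q -t "$3" -b "$4" -N '' -C 'demo@example.com' -f "$1/$2"
}

# fingerprint PUBFILE [HASH]: the fingerprint ssh-keygen -l shows (second
# field of its output). HASH defaults to sha256; md5 gives the older form.
fingerprint() {
    ssh-keygen -l -E "${2:-sha256}" -f "$1" | awk '{print $2}'
}

# key_bits PUBFILE: the key length ssh-keygen -l reports (first field).
key_bits() {
    ssh-keygen -l -f "$1" | awk '{print $1}'
}

# pubkey_matches PRIVFILE: exit 0 if the public key derived from the private
# key with -y has the same type and blob as the stored PRIVFILE.pub. This is
# how to confirm that an id_rsa / id_rsa.pub pair really belong together.
pubkey_matches() {
    pm_derived=$(ssh-keygen -y -f "$1" | awk '{print $1 " " $2}')
    pm_stored=$(awk '{print $1 " " $2}' "$1.pub")
    [ "$pm_derived" = "$pm_stored" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
    KEY_DIR=$(mktemp -d)
    trap 'rm -rf "$KEY_DIR"' EXIT
    gen_key "$KEY_DIR" id_rsa rsa 2048          # same key type and size as the session above
    echo "bits:    $(key_bits "$KEY_DIR/id_rsa.pub")"
    echo "sha256:  $(fingerprint "$KEY_DIR/id_rsa.pub")"
    echo "md5:     $(fingerprint "$KEY_DIR/id_rsa.pub" md5)"
    pubkey_matches "$KEY_DIR/id_rsa" && echo "id_rsa.pub matches id_rsa"
else
    echo "ssh-keygen not installed; nothing to demonstrate" >&2
fi
```

The SHA256 fingerprint printed here is the value to compare when a key's .pub file is handed to someone else, so that the key actually installed is the one that was generated.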
Chapter 4 Using the key pair on a Linux server
Suppose there are two machines, client and server, and client wants to connect to server securely. This can be done as follows:
4.1 One-way login
- Log in to server and run ssh-keygen on server, generating the private key id_rsa and the public key id_rsa.pub
- Download (copy) the public key id_rsa.pub into the .ssh directory on client
- Run cat id_rsa.pub >> ~/.ssh/authorized_keys (appending the public key to authorized_keys)
- client can now log in to server without a password: just run ssh server-ip.
4.2 Two-way login
For server to be able to connect to client as well, simply repeat the steps above on client.
Note: make sure that both .ssh and authorized_keys are writable only by the user themselves; otherwise the authentication will not work.
chmod 600 authorized_keys
chmod 700 -R .ssh
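As an added example (not from the original post), the following script performs the authorized_keys step and the permission fix from this chapter in one go and makes them safe to re-run: the key is appended only if the same key (type and base64 blob, whatever the comment) is not already listed, .ssh is created with mode 700 and authorized_keys with mode 600, and a check function reports whether the modes still match the note above. authorized_keys is read by sshd on the machine being logged into, in the home directory of the account being logged into, so that is where the script is meant to run. The home directory, SAMPLE_KEY and the comment client@example are constructed placeholders; SAMPLE_KEY is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): the authorized_keys step and the
# permission fix from chapter 4, made safe to re-run. Home dir, SAMPLE_KEY and
# the comment client@example are constructed; SAMPLE_KEY is a placeholder,
# not a real key.
set -eu

# add_authorized_key HOME_DIR "keytype base64 [comment]"
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) if missing, enforces
# those modes if they already exist, and appends the key unless the same key
# (type + blob; the comment is ignored) is already listed. Assumes plain key
# lines, i.e. no leading options such as from="...".
add_authorized_key() {
    ak_dir="$1/.ssh"
    ak_file="$ak_dir/authorized_keys"
    ak_line=$2
    ak_id=$(printf '%s\n' "$ak_line" | awk '{print $1 " " $2}')

    umask 077                   # anything created below is user-only
    mkdir -p "$ak_dir"
    touch "$ak_file"
    chmod 700 "$ak_dir"         # also repairs a pre-existing, too-open directory
    chmod 600 "$ak_file"

    if grep -qF -- "$ak_id" "$ak_file"; then
        echo "key already present, not added"
    else
        printf '%s\n' "$ak_line" >> "$ak_file"
        echo "key added"
    fi
}

# authorized_key_count HOME_DIR: number of non-empty lines in authorized_keys.
authorized_key_count() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# check_ssh_perms HOME_DIR: exit 0 if .ssh is exactly 700 and authorized_keys
# is exactly 600 (the modes the note above asks for), non-zero otherwise.
check_ssh_perms() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -type d -perm 700)" ] &&
        [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -type f -perm 600)" ]
}

# Constructed placeholder public-key line (not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERplaceholderPLACEHOLDERplaceholder client@example'

home_dir=$(mktemp -d)
trap 'rm -rf "$home_dir"' EXIT

add_authorized_key "$home_dir" "$SAMPLE_KEY"                        # key added
add_authorized_key "$home_dir" "${SAMPLE_KEY% *} renamed-comment"   # same key: not added
echo "authorized_keys holds $(authorized_key_count "$home_dir") key(s)"

check_ssh_perms "$home_dir" && echo "permissions ok"
chmod 775 "$home_dir/.ssh"        # simulate the mistake the note warns about
check_ssh_perms "$home_dir" || echo "permissions too open: .ssh is group-writable"
```

check_ssh_perms is stricter than sshd's own StrictModes check, which only rejects a home directory, .ssh or authorized_keys that is group- or world-writable; keeping to the 700/600 modes from the note satisfies it either way. The note's chmod 700 -R .ssh additionally sets every file under .ssh, id_rsa.pub included, to 700, which is harmless but not required; the script only touches the directory and authorized_keys.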