526互联

ssh-keygen

发布时间 2023-04-11 14:36:37作者: 小吉猫

主机密钥

主机密钥通常在安装 SSH 服务器时自动生成。它们可以随时再生。

$ ls -l /etc/ssh/
total 548
-rw-r--r-- 1 root root 505426 Feb 26  2022 moduli
-rw-r--r-- 1 root root   1650 Feb 26  2022 ssh_config
drwxr-xr-x 2 root root   4096 Feb 26  2022 ssh_config.d
-rw------- 1 root root   1381 Apr  7 12:31 ssh_host_dsa_key
-rw-r--r-- 1 root root    607 Apr  7 12:31 ssh_host_dsa_key.pub
-rw------- 1 root root    513 Apr  7 12:31 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    179 Apr  7 12:31 ssh_host_ecdsa_key.pub
-rw------- 1 root root    411 Apr  7 12:31 ssh_host_ed25519_key
-rw-r--r-- 1 root root     99 Apr  7 12:31 ssh_host_ed25519_key.pub
-rw------- 1 root root   2602 Apr  7 12:31 ssh_host_rsa_key
-rw-r--r-- 1 root root    571 Apr  7 12:31 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root    342 Dec  8  2020 ssh_import_id
-rw-r--r-- 1 root root   3343 Apr  7 12:43 sshd_config
drwxr-xr-x 2 root root   4096 Mar 16 17:31 sshd_config.d

选择算法

SSH 支持多种用于身份验证密钥的公钥算法。这些包括:

  • dsa 
  • ecdsa
  • ecdsa-sk
  • ed25519 
  • ed25519-sk
  • rsa

命令和选项

-b “Bits” 此选项指定密钥中的位数。管理 SSH 用例的法规可能要求使用特定的密钥长度。通常,2048 位被认为足以用于 RSA 密钥。

-e “Export” 此选项允许在 OpenSSH 密钥文件格式和RFC 4716 “SSH 公钥文件格式”中记录的格式之间重新格式化现有密钥。

-p [-P old_passphrase] “Change the passphrase” 此选项允许使用和,更改私钥文件的密码[-N new_passphrase]。[-f keyfile]

-t “Type” 此选项指定要创建的密钥的类型。常用的值是: - RSA密钥的rsa - DSA密钥的dsa -椭圆曲线 DSA密钥的ecdsa

-i "Input" 当需要ssh-keygen访问现有密钥时,此选项指定文件。

-f "File" 指定要在其中存储创建的密钥的文件的名称。

-N "New" 为密钥提供新的密码。

-P "Passphrase" 在读取密钥时提供(旧)密码。

-c "Comment" 更改密钥文件的注释。

-p 更改私钥文件的密码。

-q 沉默 ssh-keygen。

-v 详细模式。

-l "Fingerprint" 打印指定公钥的指纹。

-B "Bubble babble" 显示密钥文件的“bubble babble”(Tectia 格式)指纹。

-F  在 known_hosts 文件中搜索指定的主机名。

-R  从 known_hosts 文件中删除属于主机名的所有密钥。

-y  读取私有 OpenSSH 格式文件并将 OpenSSH 公钥打印到标准输出。

生成密钥

rsa

$ ssh-keygen -t rsa -f .ssh/wgs_rsa -b 4096 -C "1304995320@qq.com"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/wgs_rsa
Your public key has been saved in .ssh/wgs_rsa.pub
The key fingerprint is:
SHA256:iwJv0jlCU9n5axrtLbxTxQ7QwTJ0p6gv2wp2tklmkcg 1304995320@qq.com
The key's randomart image is:
+---[RSA 4096]----+
|       ..oo..    |
|     o .+ooo     |
|    o o .+..     |
|   o . +  . o    |
|  + E + S  +     |
| . = . = o. .    |
|  o X X.*.       |
|   = X @+.       |
|      *.++.      |
+----[SHA256]-----+

dsa

$ ssh-keygen -t dsa -f .ssh/wgs_dsa  -C "1304995320@qq.com"
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/wgs_dsa
Your public key has been saved in .ssh/wgs_dsa.pub
The key fingerprint is:
SHA256:EOyAr/VMJkrorZ7HWX1gnhOy4TU+8FLufSqh4eU/bcQ 1304995320@qq.com
The key's randomart image is:
+---[DSA 1024]----+
|   . ..          |
|  . . ..         |
| . . o.          |
|. . +++O         |
|...+.*# S .      |
| .o. *o% . E     |
|  o + B * o      |
| ..+ o + o +     |
|.o.     oo=      |
+----[SHA256]-----+

ecdsa

$ ssh-keygen -t ecdsa -f .ssh/wgs_ecdsa -b 521 -C "1304995320@qq.com"
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/wgs_ecdsa
Your public key has been saved in .ssh/wgs_ecdsa.pub
The key fingerprint is:
SHA256:YZuu+9p1w0U09g3yvKW5o3ipnVtXO4iBba6hmUFdIx0 1304995320@qq.com
The key's randomart image is:
+---[ECDSA 521]---+
|           E. =  |
|          . .* +.|
|        o. +  + +|
|       ..+= .. = |
|       .So +  = .|
|      ..  o.o...o|
|       ....o+o+o.|
|       o=.o+o= o.|
|      +Bo.oo=.   |
+----[SHA256]-----+

ed25519

$ ssh-keygen -t ed25519 -f .ssh/wgs_ed25519 -C "1304995320@qq.com"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/wgs_ed25519
Your public key has been saved in .ssh/wgs_ed25519.pub
The key fingerprint is:
SHA256:BAB+mj3HLKUESR6blUhJFkxyMiqGvCIT/HS4ZviyLrM 1304995320@qq.com
The key's randomart image is:
+--[ED25519 256]--+
|+*%*oo.          |
|=O=*o  .         |
|=+=oo.. .        |
|o.=*o= .         |
|+oo== + S        |
|o.+  +           |
| . .             |
|o o              |
|E=               |
+----[SHA256]-----+

配置文件

# cat ~/.ssh/config
Host github.com
  Hostname github.com
  User git
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/wgs_dsa

Host gitlab.com
  Hostname gitlab.com
  User git
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/wgs_ecdsa

Host gitee.com
  Hostname gitee.com
  User git
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/wgs_ed25519

分发公钥

查看公钥

$ ls -l .ssh/
total 32
-rw------- 1 wgs wgs    0 Oct 12 18:11 authorized_keys
-rw------- 1 wgs wgs 1381 Apr 11 14:19 wgs_dsa
-rw-r--r-- 1 wgs wgs  607 Apr 11 14:19 wgs_dsa.pub
-rw------- 1 wgs wgs  736 Apr 11 14:22 wgs_ecdsa
-rw-r--r-- 1 wgs wgs  271 Apr 11 14:22 wgs_ecdsa.pub
-rw------- 1 wgs wgs  411 Apr 11 14:25 wgs_ed25519
-rw-r--r-- 1 wgs wgs   99 Apr 11 14:25 wgs_ed25519.pub
-rw------- 1 wgs wgs 3381 Apr 11 14:18 wgs_rsa
-rw-r--r-- 1 wgs wgs  743 Apr 11 14:18 wgs_rsa.pub

复制公钥

ssh-copy-id -i ~/.ssh/wgs_ed25519.pub user@host

参考文档

https://man.openbsd.org/ssh-keygen.1