SSH-Keygen的使用

昨天大致整理了下关于ssh连接服务器的文档，当时遇到了关于密钥的问题，今天便整理了关于ssh-keygen的文档

这里说的ssh-keygen是指的openssh版本的ssh-keygen，不是Tectia ssh版本的ssh-keygen.

第 0 章 官方说明

第一章 what is ssh-keygen?

ssh-keygen是用于为SSH创建新的身份验证密钥对的工具。此类密钥对用于自动登录，单点登录和验证主机。目前广泛的用在linux服务验证、git身份验证上。

第二章 ssh-keygen的工作原理

执行ssh-keygen可以生成一个密钥对 ,这个密钥对称为公钥文件和私钥 文件 ,例如：

• 使用rsa算法： id_rsa(密钥),id_rsa.pub(公钥)
• 使用dsa算法：id_dsa(密钥),id_dsa.pub(公钥)

生成这个密钥之后我们就可以利用这个密钥对来加密解密了。目前比较常见的使用情景有:

• 网络数据传输

  公钥用来加密，私钥用来解密

  • 例如我们有AB连个客户端，都生成了密钥对(私钥,公钥):
    A: private_keyA(私钥) ---> public_keyA=hashX(private_keyA)(通过某种不可逆算法生成公钥public_keyA)
    B: private_keyB(私钥) ---> public_keyB=hashX(private_keyB)(通过某种不可逆算法生成公钥public_keyB)

  A,B都有彼此的公钥

  • A向B发送消息msgA:

    A --> msgA --> lock(public_keyB, msgA)(用B的公钥加密) --> msg*** --> transit --> msg*** --> unlock(private_keyB, msg***)(用B的私钥解密) -- > msgA --> B

  • B向A发送消息msgB:
    B --> msgB --> lock(public_keyA, msgB)(用A的公钥加密) --> msg*** --> transit --> msg*** --> unlock(private_keyA, msg***)(用A的私钥解密) -- > msgB --> A

• 个人签名认证(验证消息来源合法性)

  私钥用来加密，公钥用来解密

  • A --> msgA --> lock(private_keyA, msgA)(用A的私钥加密) --> msg*** --> transit --> msg*** --> unlock(public_keyA, msg***)(用A的公钥解密) -- > msgA --> SomeBody(如解密成功，则能确认消息来源为A)

第三章 使用ssh-keygen来生成密钥对

3.1 ssh-keygen的帮助文档摘要

martain@martaindeMacBook-Pro .ssh % ssh-keygen --help
ssh-keygen: illegal option -- -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
                  [-N new_passphrase] [-C comment] [-f output_keyfile]
       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
       ssh-keygen -i [-m key_format] [-f input_keyfile]
       ssh-keygen -e [-m key_format] [-f input_keyfile]
       ssh-keygen -y [-f input_keyfile]
       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
       ssh-keygen -B [-f input_keyfile]
       ssh-keygen -D pkcs11
       ssh-keygen -F hostname [-f known_hosts_file] [-l]
       ssh-keygen -H [-f known_hosts_file]
       ssh-keygen -R hostname [-f known_hosts_file]
       ssh-keygen -r hostname [-f input_keyfile] [-g]
       ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
       ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
                  [-j start_line] [-K checkpt] [-W generator]
       ssh-keygen -s ca_key -I certificate_identity [-h] [-U]
                  [-D pkcs11_provider] [-n principals] [-O option]
                  [-V validity_interval] [-z serial_number] file ...
       ssh-keygen -L [-f input_keyfile]
       ssh-keygen -A
       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
                  file ...
       ssh-keygen -Q -f krl_file file ...

3.2 -t 选择加密算法

ssh-keygen目前支持三种加密算法:rsa,dsa,ecdsa，默认使用的是rsa，ssh-keygen程序是交互式的，如下实例：

• 使用默认算法生成密钥对

  martain@martaindeMacBook-Pro sshtemp % ssh-keygen    # 使用默认方式生成密钥对
  Generating public/private rsa key pair.
  Enter file in which to save the key (/Users/martain/.ssh/id_rsa): /Users/martain/sshtemp/id_rsa   # 输入秘钥的path(包含文件名)
  Enter passphrase (empty for no passphrase):  # 输入密钥的密码
  Enter same passphrase again:                                  #再次输入
  Your identification has been saved in /Users/martain/sshtemp/id_rsa.
  Your public key has been saved in /Users/martain/sshtemp/id_rsa.pub.
  The key fingerprint is:
  SHA256:Z3O0CQM76fOOtAT6oeI44EDpjXLt+xRmJZD/K7XYrUk martain@martaindeMacBook-Pro.local
  The key's randomart image is:
  +---[RSA 2048]----+
  |    ..  .        |
  |    ..   +       |
  |  .  .. = o .    |
  | o    .+ . + o   |
  |o o.  =.S + +    |
  |+o...+ oo= o     |
  |=. .. o+E+.      |
  |.o. .+o=+=.      |
  |.o..ooo.=..      |
  +----[SHA256]-----+
  martain@martaindeMacBook-Pro sshtemp % ls
  id_rsa        id_rsa.pub
  martain@martaindeMacBook-Pro sshtemp % 
  

• 指定算法生成密钥对(这里选择dsa)

  martain@martaindeMacBook-Pro sshtemp % ssh-keygen -t dsa  # 指定dsa算法生成密钥对
  Generating public/private dsa key pair.
  Enter file in which to save the key (/Users/martain/.ssh/id_dsa): /Users/martain/sshtemp/id_dsa         # 输入秘钥的path(包含文件名)
  Enter passphrase (empty for no passphrase):   # 输入密钥的密码
  Enter same passphrase again:                                  #再次输入
  Your identification has been saved in /Users/martain/sshtemp/id_dsa.
  Your public key has been saved in /Users/martain/sshtemp/id_dsa.pub.
  The key fingerprint is:
  SHA256:ltcQRdJMI15eRsMrcTrXqNKiy/26JvOQf9o82k6jqa8 martain@martaindeMacBook-Pro.local
  The key's randomart image is:
  +---[DSA 1024]----+
  |          +**o=  |
  |         . *++o. |
  |          o .+ + |
  |         . o+ + .|
  |        S ...=   |
  |       . oo o    |
  |        o. oo    |
  |       .++.Bo.   |
  |        EX%O*.   |
  +----[SHA256]-----+
  martain@martaindeMacBook-Pro sshtemp % ls
  id_dsa        id_dsa.pub  id_rsa      id_rsa.pub
  martain@martaindeMacBook-Pro sshtemp % 
  

第四章 密钥对在linux服务器上的使用

假设有两台机器，分别为client,server，现在client想要安全的连接server，可以这么做：

4.1 单向登录

• 登录server,在server上执行ssh-keygen,生成密钥id_rsa和公钥id_rsa.pub
• 将公钥id_rsa.pub下载复制到client的.ssh目录下
• 执行cat id_dsa.pub >> ~/.ssh/authorized_keys (将公钥写入authorized_keys中)
• 现在client想登录server就不需要密码了，直接ssh server-ip就可以了。

4.2 双向登录

要满足server可以连接client，只要在client上也执行上面的操作即可。

注意：要保证.ssh和authorized_keys都只有用户自己有写权限。否则验证无效。

chmod 600 authorized_keys

chmod 700 -R .ssh