SSH is a secure and popular protocol for managing different types of IT devices such as Linux systems and network devices. What makes SSH secure is the encryption of network traffic, which is done with different types of encryption algorithms. User authentication is also done with cryptographic algorithms. These algorithms need keys to operate, and keys are generally produced with auxiliary tools. ssh-keygen is the de facto tool used by SSH and other applications to create different types of keys. In this tutorial, we will look at how it works.
Public Cryptography
In this part we will look at some terms and concepts of public cryptography. In public cryptography there are two keys, called public and private. The public key is known to others and is used to create encrypted data. The private key is known only to its owner. Anyone can encrypt data with the public key, but only the private key owner can decrypt the message, so keeping the private key safe is important. ssh-keygen is used to create different types of public-private key pairs.
Configuration Files
There are some configuration files that are used by ssh. We will look at the configuration files related to public-private keys.
- ~/.ssh/identity.pub contains the protocol version 1 RSA public key
- ~/.ssh/id_dsa contains the protocol version 2 DSA authentication identity of the user
- ~/.ssh/id_dsa.pub contains the protocol version 2 DSA public key for authentication
- ~/.ssh/id_rsa contains the protocol version 2 RSA authentication identity of the user
- ~/.ssh/id_rsa.pub contains the protocol version 2 RSA public key for authentication
Generate Keys with ssh-keygen
Generating keys without any parameters is very easy. This will generate a key with default values and options. It takes 3 steps: just press Enter at each prompt after issuing the ssh-keygen command.
$ ssh-keygen
Set Key File Name and Path
Now we will specify the path where the key files are saved. We do not enter a path if we want to use the default path, which is ~/.ssh/id_rsa
Enter file in which to save the key (/home/ismail/.ssh/id_rsa):
Encrypt Private SSH Keys with ssh-keygen
Now we are asked to enter a passphrase, but we will not enter one. Where our private key will
Enter passphrase (empty for no passphrase):
Again, do not enter a passphrase.
Enter same passphrase again:
![Generate Keys](https://i-blog.csdnimg.cn/blog_migrate/645ca19430ee58e25044795005dee644.png)
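A key created with an empty passphrase, as in the steps above, is stored unencrypted on disk. The script below is an added example, not part of the original tutorial: it reports which private key files in a directory lack a passphrase or are readable by other users. The function names and the demo file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report private keys stored without a passphrase or with loose modes.

# key_protection FILE -> prints encrypted | unencrypted | unknown
key_protection() {
    case "$(sed -n '1p' "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Body is base64("openssh-key-v1\0" + cipher name); cipher "none" gives the first prefix.
        case "$(sed -n '2p' "$1")" in
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo unencrypted ;;
        b3BlbnNzaC1rZXktdjEA*)            echo encrypted ;;
        *)                                echo unknown ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;    # PKCS#8
    "-----BEGIN PRIVATE KEY-----")           echo unencrypted ;;  # PKCS#8
    "-----BEGIN "*" PRIVATE KEY-----")
        # Legacy PEM (RSA/DSA/EC) announces encryption in a header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *)  echo unknown ;;
    esac
}

# key_mode_ok FILE -> status 0 when group and others have no permissions
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_keys DIR -> one line per private key; status 1 on any finding
audit_keys() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        [ "$state" = unknown ] && continue      # .pub, config, known_hosts
        mode=ok; key_mode_ok "$f" || mode=too-open
        echo "${f##*/}: $state, mode $mode"
        { [ "$state" = encrypted ] && [ "$mode" = ok ]; } || rc=1
    done
    return $rc
}

# Demo on a constructed file (placeholder body, not a real key).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ' > "$demo/id_rsa"
chmod 644 "$demo/id_rsa"
audit_keys "$demo" || echo "findings need attention"
rm -rf "$demo"
```

Run `audit_keys ~/.ssh` to check the default key directory; a non-zero status means at least one key needs a passphrase or `chmod 600`.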
Generate RSA Key with ssh-keygen
In the previous example we generated an SSH key with default settings. The default settings were as below.
- RSA
- 2048 bit
But we can specify the public key algorithm explicitly by using the -t option like below.
$ ssh-keygen -t rsa
![Generate RSA Key](https://i-blog.csdnimg.cn/blog_migrate/21466b12e6412853183178b65d518bf9.png)
Generate DSA Key with ssh-keygen
DSA is a less popular but useful public key algorithm. DSA keys can be generated by specifying the key type with -t dsa
$ ssh-keygen -t dsa
Set Key Size for ssh-keygen
Keys have different sizes for different purposes. A bigger size means more security but needs more processing, which is a trade-off. We can specify the size of the key according to our needs with the -b option and the length of the key. The size is counted in bits, so the following example will create a 1024 bit key.
$ ssh-keygen -b 1024
![Set Key Size](https://i-blog.csdnimg.cn/blog_migrate/f32b64f51b7b13e7b61a1f6b869cac09.png)
Write Keys To File with ssh-keygen
Created keys will be written to the ~/.ssh directory with related names. This default behavior can be changed with the -f option and a file path. In this example we will write the keys to the current user's home directory.
$ ssh-keygen -f ~/key
![Write Keys To File](https://i-blog.csdnimg.cn/blog_migrate/7ffaabac83c8d28fe05764204472c547.png)
As we can see, we are not asked for the path because we have already provided it explicitly.
Encrypt Generated Keys with ssh-keygen
Private keys must be protected. There are different ways to protect private keys. We should use symmetric cryptography to encrypt the private key. ssh-keygen already provides this feature. We will set a password to access the private key. In an interactive run the passphrase is asked for, but we can also specify it explicitly when calling the command with the -N option like below. We will provide the passphrase in cleartext. This passphrase is also saved in the bash history file, which creates a security vulnerability. Keep this in mind when using option-based encryption of private keys.
$ ssh-keygen -N Pp2013Pp -f ~/ke
![Encrypt Generated Keys](https://i-blog.csdnimg.cn/blog_migrate/c4bf8bea2e7a6330267ae91d2a8082da.png)
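Because a passphrase given with -N ends up in the shell history, it is worth checking history files for such commands. The script below is an added example, not part of the original tutorial: it lists ssh-keygen invocations that carry a passphrase on the command line and redacts the value in its report. The function names and the sample history lines are constructed for illustration, apart from the command shown above.

```shell
#!/bin/sh
# Added example: find shell-history lines where ssh-keygen received a
# passphrase as an argument (-N new, -P old), without re-printing the secret.

# Constructed sample history; the third entry is the command from this page.
sample_history() {
    cat <<'EOF'
ls -la ~/.ssh
ssh-keygen -t rsa
ssh-keygen -N Pp2013Pp -f ~/ke
ssh-keygen -t rsa -N "" -f /tmp/ci_key
ssh-keygen -p -P 'old secret' -N "new secret" -f ~/key
EOF
}

# find_inline_passphrases [FILE]   (reads stdin when FILE is omitted)
# Prints "LINE: command" with each passphrase redacted.
# Exit status 0 when at least one inline passphrase was found, 1 otherwise.
find_inline_passphrases() {
    awk '
    BEGIN {
        # -N/-P followed by a quoted string or a bare word (\047 is a single quote).
        re = "[ \t]-[NP][ \t]*(\"[^\"]*\"|\047[^\047]*\047|[^ \t\"\047][^ \t]*)"
    }
    $0 !~ "(^|[^A-Za-z0-9_.-])ssh-keygen([ \t]|$)" { next }
    {
        line = $0; out = ""; hit = 0
        while (match(line, re)) {
            tok = substr(line, RSTART, RLENGTH)
            val = tok
            sub(/^[ \t]-[NP][ \t]*/, "", val)
            if (val == "\"\"" || val == "\047\047") {
                out = out substr(line, 1, RSTART + RLENGTH - 1)   # empty passphrase: nothing leaked
            } else {
                out = out substr(line, 1, RSTART - 1) " -" substr(tok, 3, 1) " <redacted>"
                hit = 1
            }
            line = substr(line, RSTART + RLENGTH)
        }
        if (hit) { print NR ": " out line; found = 1 }
    }
    END { exit (found ? 0 : 1) }
    ' "${1:--}"
}

# Demo on the constructed sample.
sample_history | find_inline_passphrases || echo "no inline passphrases found"
```

Point it at a real file with `find_inline_passphrases ~/.bash_history`; any key whose passphrase shows up there should get a new passphrase with `ssh-keygen -p`, entered at the interactive prompt.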
Translated from: https://www.poftut.com/how-to-generate-ssh-key-with-ssh-keygen-in-linux/