好吧,使用ssh-keygen创建一个ssh对很容易,但是如何用ssh-keygen生成一个允许我使用AES-256-CBC的ssh对?
默认的一个总是AES-128-CBC,我尝试过不同的参数,但它们不起作用:
ssh-keygen -b 4096 -t rsa -Z aes-256-cbc
但他们没有工作,任何想法如何这样做?
解决方法:
使用ssh-keygen时,不会生成aes使用的密钥.由于aes是symmetric cipher,因此其键不成对出现.通信的两端使用相同的密钥.
ssh-keygen生成的密钥使用public key cryptography进行身份验证.从ssh-keygen手册:
ssh-keygen generates, manages and converts authentication keys for
ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
从ssh手册:
Public key authentication works as follows: The scheme is based on
public-key cryptography, using cryptosystems where encryption and
decryption are done using separate keys, and it is unfeasible to derive
the decryption key from the encryption key. The idea is that each user
creates a public/private key pair for authentication purposes. The
server knows the public key, and only the user knows the private key.
ssh implements public key authentication protocol automatically, using
one of the DSA, ECDSA, Ed25519 or RSA algorithms.
公钥加密的问题在于它很慢.对称密钥加密速度更快,并且由ssh用于实际数据传输.用于对称加密的密钥是在建立连接后动态生成的(引自sshd手册):
For protocol 2, forward security is provided through a Diffie-Hellman key
agreement. This key agreement results in a shared session key. The rest
of the session is encrypted using a symmetric cipher, currently 128-bit
AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
client selects the encryption algorithm to use from those offered by the
server. Additionally, session integrity is provided through a
cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
如果你想使用aes256-cbc,你需要在命令行中使用-c选项指定它,在最基本的形式中,它看起来像这样:
$ssh -c aes256-cbc user@host
您还可以使用逗号分隔列表在ssh_config中指定首选的密码选择.但是,不建议修改默认值,因为这最好留给专家. OpenSSH开发人员在选择默认值时有很多考虑因素和多年的经验.
标签:linux,debian,ssh
来源: https://codeday.me/bug/20190810/1641341.html