OSX: SSH密钥使用日记(2)

准备钥匙和锁(密钥对)：

$ pwd
/Users/test
$ ssh-keygen -t dsa -C "$(whoami)@$(hostname),$(date '+%F %T')" -f ./ssh/my_dsa_sshkey

参数：

-t: 支持的格式是rsa1, rsa, dsa和ecdsa. OSX 10.8之前的不支持ecdsa.

-f : 用于设定密钥的加密方式，合法的有rsa, dsa和ecdsa

-b: 设定密钥长度, rsa是768到2048之间的数值； dsa只能是1024；ecdsa只能是256, 384 or 521中的一个。

-N: 这就是设置密语暗号(passphrass)，这个的用途是，一旦你的那把钥匙丢了，别人没有你的暗语，也无法使用。

-q: 如果不想看它的提示信息，就加上这个静默选项。

-f: 保存的文件名。

-C: 可以设置一个注释.

$ ssh-keygen -A

如果求简单，就是用这一句，自动为每一个加密方式(rsa1, rsa, dsa and ecdsa)，在默认位置(.ssh/)生成默认密钥对文件(identity, id_rsa, id_dsa, id_ecdsa)

查看生成的ssh密钥对：

# display public key-钥匙
$ ssh-keygen -e -f .ssh/my_dsa_sshkey
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted by toliu@W430-275.local from OpenSSH"
AAAAB3NzaC1kc3MAAACBAP448yfy/RPzS4vJmVUdAgbhTT7+wAcPVgQM9phZRlVET6S+iy
6IK7w9gVZUYmNsWKCII=
---- END SSH2 PUBLIC KEY ----
#display private key－锁
$ ssh-keygen -y -f .ssh/my_dsa_sshkey
sh-dss AAAAB3NzaC1kc3MAAACBAP448yfy/RPzS4vJmVUdAgbhTT7+wAcPVgQM9phZRlVET6S+iy6IK7w9gVZUYmNsWKCIIVp3Tp35WBdBWzwBlBIKad73oDmskHXzKdhpqBqlTOBXnb5bEShR1GXv41isiDg/uhWjr3yPQQBqQuZtqeGnIgyDsaDCElbH9RzQXQLdAAAAFQCd8b6azLV+cIBHUlhx96s0THzxJwAAAIAXkuFTxQ6Weax8nQA6UGbPUOV1yVpLa6Js/wBZdTzgWJpvtMoVSE/F+5dkzHWYdPh9x1HKCw310GVsvIdmZeh=

其实直接用cat来看私有和共有密钥：

# it will not show a passphrased private key itself. 有暗号的钥匙不会显示钥匙原貌
# if private key without passphras, it will show the private key itself.
$ cat .ssh/my_dsa_sshkey
----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5549710C5D9791C4020C7A0FFAA00306

HpvJCObP/tsGpmlBphXc1Kw6DzkZc6KDcEbrvQeB9Q5vsuz9DQvIPaWwKOBomWWN
eDZHfVS9CVFkrRW+2mvXaw7uHgMMjQNdKnAdnV5voi5ePjwFF9OMpvS7u9+0zoWO
9fJYX/QB2LS9ijpXf5g4nVN5/6ZrEZ5Z/xeVVAzqn4irH6U7x3qd+RFb8nLf+pRU
4wIoa05eqYLE7BHP7uqe9==
-----END DSA PRIVATE KEY-----
# show the public key itself－锁
$ cat .ssh/my_dsa_sshkey.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted by toliu@W430-275.local from OpenSSH"
AAAAB3NzaC1kc3MAAACBAP448yfy/RPzS4vJmVUdAgbhTT7+wAcPVgQM9phZRlVET6S+iy
6IK7w9gVZUYmNsWKCII=
---- END SSH2 PUBLIC KEY ----

10.8系统的变更-Ref (1)：

$ cat /etc/sshd_config | grep "authorized_keys"
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

在10.6上面现实的是

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

Ref:

(1): Error: “Permission denied > (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive)” on Mountain Lion Mountain Lion (10.8)

(2): SSH Keys (简体中文) －En

(3): man ssh; man ssh-keygen

(4): LBackup Network Backup Information

(5): Keychain