  • Learn a Linux command every N days: ssh-keygen

    Purpose

    Generates the keys that SSH's encryption algorithms require, and manages and converts them.

    Usage

         ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
         ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
         ssh-keygen -i [-f input_keyfile]
         ssh-keygen -e [-f input_keyfile]
         ssh-keygen -y [-f input_keyfile]
         ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
         ssh-keygen -l [-f input_keyfile]
         ssh-keygen -B [-f input_keyfile]
         ssh-keygen -D pkcs11
         ssh-keygen -F hostname [-f known_hosts_file] [-l]
         ssh-keygen -H [-f known_hosts_file]
         ssh-keygen -R hostname [-f known_hosts_file]
         ssh-keygen -r hostname [-f input_keyfile] [-g]
         ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
         ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W generator]
         ssh-keygen [-n] [-D smartcard]
         ssh-keygen -s ca_key -I certificate_identity [-h] [-Z principals] [-O option] [-V validity_interval]
                    [-z serial_number] file ...
         ssh-keygen -L [-f input_keyfile]
    

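    Common options

    -B
    Show the bubblebabble digest of the key file.

    -b bits
    Key length in bits. The longer the key, the more secure the encryption; the default is 2048 bits.

    -C comment
    Set the comment.

    -c
    Request a change of the comment. Only RSA1 key files are supported; if the file is protected by a passphrase, you are prompted for it.

    -D pkcs11
    Download the RSA public keys stored in pkcs11.

    -e
    Read an OpenSSH public key file, convert it to the RFC 4716 SSH Public Key File Format, and write the result to stdout.

    -F hostname
    Search the known_hosts file for hostname. If no file is specified, ~/.ssh/known_hosts is searched by default. Only domain names can be looked up; IP addresses cannot.

    -f filename
    Specify the full path of the key file.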

    -G output_file
    (Generate candidate primes for DH-GEX. These primes must be screened for safety (using the -T option) before use.)

    -g
    (Use generic DNS format when printing fingerprint resource records using the -r command.)

    -H
    (Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally by ssh and sshd, but they do not reveal identifying information should the file’s contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names.)

    -h
    (When signing a key, create a host certificate instead of a user certificate.)

    -I
    (Specify the key identity when signing a public key.)

    -i
    (This option will read an unencrypted private (or public) key file in SSH2-compatible format and print an OpenSSH compatible private (or public) key to stdout.)

    -L
    Print the contents of a certificate.

    -l
    Show the public key fingerprint.

    -M memory
    (Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.)

    -n
    (Extract the public key from smartcard.)

    -N new_passphrase
    Set the passphrase for the key file.

    -P passphrase
    (Provides the (old) passphrase.)

    -p
    Request a change of the key file's passphrase.

    -q
    Quiet mode.

    -R hostname
    (Removes all keys belonging to hostname from a known_hosts file.)

    -r hostname
    (Print the SSHFP fingerprint resource record named hostname for the specified public key file.)

    -s ca_key
    (Certify (sign) a public key using the specified CA key.)

    -t type
    Set the type of key to create.
    (The possible values are “rsa1” for protocol version 1 and “dsa”, “ecdsa” or “rsa” for protocol version 2.)

    -v
    Debug mode.

    -y
    (This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.)

    Practice

    1 Extract the public key in the standard format

    [root@vm ssh]# ssh-keygen -e -f ssh_host_rsa_key
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted from OpenSSH by root@vm"
    AAAAB3NzaC1yc2EAAAABIwAAAQEAvF/iYFaWAMBMdAA4888pq1uxL34ptaEci/H0aG21eW
    eloNtM/QPx8DiSTOcF7rT/i0BLMBAzNKdSZOZHBdG8Apf5VWsfNyKQ6a5qEfV26lr6CKg8
    zPgdLoA8bQYarjN+LKrYWT9xteafVw9TLAtQAAdZFePkUkIKBMVhn48kM95HHOF6hcua99
    TcJ0AyvcFof+ebLyGznXKxrf2sliAHwaCWwO7rHhuIRJvCyDmrzh4NffozRqVfJEm2c90H
    3397Nd6seCOHOUVNRz2l69hfYWOPuuvlS2aQicbU9touw5f4ZvDTFxpyn2ZvqGaZzvBril
    /QF/qbEsKYsCVCWaUYMQ==
    ---- END SSH2 PUBLIC KEY ----
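
    The conversion that -e performs (and -i reverses), as an added example in Python that is not part of the original article: RFC 4716 wraps the same base64 key blob at 70 columns between marker lines, with optional "Tag: value" headers. The function names and the sample key are constructed for illustration; the sample blob has the right framing but is not a usable key.

```python
import base64


BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def to_rfc4716(openssh_line, comment):
    """What `ssh-keygen -e` prints for a one-line OpenSSH public key."""
    key_type, b64 = openssh_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)   # reject non-base64 input
    # The blob starts with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # 70-column wrap
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"


def from_rfc4716(text):
    """What `ssh-keygen -i` prints: back to the one-line OpenSSH form."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 markers")
    b64_parts, in_header = [], False
    for line in lines[1:-1]:
        # Header lines look like "Tag: value"; a trailing backslash continues them.
        if in_header or ":" in line:
            in_header = line.endswith("\\")
            continue
        b64_parts.append(line)
    b64 = "".join(b64_parts)
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")
    key_type = blob[4:4 + n].decode("ascii")
    return f"{key_type} {b64}"


# Constructed sample: right framing for "ssh-rsa", but not a usable key.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + bytes(range(200))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@vm"
```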
    

    2 Look up the host key information for github.com

    [root@vm ssh]# ssh-keygen -H -F github.com
    # Host github.com found: line 5 type RSA
    |1|+31fGJzfnYKj7Mzk9ncYS2pZ7sI=|C0orBfR1oH2VQ9ij2gRz9QBOAyk= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg733www+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
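
    What the |1|salt|hash field in the output above contains, as an added example in Python (not from the original article): the salt is 20 random bytes and the hash is HMAC-SHA1 of the host name keyed with that salt, both base64-encoded, so a lookup such as -F recomputes the HMAC for each line. The function names, host names and key placeholders are constructed.

```python
import base64
import hashlib
import hmac
import os


def hash_host(hostname, salt=None):
    """Build the `|1|salt|hash` field that `ssh-keygen -H` writes."""
    salt = salt or os.urandom(20)            # 20 random bytes per entry
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def field_matches(field, hostname):
    """True if a known_hosts host field refers to hostname."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            want = base64.b64decode(mac_b64, validate=True)
        except ValueError:
            return False                     # malformed hashed field
        got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Unhashed field: comma-separated names (wildcard patterns not handled here).
    return hostname in field.split(",")


def find_host(known_hosts_text, hostname):
    """Like `ssh-keygen -F hostname`: return (line_number, key_type) matches."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "@")):
            continue                         # skip blanks, comments, @markers
        if field_matches(parts[0], hostname):
            hits.append((number, parts[1]))
    return hits


# Constructed sample file: key material is a placeholder, not a real host key.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "build.example.com,build-alias.example.com ssh-ed25519 AAAAC3PLACEHOLDER x",
    hash_host("git.example.com", b"constructed-salt-20b") + " ssh-rsa AAAAB3PLACEHOLDER",
])
```

    Because the salt is stored beside the hash, hashing keeps names from being read off a disclosed file but does not stop someone from testing a name they already suspect.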
    

    3 Show the public key fingerprint

    [root@vm ssh]# ssh-keygen -l -f ./ssh_host_rsa_key.pub
    2048 90:05:de:31:8c:ff:ba:5a:2b:b3:80:b5:61:68:52:52 ./ssh_host_rsa_key.pub (RSA)
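
    How the fingerprint line above is derived, as an added example in Python (not from the original article): the colon-separated value is the MD5 of the decoded key blob, and the bit count is the length of the RSA modulus inside it. Newer OpenSSH releases print a SHA256 fingerprint by default and accept -E md5 for the older form; the helper names and the sample key are constructed, and the sample modulus is not a real RSA modulus.

```python
import base64
import hashlib
import struct


def read_string(blob, offset):
    """Read one length-prefixed SSH string; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def fingerprint(pub_line):
    """Return (bits, md5_fp, sha256_fp, type) for an ssh-rsa public key line."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = read_string(blob, 0)
    if key_type != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("only ssh-rsa is handled in this example")
    _exponent, off = read_string(blob, off)
    modulus, off = read_string(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha256_fp = "SHA256:" + base64.b64encode(
        hashlib.sha256(blob).digest()).decode().rstrip("=")
    return bits, md5_fp, sha256_fp, "RSA"


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample: correct wire layout, but the modulus is not a real RSA modulus.
MODULUS = b"\x00" + b"\xc3" * 256          # leading zero byte keeps the mpint positive
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(MODULUS)
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
```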
    

    4 Generate an RSA public/private key pair

    [root@vm ~]# ssh-keygen -v -b 2048  -t rsa -C "rsa key file ,just a test" -f ./test_key
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in ./test_key.
    Your public key has been saved in ./test_key.pub.
    The key fingerprint is:
    f0:66:15:6d:cd:cb:e7:d2:b9:ce:b5:dc:44:ff:97:f0 rsa key file ,just a test
    The key's randomart image is:
    +--[ RSA 2048]----+
    |          .. o   |
    |           .o o  |
    |      .   .. . . |
    |       o .    o .|
    |        S      +o|
    |       o     ..o+|
    |              o.*|
    |              oE*|
    |              .=+|
    +-----------------+
    

  • Original article: https://www.cnblogs.com/wadeyu/p/8885687.html