
Learn a Linux Command in N Days: ssh-keygen


Purpose

Generates the key pairs used by SSH's cryptographic algorithms, and manages and converts existing keys.

Usage

     ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -i [-f input_keyfile]
     ssh-keygen -e [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D pkcs11
     ssh-keygen -F hostname [-f known_hosts_file] [-l]
     ssh-keygen -H [-f known_hosts_file]
     ssh-keygen -R hostname [-f known_hosts_file]
     ssh-keygen -r hostname [-f input_keyfile] [-g]
     ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
     ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W generator]
     ssh-keygen [-n] [-D smartcard]
     ssh-keygen -s ca_key -I certificate_identity [-h] [-Z principals] [-O option] [-V validity_interval]
                [-z serial_number] file ...
     ssh-keygen -L [-f input_keyfile]

Common options

-B
Show the bubblebabble digest of the key file.

-b bits
Key length in bits; a longer key gives stronger encryption. The default is 2048 bits.

-C comment
Set the comment.

-c
Request a change of the comment; only supported for RSA1 key files. If the file is protected by a passphrase, you will be prompted for it.

-D pkcs11
Download the RSA public key stored in a PKCS#11 (pkcs11) token.

-e
Read an OpenSSH public key file, convert it to the RFC 4716 SSH Public Key File Format, and print it to stdout.

-F hostname
Search the known_hosts file for hostname; if no file is specified, ~/.ssh/known_hosts is searched by default. Only domain names can be looked up, not IP addresses.

-f filename
Specify the full path of the key file.

-G output_file
(Generate candidate primes for DH-GEX. These primes must be screened for safety (using the -T option) before use.)

-g
(Use generic DNS format when printing fingerprint resource records using the -r command.)

-H
(Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally by ssh and sshd, but they do not reveal identifying information should the file’s contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names.)

-h
(When signing a key, create a host certificate instead of a user certificate.)

-I
(Specify the key identity when signing a public key.)

-i
(This option will read an unencrypted private (or public) key file in SSH2-compatible format and print an OpenSSH compatible private (or public) key to stdout.)

-L
Print the contents of a certificate.

-l
Show the fingerprint of a public key file.

-M memory
(Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.)

-n
(Extract the public key from smartcard.)

-N new_passphrase
Set the passphrase of the key file.

-P passphrase
(Provides the (old) passphrase.)

-p
Request a change of the key file's passphrase.

-q
Quiet mode.

-R hostname
(Removes all keys belonging to hostname from a known_hosts file.)

-r hostname
(Print the SSHFP fingerprint resource record named hostname for the specified public key file.)

-s ca_key
(Certify (sign) a public key using the specified CA key.)

-t type
Set the type of key to create.
(The possible values are “rsa1” for protocol version 1 and “dsa”, “ecdsa” or “rsa” for protocol version 2.)

-v
Verbose (debug) mode.

-y
(This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.)

Hands-on examples

1 Export the public key in the standard (RFC 4716) format

[root@vm ssh]# ssh-keygen -e -f ssh_host_rsa_key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by root@vm"
AAAAB3NzaC1yc2EAAAABIwAAAQEAvF/iYFaWAMBMdAA4888pq1uxL34ptaEci/H0aG21eW
eloNtM/QPx8DiSTOcF7rT/i0BLMBAzNKdSZOZHBdG8Apf5VWsfNyKQ6a5qEfV26lr6CKg8
zPgdLoA8bQYarjN+LKrYWT9xteafVw9TLAtQAAdZFePkUkIKBMVhn48kM95HHOF6hcua99
TcJ0AyvcFof+ebLyGznXKxrf2sliAHwaCWwO7rHhuIRJvCyDmrzh4NffozRqVfJEm2c90H
3397Nd6seCOHOUVNRz2l69hfYWOPuuvlS2aQicbU9touw5f4ZvDTFxpyn2ZvqGaZzvBril
/QF/qbEsKYsCVCWaUYMQ==
---- END SSH2 PUBLIC KEY ----

2 Look up the host key entry for github.com

[root@vm ssh]# ssh-keygen -H -F github.com
# Host github.com found: line 5 type RSA
|1|+31fGJzfnYKj7Mzk9ncYS2pZ7sI=|C0orBfR1oH2VQ9ij2gRz9QBOAyk= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg733www+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
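What the hashed `|1|salt|hash` entry above actually is, and why `-F` can still find a host in a hashed file while a reader of the file cannot recover the name: the host field is replaced by a random salt and HMAC-SHA1(salt, hostname). The following is an added example (not code from the original post or from OpenSSH) that reimplements the `-H` rewrite and the `-F` lookup over a constructed sample known_hosts file with toy key blobs.

```python
import base64
import hashlib
import hmac
import os

def hash_hostname(hostname: str, salt: bytes) -> str:
    """The '|1|salt|hash' host field written by -H: base64 salt and HMAC-SHA1(salt, hostname)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_matches(field: str, hostname: str) -> bool:
    """Does a known_hosts host field (hashed, or plain comma-separated names) name this host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return hostname in field.split(",")

def find_host(known_hosts: str, hostname: str) -> list:
    """What -F reports: (line number, key type) of every entry whose host field matches."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "@")):  # comments and @marker lines are skipped
            continue
        if host_matches(parts[0], hostname):
            hits.append((lineno, parts[1]))
    return hits

def hash_file(known_hosts: str) -> str:
    """What -H does: each plain name gets its own hashed line; already-hashed lines are left alone."""
    out = []
    for line in known_hosts.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or line.startswith(("#", "@", "|1|")):
            out.append(line)
            continue
        for name in parts[0].split(","):
            out.append(hash_hostname(name, os.urandom(20)) + " " + parts[1])
    return "\n".join(out)

# Constructed sample file: a plain entry with an alias, an already-hashed entry, and a comment
# (the key blobs are toy placeholders, not real keys).
SAMPLE = ("github.com,gh ssh-rsa AAAAtoyblob1\n"
          + hash_hostname("gitlab.com", b"s" * 20) + " ssh-ed25519 AAAAtoyblob2\n"
          + "# trailing comment\n")
```

Running `hash_file` twice is safe, which is the property the `-H` description above relies on for files that mix hashed and plain names.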

3 Show the public key fingerprint

[root@vm ssh]# ssh-keygen -l -f ./ssh_host_rsa_key.pub
2048 90:05:de:31:8c:ff:ba:5a:2b:b3:80:b5:61:68:52:52 ./ssh_host_rsa_key.pub (RSA)
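Examples 1 and 3 both operate on the same thing: the base64 blob in the `.pub` file, which is the SSH wire encoding of the key (`ssh-rsa`, then the exponent e and modulus n as length-prefixed integers). The fingerprint printed by `-l` is simply a hash of that blob, and `-e` only re-wraps the same blob at 70 columns between the RFC 4716 header and footer lines. The following added example (not code from the original post or from OpenSSH) builds, parses, fingerprints and converts such a key; the e and n values are constructed toy numbers that exercise the encoding only and offer no real security.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """Positive mpint: big-endian bytes with a leading 0x00 when the high bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """The blob that ssh-keygen base64-encodes for an ssh-rsa public key."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_blob(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields

def parse_rsa_pub(blob: bytes) -> tuple:
    """Return (e, n) of an ssh-rsa blob."""
    keytype, e, n = parse_blob(blob)
    assert keytype == b"ssh-rsa", keytype
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")

def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 form, as printed by the -l example above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 form printed by newer ssh-keygen versions: unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def to_rfc4716(blob: bytes, comment: str) -> str:
    """RFC 4716 layout produced by -e: header, Comment line, 70-column base64 body, footer."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n" + f'Comment: "{comment}"\n'
            + body + "\n---- END SSH2 PUBLIC KEY ----")

def from_openssh_line(line: str) -> tuple:
    """Parse 'ssh-rsa AAAA... comment' as found in *.pub and authorized_keys."""
    keytype, b64, *comment = line.split(None, 2)
    return keytype, base64.b64decode(b64), (comment[0] if comment else "")

# Constructed sample .pub line (toy e and n, not a usable key).
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(build_rsa_blob(65537, 0xC0FFEE1234567)).decode() + " test@vm"
```

Comparing `fingerprint_sha256(blob)` of a `.pub` file you hold against the value a server or colleague publishes is the check that `-l` exists for; the MD5 form is kept only for matching older output such as the example above.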

4 Generate an RSA key pair

[root@vm ~]# ssh-keygen -v -b 2048  -t rsa -C "rsa key file ,just a test" -f ./test_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./test_key.
Your public key has been saved in ./test_key.pub.
The key fingerprint is:
f0:66:15:6d:cd:cb:e7:d2:b9:ce:b5:dc:44:ff:97:f0 rsa key file ,just a test
The key's randomart image is:
+--[ RSA 2048]----+
|          .. o   |
|           .o o  |
|      .   .. . . |
|       o .    o .|
|        S      +o|
|       o     ..o+|
|              o.*|
|              oE*|
|              .=+|
+-----------------+

References

[1] man ssh-keygen
