SSL Basics, Part 4: Generating an SSH asymmetric key pair with openssl

When SSH is used with key-based authentication, the RSA (or other algorithm) asymmetric key pair is usually generated with the ssh-keygen command provided by OpenSSH. The openssl command provided by OpenSSL can do the same. This article explains the relevant details through an example of using openssl to generate a key pair that works for SSH connections.

ssh-keygen vs openssl

ssh-keygen can generate key pairs of the RSA, RSA1, DSA, ECDSA, ED25519 and other types.

[root@liumiaocn ~]# ssh-keygen help 2>&1 |grep rsa
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
[root@liumiaocn ~]# 

openssl can do all of this as well. In fact both are implemented on top of libssl, and libssl is one of the components of OpenSSL. This can be confirmed with the following commands:

Confirmation command for ssh-keygen: ldd `which ssh-keygen` |grep libssl

Confirmation command for openssl: ldd `which openssl` |grep libssl

Taking openssl as the example:

[root@liumiaocn ~]# ldd `which openssl` |grep libssl
	libssl.so.1.1 => /usr/local/lib64/libssl.so.1.1 (0x00007f38432f1000)
[root@liumiaocn ~]#

ssh-keygen also uses libssl. Because OpenSSL 1.1.1 was installed and updated manually in this environment, while the shared library that ssh-keygen links against still points to the 1.0.2 version of libssl, this can be manually

[root@liumiaocn ~]# ldd `which ssh-keygen` |grep libssl
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f9b1e445000)
	libssl3.so => /lib64/libssl3.so (0x00007f9b1e1f3000)
[root@liumiaocn ~]# ls -l /lib64/libssl.so.10
lrwxrwxrwx. 1 root root 16 Dec  8 00:32 /lib64/libssl.so.10 -> libssl.so.1.0.2k
[root@liumiaocn ~]# ls -l /lib64/libssl.so.1.0.2k 
-rwxr-xr-x. 1 root root 470376 Aug  8 21:38 /lib64/libssl.so.1.0.2k
[root@liumiaocn ~]# 

Configuring an SSH connection with openssl

Just as with ssh-keygen, openssl can be used to set up the asymmetric key pair for an SSH connection. The setup is explained below using an RSA key pair as the example.

Step 1: Generate the private key

Example command: openssl genrsa -3 -out rsa_key.private

Example execution log:

[root@liumiaocn ~]# mkdir sshtest
[root@liumiaocn ~]# cd sshtest/
[root@liumiaocn sshtest]# openssl genrsa -3 -out rsa_key.private
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................................+++++
....................+++++
e is 3 (0x03)
[root@liumiaocn sshtest]# cat rsa_key.private 
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA53Ab1rRtgEL4/UkoPr10ukOX16DFwb5F77XnuEpyHHd6t30p
3rfaaSwxBUecUllYOBkU7AgT+VK4jFebaXyvhiErZH2iyqL3/7WY6/ik4KKjwAUl
xSVvMV0C9mZv7BzMjuGliFPZ9cX3YG2g5bsxamkyeqhgJdYg/HSolrnP+8m3aPpN
Ra6z35v3t5pkOr7Rh7PnqfHAtyJp2Feo1vc5kdOYZp+26aMgo1NEz93y0KRsTRM4
VC2+zvk8FVFDCPFzAOxWjUx4bEIDbLK5LzB9jsQu8422CDqrbnSVZFqLMR9iEHQr
kcRGwEdLGvluX8iPKrEhyjOVrqyHhxTmoa6BCwIBAwKCAQEAmkq9Oc2eVYH7U4Ya
1H5N0YJlOmsugSmD9SPv0DGhaE+nJP4b6c/m8Mggri+9jDuQJWYN8rANUOHQXY+8
8P3KWWtyQv5shxdP/85l8qXDQGxtKq4ZLhj0y5NXTu71SBMzCevDsDfmo9lPlZ5r
Q9Ig8Zt2/HBAGTlrUvhwZHvf/S/gLYq6GM1m6FWQPsVbiqhT23GcwkTHQgQcFafQ
7i/mQOCOdYzp87rkcntTCWZyzFmqEL9tYda1o5L1JgXxNceOTqY4ziPXGcPz5uiM
rOtYcv9ZysUeC7K/pAxQINhhnQ9F9+ToUjxRf92MFduw/ZaKvDqq9NcG5IkpAzab
Fz4lmwKBgQD8dgM1PCtxd6FMGvgfnZY1iqjDqV1x6+J9BPyMq4JjwLZRa4s2SrpT
Miwhtx6WKc6ZFd0V8WXobksF/2e/6kB0KmBu4r9+DKHiKCUHCZ3v0MZYVEcRiNMS
UBq37z5TqzKp0Hu1s8UxVBbTTkKnot6xufjEJEGCyyLjefYi3D+xJwKBgQDqrqcA
5E8oC3pTPno7TSweM+C43S0j6DnCst9ixiz8b8xxSsEhsVB2xW4miqWwdE9UHhb+
UAXF61HGXOCZTgWpYJKSdVc3uPozajDfIjGJEX7P7x73bdt5qEdlQ9elGlXPTCEZ
YqSbLGQlq+09QIgNVmBdNq+IjLvmiEzbIpGXfQKBgQCoTqzOKBz2T8DdZ1AVE7l5
BxstG5OhR+xTWKhdx6xCgHmLnQd5hybiIXLBJL8Oxom7Y+i5S5lFntyuqkUqnCr4
HEBJ7H+pXcFBcBivW76f4IQ64toLsIy24BHP9NQ3x3cb4FJ5IoN2OA83iYHFFz8h
JqXYGCush2yXpqQXPX/LbwKBgQCcdG9V7YoaslGM1FF83h1pd+sl6MjCmtEsdz+X
LsioSohLhytry4r52PQZscPK+DTivrn+4APZR4vZk0BmNAPGQGG2+OTP0KbM8XXq
FsuwtlSKn2n6STz7xYTuLTpuEY6KMsC7lxhncu1ucp4o1bAI5EA+JHUFsyfvBYiS
Fwu6UwKBgECb1go6KKl1vgbDizK233Q/udI/EasydD8rv1ZMoiC57JevkfigYPCD
PV3WZwBHGoLmI2fJ+NK5bHJ0av7x8WOkLhGnyr9HKCDbmRLVrmI5QacbAzdIVmrE
e52gFyTIbxFWiT7s0yExrqQhh340Bou0v81o8ZJGJ0p82AzMcE48
-----END RSA PRIVATE KEY-----
[root@liumiaocn sshtest]# 

Step 2: Generate the public key

With the private key in hand, run the following command to generate the public key:

Example command: openssl rsa -pubout -in rsa_key.private -out rsa_key.public

Example execution log:

[root@liumiaocn sshtest]# ls
rsa_key.private
[root@liumiaocn sshtest]# openssl rsa -pubout -in rsa_key.private -out rsa_key.public
writing RSA key
[root@liumiaocn sshtest]# cat rsa_key.public 
-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA53Ab1rRtgEL4/UkoPr10
ukOX16DFwb5F77XnuEpyHHd6t30p3rfaaSwxBUecUllYOBkU7AgT+VK4jFebaXyv
hiErZH2iyqL3/7WY6/ik4KKjwAUlxSVvMV0C9mZv7BzMjuGliFPZ9cX3YG2g5bsx
amkyeqhgJdYg/HSolrnP+8m3aPpNRa6z35v3t5pkOr7Rh7PnqfHAtyJp2Feo1vc5
kdOYZp+26aMgo1NEz93y0KRsTRM4VC2+zvk8FVFDCPFzAOxWjUx4bEIDbLK5LzB9
jsQu8422CDqrbnSVZFqLMR9iEHQrkcRGwEdLGvluX8iPKrEhyjOVrqyHhxTmoa6B
CwIBAw==
-----END PUBLIC KEY-----
[root@liumiaocn sshtest]# ls
rsa_key.private  rsa_key.public
[root@liumiaocn sshtest]# 

Step 3: Convert the public key format

Converting the public key with ssh-keygen completes the preparation of the key pair used for the SSH connection. The command is shown below:

Example command: ssh-keygen -f rsa_key.public -i -mPKCS8 >id_rsa.pub

Example execution log:

[root@liumiaocn sshtest]# ls
rsa_key.private  rsa_key.public
[root@liumiaocn sshtest]# ssh-keygen -f rsa_key.public -i -mPKCS8 >id_rsa.pub
[root@liumiaocn sshtest]# ls
id_rsa.pub  rsa_key.private  rsa_key.public
[root@liumiaocn sshtest]# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAQEA53Ab1rRtgEL4/UkoPr10ukOX16DFwb5F77XnuEpyHHd6t30p3rfaaSwxBUecUllYOBkU7AgT+VK4jFebaXyvhiErZH2iyqL3/7WY6/ik4KKjwAUlxSVvMV0C9mZv7BzMjuGliFPZ9cX3YG2g5bsxamkyeqhgJdYg/HSolrnP+8m3aPpNRa6z35v3t5pkOr7Rh7PnqfHAtyJp2Feo1vc5kdOYZp+26aMgo1NEz93y0KRsTRM4VC2+zvk8FVFDCPFzAOxWjUx4bEIDbLK5LzB9jsQu8422CDqrbnSVZFqLMR9iEHQrkcRGwEdLGvluX8iPKrEhyjOVrqyHhxTmoa6BCw==
[root@liumiaocn sshtest]# 
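As an added example (not part of the original post), the following standard-library Python performs the same conversion as step 3 on the public key printed in step 2: it parses the PEM SubjectPublicKeyInfo and repacks n and e into the OpenSSH wire format that id_rsa.pub contains. It also reports the parameters the `-3` option chose (e = 3, whereas ssh-keygen defaults to 65537) so that a reviewer of an authorized_keys entry can check them. The function names are mine.

```python
import base64

# Public key exactly as printed by `cat rsa_key.public` in step 2 of the post.
PEM_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA53Ab1rRtgEL4/UkoPr10
ukOX16DFwb5F77XnuEpyHHd6t30p3rfaaSwxBUecUllYOBkU7AgT+VK4jFebaXyv
hiErZH2iyqL3/7WY6/ik4KKjwAUlxSVvMV0C9mZv7BzMjuGliFPZ9cX3YG2g5bsx
amkyeqhgJdYg/HSolrnP+8m3aPpNRa6z35v3t5pkOr7Rh7PnqfHAtyJp2Feo1vc5
kdOYZp+26aMgo1NEz93y0KRsTRM4VC2+zvk8FVFDCPFzAOxWjUx4bEIDbLK5LzB9
jsQu8422CDqrbnSVZFqLMR9iEHQrkcRGwEdLGvluX8iPKrEhyjOVrqyHhxTmoa6B
CwIBAw==
-----END PUBLIC KEY-----"""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def pem_to_openssh(pem):
    """Return (openssh_line, e, modulus_bits) for a PEM RSA SubjectPublicKeyInfo."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    _, spki, _ = der_tlv(base64.b64decode(body))
    (_, alg), (_, bitstr) = der_children(spki)
    assert der_children(alg)[0][1] == RSA_OID, "not an rsaEncryption key"
    _, rsa_pub, _ = der_tlv(bitstr[1:])  # skip the BIT STRING's unused-bits byte
    (_, n_bytes), (_, e_bytes) = der_children(rsa_pub)  # RSAPublicKey {n, e}
    # DER INTEGER and SSH mpint share the minimal two's-complement encoding, so the
    # bytes are repacked as-is as RFC 4251 strings in the order "ssh-rsa", e, n.
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-rsa", e_bytes, n_bytes))
    e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
    return "ssh-rsa " + base64.b64encode(blob).decode(), e, n.bit_length()

def needs_review(e, bits):
    """Flag keys a reviewer of authorized_keys should question: an exponent other than
    the conventional 65537 (ssh-keygen's default) or a modulus shorter than 2048 bits."""
    return e != 65537 or bits < 2048
```

Running `pem_to_openssh(PEM_PUBLIC_KEY)` reproduces the id_rsa.pub line from step 3 byte for byte and returns e = 3 with a 2048-bit modulus, which `needs_review` flags because of the non-default exponent.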

Step 4: Pre-checks and preparation for the SSH connection

The ~/.ssh directory contains only known_hosts, and connecting to this machine by IP address prompts for a password, which means that either no SSH key pair has been configured or the configuration did not succeed. Here, since there is no key pair at all, nothing has been configured.

[root@liumiaocn sshtest]# ls ~/.ssh
known_hosts
[root@liumiaocn sshtest]# ssh 192.168.163.121
[email protected]'s password:

Copy the public and private keys generated by openssl into place:

[root@liumiaocn sshtest]# ls
id_rsa.pub  rsa_key.private  rsa_key.public
[root@liumiaocn sshtest]# ls ~/.ssh
known_hosts
[root@liumiaocn sshtest]# cp id_rsa.pub ~/.ssh
[root@liumiaocn sshtest]# cp rsa_key.private ~/.ssh/id_rsa
[root@liumiaocn sshtest]# ls ~/.ssh
id_rsa  id_rsa.pub  known_hosts
[root@liumiaocn sshtest]# 

Notes:

  • The public key must be the converted file (id_rsa.pub)
  • The contents of the private key do not need to change, but the file must be renamed to id_rsa

Step 5: Install the key pair with ssh-copy-id

Either ssh-copy-id or manually editing the authorized_keys file works. This article uses the ssh-copy-id command directly; the execution log is shown below:

[root@liumiaocn sshtest]# ssh-copy-id -i 192.168.163.121
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.163.121'"
and check to make sure that only the key(s) you wanted were added.

[root@liumiaocn sshtest]# 
[root@liumiaocn sshtest]# ls ~/.ssh
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@liumiaocn sshtest]#

Step 6: Verify the SSH connection

Connecting to 192.168.163.121 with ssh shows that the key setup succeeded: the ssh command no longer asks for a password. This demonstrates that a key pair generated by openssl is fully usable.

[root@liumiaocn sshtest]# ssh 192.168.163.121 hostname
liumiaocn
[root@liumiaocn sshtest]#

Summary

Generating the key pair needed for SSH connections with openssl offers more configurable options than ssh-keygen and can be used as needed; it is also just one small application among openssl's many functions.
