OSX: SSH密钥使用日记(2)
准备钥匙和锁(密钥对):
$ pwd /Users/test $ ssh-keygen -t dsa -C "$(whoami)@$(hostname),$(date '+%F %T')" -f ./ssh/my_dsa_sshkey
参数:
-t: 支持的格式是rsa1, rsa, dsa和ecdsa. OSX 10.8之前的不支持ecdsa.
-f : 用于设定密钥的加密方式,合法的有rsa, dsa和ecdsa
-b: 设定密钥长度, rsa是768到2048之间的数值; dsa只能是1024;ecdsa只能是256, 384 or 521中的一个。
-N: 这就是设置密语暗号(passphrass),这个的用途是,一旦你的那把钥匙丢了,别人没有你的暗语,也无法使用。
-q: 如果不想看它的提示信息,就加上这个静默选项。
-f: 保存的文件名。
-C: 可以设置一个注释.
$ ssh-keygen -A
如果求简单,就是用这一句,自动为每一个加密方式(rsa1, rsa, dsa and ecdsa),在默认位置(.ssh/)生成默认密钥对文件(identity, id_rsa, id_dsa, id_ecdsa)
查看生成的ssh密钥对:
# display public key-钥匙
$ ssh-keygen -e -f .ssh/my_dsa_sshkey
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted by [email protected] from OpenSSH"
AAAAB3NzaC1kc3MAAACBAP448yfy/RPzS4vJmVUdAgbhTT7+wAcPVgQM9phZRlVET6S+iy
6IK7w9gVZUYmNsWKCII=
---- END SSH2 PUBLIC KEY ----
#display private key-锁
$ ssh-keygen -y -f .ssh/my_dsa_sshkey
sh-dss AAAAB3NzaC1kc3MAAACBAP448yfy/RPzS4vJmVUdAgbhTT7+wAcPVgQM9phZRlVET6S+iy6IK7w9gVZUYmNsWKCIIVp3Tp35WBdBWzwBlBIKad73oDmskHXzKdhpqBqlTOBXnb5bEShR1GXv41isiDg/uhWjr3yPQQBqQuZtqeGnIgyDsaDCElbH9RzQXQLdAAAAFQCd8b6azLV+cIBHUlhx96s0THzxJwAAAIAXkuFTxQ6Weax8nQA6UGbPUOV1yVpLa6Js/wBZdTzgWJpvtMoVSE/F+5dkzHWYdPh9x1HKCw310GVsvIdmZeh=
其实直接用cat来看私有和共有密钥:
# it will not show a passphrased private key itself. 有暗号的钥匙不会显示钥匙原貌
# if private key without passphras, it will show the private key itself.
$ cat .ssh/my_dsa_sshkey
----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5549710C5D9791C4020C7A0FFAA00306
HpvJCObP/tsGpmlBphXc1Kw6DzkZc6KDcEbrvQeB9Q5vsuz9DQvIPaWwKOBomWWN
eDZHfVS9CVFkrRW+2mvXaw7uHgMMjQNdKnAdnV5voi5ePjwFF9OMpvS7u9+0zoWO
9fJYX/QB2LS9ijpXf5g4nVN5/6ZrEZ5Z/xeVVAzqn4irH6U7x3qd+RFb8nLf+pRU
4wIoa05eqYLE7BHP7uqe9==
-----END DSA PRIVATE KEY-----
# show the public key itself-锁
$ cat .ssh/my_dsa_sshkey.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted by [email protected] from OpenSSH"
AAAAB3NzaC1kc3MAAACBAP448yfy/RPzS4vJmVUdAgbhTT7+wAcPVgQM9phZRlVET6S+iy
6IK7w9gVZUYmNsWKCII=
---- END SSH2 PUBLIC KEY ----
10.8系统的变更-Ref (1):
$ cat /etc/sshd_config | grep "authorized_keys"
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
在10.6上面现实的是
#RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys
Ref:
(2): SSH Keys (简体中文) -En
(3): man ssh; man ssh-keygen
(4): LBackup Network Backup Information
(5): Keychain