ssh-keygen keys

Using ssh-keygen

Generate, manage and convert authentication keys

$ ssh-keygen --help
ssh-keygen: unknown option -- -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
[-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-m key_format] [-f input_keyfile]
ssh-keygen -e [-m key_format] [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-f known_hosts_file] [-l]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
[-j start_line] [-K checkpt] [-W generator]
ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
[-O option] [-V validity_interval] [-z serial_number] file ...
ssh-keygen -L [-f input_keyfile]
ssh-keygen -A
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
file ...
ssh-keygen -Q -f krl_file file ...

-t specifies the type of key to create, e.g. -t dsa | ecdsa | ed25519 | rsa | rsa1

$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/c/Users/Administrator/.ssh/id_ecdsa):

-b bits specifies the key length. For RSA keys the minimum is 768 bits and the default is 2048 bits.

$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/Administrator/.ssh/id_rsa):

-C comment supplies a comment. When generating a key for Git, you are always asked to put your e-mail address in the comment.

$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/Administrator/.ssh/id_rsa): your_email # type a file name here if you want a specific one, otherwise just press Enter
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in jerry.myoss.
Your public key has been saved in jerry.myoss.pub.
The key fingerprint is:
SHA256:zIF+Fqb8qIJsHq1nBV07DTuOvF6ucxhaaIBZcIk2/uE jerry.myoss@gmail.com
The key's randomart image is:
+---[RSA 4096]----+
|.o.. |
|.+o + |
|+o. . o O |
|oo o + X + |
| + = * S |
| .E * * |
|.o..+ =.. |
|.o++ =o. |
|ooo.oo+. |
+----[SHA256]-----+

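-f filename specifies the key file name.

-l shows the fingerprint of a public key file. It also supports RSA1 private keys. For RSA and DSA keys, it looks for the matching public key file and shows its fingerprint.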

$ ssh-keygen -lf id_rsa.pub
2048 SHA256:Ie1oJx+a9+iqZk1OUnUrJVH2e/aRFbGcfLvpG7YNJBY your_email@example.com (RSA)

-E chooses the fingerprint hash; with md5 the fingerprint is shown in MD5 form.

$ ssh-keygen -E md5 -lf id_rsa.pub
2048 MD5:8a:f4:c3:8f:11:53:c9:12:a6:c0:3f:b9:70:a6:84:65 your_email@example.com (RSA)
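
What the two fingerprint formats above are computed from, as an added example (not part of the original post): both are hashes of the base64-decoded key blob in the .pub line, and the bit count is the length of the RSA modulus inside that blob. The sample key is constructed for the example and is not a usable RSA key.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """One SSH wire-format field: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_fields(blob):
    """Split a key blob into its length-prefixed fields; reject truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields

def fingerprint(pub_line):
    """Bits, SHA256 and MD5 fingerprints for one '<type> <base64> [comment]' line."""
    parts = pub_line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    fields = read_fields(blob)
    if not fields or fields[0] != parts[0].encode():
        raise ValueError("key type outside and inside the blob differ")
    # ssh-rsa blob: "ssh-rsa", exponent e, modulus n; the size shown is n's bit length.
    is_rsa = parts[0] == "ssh-rsa" and len(fields) == 3
    bits = int.from_bytes(fields[2], "big").bit_length() if is_rsa else None
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    return {"bits": bits, "sha256": "SHA256:" + sha256, "md5": "MD5:" + md5,
            "comment": parts[2].strip() if len(parts) > 2 else ""}

# Constructed sample: a well-formed ssh-rsa blob, not a usable RSA key.
_blob = (ssh_string(b"ssh-rsa") + ssh_string((65537).to_bytes(3, "big"))
         + ssh_string(((1 << 2047) | 1).to_bytes(257, "big")))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(_blob).decode() + " constructed@example.com"

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PUB)
    print(fp["bits"], fp["sha256"], fp["comment"], "(RSA)")
    print(fp["bits"], fp["md5"], fp["comment"], "(RSA)")
```

Because the fingerprint covers only the key blob, changing the comment with -c leaves it unchanged.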

Common SSH key problems

Permissions 0644 for ‘/root/.ssh/id_rsa’ are too open

[root@linux1 workspace]# git clone git@github.com:myoss/profile.git
Initialized empty Git repository in /root/workspace/profile/.git/
The authenticity of host 'github.com (192.30.252.128)' can't be established.
RSA key fingerprint is 16:27:ac:b5:76:28:2d:37:63:1b:56:3d:sb:df:a6:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.252.128' (RSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/root/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /root/.ssh/id_rsa
Permission denied (publickey).
fatal: The remote end hung up unexpectedly

When the error above appears, the private key's permissions must be tightened to 0600.

[root@linux1 workspace]# chmod 0600 ~/.ssh/id_rsa
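
The same fix applied to a whole key directory, as an added example (not part of the original post): it goes beyond the single chmod above by finding every private key with any group or other permission bit set and tightening it to 0600. The directory contents are constructed placeholders, and private keys are recognised by their "-----BEGIN ... PRIVATE KEY-----" header, which is an assumption of this example.

```python
import os
import stat
import tempfile

def is_private_key(path):
    """True when the file starts with a PEM/OpenSSH private key header."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(128)
    except OSError:
        return False
    return first.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in first

def audit_keys(ssh_dir, fix=False):
    """List (name, mode) for private keys with any group/other bit set."""
    findings = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not is_private_key(path):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # group/other access: the "too open" case
            findings.append((name, "%04o" % mode))
            if fix:
                os.chmod(path, 0o600)  # same effect as: chmod 0600 <key>
    return findings

def demo():
    """Build a constructed ~/.ssh look-alike, audit and fix it, audit again."""
    private = b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
    public = b"ssh-rsa AAAA(constructed placeholder) your_email@example.com\n"
    layout = {"id_rsa": (private, 0o644), "id_rsa.pub": (public, 0o644),
              "jerry1_rsa": (private, 0o600)}
    with tempfile.TemporaryDirectory() as ssh_dir:
        for name, (content, mode) in layout.items():
            path = os.path.join(ssh_dir, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        before = audit_keys(ssh_dir, fix=True)
        after = audit_keys(ssh_dir)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The public key file keeps mode 0644; only private keys are reported.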

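Using multiple public keys with different Git accounts on a server

Well-known hosting sites include github.com abroad and git.oschina.net in China, among others. We may register several accounts on them, so how do we use a different public key for each?

Generate a key for each account

Suppose I have 2 GitHub accounts named jerry1 and jerry2. I first generate two key pairs locally, then add each public key to its GitHub account.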

$ ssh-keygen -t rsa -b 4096 -C "jerry1@myoss.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/Administrator/.ssh/id_rsa): jerry1_rsa
$ ssh-keygen -t rsa -b 4096 -C "jerry2@myoss.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/Administrator/.ssh/id_rsa): jerry2_rsa

Add the public keys to the accounts on the server

Add the two public keys just generated to github.com, one per account (other sites work similarly).

$ cat jerry1_rsa.pub # copy the output below and add it to the GitHub account
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+vhrJRJZHJnLB/hu+4M1WJpWv+VICFUE1P/spsuPE6VZuCsTi/QfO5g9/ekxKgaw0vZs6F568UQbZQV+u3c88t0YWbp6VlvgsPPjJAUw96UkLswMJRmfkwPkZdmrwv5xjLW6eC3xrV0jnZfwzVJl0OHuBMLwfYCwrRjKo8n1dqiQWaAFI6STJpYwj9862o+Bob86h+CQl5CpKsSViyhnHcdrSC498fYptkd2CbaQ8IL0ShLdi/uJAHbVv1cGRyDe/pHpfg9/exJWr9E8zmBHJ1rVYNXWcSJQiaB8sJ2Gqx/Lr8sW3iDaavJEw3y3agx5XWyPG8FDh60g/VHR9PURlkpO28jl8whxiVZbCXUreRZZQy3VCMY+JP73lXsb6a8YJ00PsM5OdTDm1PRQCPUxq492PbysSNeS+k7/RiOSBp1CE1xuWGhvJiZdNAF8pcxxe4Hvbg06PvoDIiyPl6Q0w6N//MNIjiVAJlb8+4Lqdo/EG96QtR8hjGi5j2Pkf2UU6PcmH1Cgb28xNwKorris4JUfHoYq9d7hQBpFOraSzsgM/M7x9QRYLi/3Up8aSXSbbHNrLN4gbIlEjEyb+AjG2WXSAkFNYr6LSRXa3V6KTLttR9Cxqo85WOsdQpJYjeeZVocfWlUkHwl3pSh/x/8GAkAj1J+XenGoJvc+upL13xw== jerry1@myoss.com
$ cat jerry2_rsa.pub
ssh-rsa ... jerry2@myoss.com

Configure the ssh config file

In the .ssh directory under the user's home directory, create or edit the file config.

$ cat ~/.ssh/config
Host jerry1-github
    HostName github.com
    user git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/jerry1_rsa
Host jerry2-github
    HostName github.com
    user git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/jerry2_rsa

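Test the connection to the Git server

No error output means the connection succeeded. For accounts on sites other than GitHub, the output will differ from what is shown below.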

$ ssh -T jerry1-github
Hi jerry1! You've successfully authenticated, but GitHub does not provide shell access.
$ ssh -T jerry2-github
Hi jerry2! You've successfully authenticated, but GitHub does not provide shell access.

Repository addresses on the Git server

On GitHub, the default SSH address of a project looks like this:

git@github.com:<GitHub username>/<GitHub project name>.git
git@github.com:myoss/profile.git # e.g. the profile project in my account

Now the SSH address used for cloning has to change slightly:

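<Host name configured in the config file>:<GitHub username>/<GitHub project name>.git
git clone jerry1-github:jerry1/<GitHub project name>.git # some project of jerry1 on GitHub
git clone jerry2-github:jerry2/<GitHub project name>.git # some project of jerry2 on GitHub

If the project has already been cloned to local disk, change the address of the remote repository instead: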

git remote set-url <short name of the remote> <new repository address>
git remote set-url origin jerry1-github:jerry1/<GitHub project name>.git
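
How the Host alias in a remote address selects the real host, user and key, as an added example (not part of the original post): a simplified reader for the config shown earlier that handles exact Host names only, with "profile" as a constructed repository name. It also reports whether IdentitiesOnly is set; the config above does not set it, and without it ssh can also offer other keys held by ssh-agent, so the account GitHub sees may not be the one the alias names.

```python
# The config from this page, embedded as a string so the example runs offline.
CONFIG = """\
Host jerry1-github
    HostName github.com
    user git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/jerry1_rsa
Host jerry2-github
    HostName github.com
    user git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/jerry2_rsa
"""

def parse_config(text):
    """Map each Host alias to its options (exact aliases only; no wildcards or Match)."""
    hosts, current = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key == "host":
            current = [hosts.setdefault(alias, {}) for alias in value.split()]
        else:
            for opts in current:
                opts.setdefault(key, value)  # the first value obtained wins
    return hosts

def resolve_remote(remote, hosts):
    """Expand an scp-style Git remote 'alias:owner/repo.git' the way the config directs."""
    target, sep, path = remote.partition(":")
    if not sep or not path:
        raise ValueError("expected [user@]host:path")
    user, _, alias = target.rpartition("@")
    opts = hosts.get(alias, {})
    return {
        "user": user or opts.get("user"),
        "hostname": opts.get("hostname", alias),
        "identityfile": opts.get("identityfile"),
        "identitiesonly": opts.get("identitiesonly", "no").lower() == "yes",
        "path": path,
    }

if __name__ == "__main__":
    hosts = parse_config(CONFIG)
    # "profile" under jerry1/jerry2 is a constructed repository name.
    for remote in ("jerry1-github:jerry1/profile.git", "jerry2-github:jerry2/profile.git"):
        print(remote, "->", resolve_remote(remote, hosts))
```

Adding the line IdentitiesOnly yes to each Host block makes ssh offer only the key named by IdentityFile for that alias.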