
Converting Between the Various SSH Public and Private Key Formats

Date: 2023-05-05 05:52:44 Author: 3183

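The day before yesterday I was setting up an environment for a customer and unexpectedly lost a lot of time on generating SSH keys.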

Let's start with an experiment.

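First generate a key pair: the public key is /tmp/key.pub and the private key is /tmp/key. On the command line, -t is the key type and -b is the number of bits in the key; puttygen uses the same combination, i.e. RSA, 2048.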

```
$ ssh-keygen -t rsa -N "" -b 2048 -f /tmp/key
Generating public/private rsa key pair.
Your identification has been saved in /tmp/key.
Your public key has been saved in /tmp/key.pub.
The key fingerprint is:
SHA256:tEKCPeGEeACopFxSLc0gp2qRgcJlbd7nI85PQqKxZWg vagrant@ol7-vagrant
The key's randomart image is:
+---[RSA 2048]----+
|B=oBO |
|=+XB B |
|*=+ O o . |
|+.. .= o o |
|.. E +..S |
|. . * oo o |
| o o.... |
| oo |
| .. |
+----[SHA256]-----+
```

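The private key generated here is, by default, in the more compatible PEM format. With the -o option, the private key is generated in OpenSSH format instead.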

```
$ file /tmp/key
/tmp/key: PEM RSA private key
$ cat /tmp/key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ file /tmp/key.pub
/tmp/key.pub: OpenSSH RSA public key
$ cat /tmp/key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5 vagrant@ol7-vagrant
```

The PEM RSA private key generated here can be imported into puttygen to produce a private key in the PPK format used by PuTTY, as follows:

```
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx
9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWq
PSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBR
mB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebm
zy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2
JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
Private-Lines: ...
Private-MAC: dfd25e12c37694bbf51cdcd0dd71c8f77c0ae63d
```

By the way, PEM stands for Privacy Enhanced Mail and PPK stands for PuTTY Private Key. Both are private key formats. PEM is in fact a particular Base64 encoding.

Convert an OpenSSH public key to SSH2 format, i.e. RFC 4716 format:

```
$ ssh-keygen -e -f /tmp/key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by vagrant@ol7-vagrant from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC6
7KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyK
dJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxL
qvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZY
CI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vN
RAPD4nySOkox/B/hzhKLI5
---- END SSH2 PUBLIC KEY ----
```

Convert an SSH2 public key to PEM:

```
$ ssh-keygen -e -f /tmp/key > key.ssh2
$ ssh-keygen -i -f key.ssh2 > key.pem
$ cat key.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC67KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyKdJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxLqvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZYCI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vNRAPD4nySOkox/B/hzhKLI5
$ file key.pem
key.pem: OpenSSH RSA public key
```
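The OpenSSH one-line form and the RFC 4716 (SSH2) form wrap the same binary key blob, so a conversion can be checked by comparing the blob or its fingerprint. The following is an added example, not code from the original post; the function names are illustrative, and it assumes plain `type base64 comment` OpenSSH lines without authorized_keys options.

```python
import base64
import hashlib

# RFC 4716 output of `ssh-keygen -e -f /tmp/key`, copied from this page.
RFC4716 = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by vagrant@ol7-vagrant from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3ABrtn6s2HqGpsvQIV8LjPCNKhGfk+izx9w/YC6
7KN1ItlLoj1J3oqkT2JZ5itEOA2cTAIIKDmD5SZo+jWvtvOR9oKK+YWyWqPSdPsrFCjuyK
dJUivbRrDAAewjSF90olWz6y2ktpda2y9v2NNIE2AoYnxFZUZVBRmB8tlThtNvonw9SfxL
qvoBSRaluGEQXSkxBismKvcJXQHTJik1spkZEttHGZ4Ebmzy2CK2JY5RxQK3IkmBjuvmZY
CI7Y1I21PP1l5lxQDs/55mqt4JHw69aihnctxqF2JUmDW2eTG/so2sFuIM6B87OMrAy7vN
RAPD4nySOkox/B/hzhKLI5
---- END SSH2 PUBLIC KEY ----"""
# The same key as the one-line OpenSSH form found in /tmp/key.pub.
OPENSSH = "ssh-rsa " + "".join(RFC4716.splitlines()[2:-1]) + " vagrant@ol7-vagrant"

def read_fields(blob):
    """Split an SSH key blob into fields; each is a 4-byte big-endian length plus data."""
    fields, pos = [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        field = blob[pos + 4:pos + 4 + size]
        if pos + 4 > len(blob) or len(field) != size:
            raise ValueError("truncated key blob")
        fields.append(field)
        pos += 4 + size
    return fields

def public_blob(text):
    """Return the binary key blob from an OpenSSH one-line or RFC 4716 public key."""
    lines = text.strip().splitlines()
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----" and lines[-1] == "---- END SSH2 PUBLIC KEY ----":
        body, continued = [], False
        for line in lines[1:-1]:
            if continued or ":" in line:  # header line, or its backslash continuation
                continued = line.endswith("\\")
            else:
                body.append(line.strip())
        return base64.b64decode("".join(body), validate=True)
    key_type, b64 = lines[0].split()[:2]  # OpenSSH form: "type base64 [comment]"
    blob = base64.b64decode(b64, validate=True)
    if read_fields(blob)[0] != key_type.encode():
        raise ValueError("key type label does not match the blob")
    return blob

def fingerprint(text):
    """SHA256 fingerprint in the form ssh-keygen -l prints, for either public key format."""
    digest = hashlib.sha256(public_blob(text)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```

For an RSA key the blob fields are the type name, the public exponent and the modulus, in that order; `fingerprint()` returning the same value for both texts confirms that a conversion changed only the wrapper.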

Convert an OpenSSH public key to PEM format:

```
$ ssh-keygen -f /tmp/key.pub -e -m pem
```

Besides PEM, private keys also have an OpenSSH format. As the documentation describes:

-m key_format
    Specify a key format for key generation, the -i (import), -e (export) conversion options, and the -p change passphrase operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public keys for export the default format is “RFC4716”. Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.

The -p option can be used to convert between the PEM and OpenSSH formats.

```
# From OpenSSH to PEM
ssh-keygen -p -N "" -m pem -f /path/to/key
# From PEM to OpenSSH
ssh-keygen -p -N "" -f /path/to/key
```

To summarize, there are three private key formats: PEM, OpenSSH and PPK. There are two public key formats: OpenSSH and SSH2.

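For private keys, PPK is the format used by PuTTY, and conversion between it and the other formats is done with puttygen. puttygen can only import PEM, but it can convert to OpenSSH format. Conversion between PEM and OpenSSH is done with ssh-keygen -p.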

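For public keys, conversion among OpenSSH, SSH2 and PEM is done with ssh-keygen -e or -i. The public keys stored in ~/.ssh/authorized_keys are in OpenSSH format. The API Signing Key in OCI uses a public key in PKCS8 format, as follows: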

```
$ ssh-keygen -f /tmp/key.pub -e -m PKCS8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qbA9YzAhibGhHqLR4+k
9hEthtZkGMNw95AzEkmZ22q6sVAm0+EOS4iNPNxZkX1Dn9rDztn0n9pBGzet1V6Y
ul7q2wpael/YUk7MM+qGvBNp87RoXmZ17B3BVPAlVPol1q3PV4iWSuHs1RrY2HmJ
I2T4yZKcjtHOManI32Hl2Czo6upswUlZVeQ5pwI2g/wFjjyUwaRaB5CiKN8GjjNp
TKwdOt89GcOfZbo54f9yu9L/FbISGMfFi8DVdMHnLPgtpCvmpJ3aa5BvligMEOB2
5KT+DN7Eu+Bsbl2w3tkhvsa11AHVX+ZAdqPG40NAG7JtJouEvLYS17pI1kOVAO1v
pwIDAQAB
-----END PUBLIC KEY-----
```

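The problem at the customer's site that day came about because the public and private keys generated by Oracle's public cloud (OCI) are both in OpenSSH format. The private key therefore cannot be imported into puttygen directly; it has to be converted to PEM format first.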
