Just as when generating an ordinary OpenSSH key pair, generate a CA private key `ca` and its public key `ca.pub`. If `-P` is not given, ssh-keygen prompts for a passphrase (optional, but recommended).
```
➜ test ssh-keygen -f ca -P "Totoro-Test" -C "This is a test"
Generating public/private rsa key pair.
Your identification has been saved in ca
Your public key has been saved in ca.pub
The key fingerprint is:
SHA256:5DBKx...MDh5I This is a test
The key's randomart image is:
+---[RSA 3072]----+
...
```
Only the private key needs to be kept: the public key can be regenerated from the CA private key at any time.
```
➜ test cat ca.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCji+s1JRiUvhJVHyekdyi27T2Pi7/D/3QJfYkJ1cCuORV/7KkmfTm7Yp5OJqv3rqDUbd84OuDAIFyRV51ghQYdoWHQ/GC7KhJErhiMu0IuEIeuaeqlQFY8E475tTtN4kcrEvKvMgQBl5G1EPQC4bVmBhvlR2jWFo1O7HVdXmcLGpdHtaDpOG7T9UzOlFxQKuK/sXQ6+XTAX4aSnELM0+6Kr438hZxrkV67aosHbg0clWqqoSBw53WslxwNC/x+0kEf61aXyNiAOdhwQFAJSxSo+oanm2uMTkxm6twPzqjt3MfZm8swMb3IgGDKOrxHoqcxVysF+wSD3o4X1nGhbp4irQk/Wc7g3yCfsoDmNuPvmax6Dpg4Vz/i0NqnHadUEnrxStdA5679D7QV0YbjAJvcKQ8qS3yLpo+zMJIbBBGu5tA+yQ5owGGdFtwVyRoaw9t+zb6hp4hrTBdGq+gqJzsuoNOWFvS4+0m3v5/0ZEmsgGc6ZGz7sXx7zuD1BmTzcIU= This is a test
➜ test rm ca.pub
➜ test ssh-keygen -f ca -y
Enter passphrase:
ssh-rsa ... This is a test
```
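Before `ca.pub` is copied to any server or client, it is worth checking that the fingerprint of the key you are about to trust matches the one ssh-keygen printed at generation time. The following is an added example, not code from the original post: it decodes the `ca.pub` line shown above the way OpenSSH does (RFC 4253 wire format: string, mpint e, mpint n) and computes the SHA256 fingerprint exactly as `ssh-keygen -lf ca.pub` would, so the output can be compared with the `SHA256:5DBKx...MDh5I` shown earlier; the function names are this example's own.

```python
import base64
import hashlib
import struct

# The CA public key line exactly as `cat ca.pub` printed it on this page.
CA_PUB_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCji+s1JRiUvhJVHyekdyi27T2Pi7/D/3QJfYkJ1cCuORV/7Kkm"
    "fTm7Yp5OJqv3rqDUbd84OuDAIFyRV51ghQYdoWHQ/GC7KhJErhiMu0IuEIeuaeqlQFY8E475tTtN4kcr"
    "EvKvMgQBl5G1EPQC4bVmBhvlR2jWFo1O7HVdXmcLGpdHtaDpOG7T9UzOlFxQKuK/sXQ6+XTAX4aSnELM"
    "0+6Kr438hZxrkV67aosHbg0clWqqoSBw53WslxwNC/x+0kEf61aXyNiAOdhwQFAJSxSo+oanm2uMTkxm"
    "6twPzqjt3MfZm8swMb3IgGDKOrxHoqcxVysF+wSD3o4X1nGhbp4irQk/Wc7g3yCfsoDmNuPvmax6Dpg4"
    "Vz/i0NqnHadUEnrxStdA5679D7QV0YbjAJvcKQ8qS3yLpo+zMJIbBBGu5tA+yQ5owGGdFtwVyRoaw9t+"
    "zb6hp4hrTBdGq+gqJzsuoNOWFvS4+0m3v5/0ZEmsgGc6ZGz7sXx7zuD1BmTzcIU= This is a test"
)

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + length], off + 4 + length

def fingerprint(blob):
    """SHA256 fingerprint in the unpadded-base64 form that `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_rsa_pubkey(line):
    """Parse an authorized_keys-style ssh-rsa line into e, n, bit length, comment and fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    # RFC 4253 wire format of the blob: string "ssh-rsa", mpint e, mpint n.
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("blob type does not match the declared key type")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n = int.from_bytes(n_bytes, "big")  # the mpint's leading 0x00 sign byte does not change the value
    return {"e": int.from_bytes(e_bytes, "big"), "n": n, "bits": n.bit_length(),
            "comment": parts[2] if len(parts) == 3 else "", "fingerprint": fingerprint(blob)}

if __name__ == "__main__":
    info = parse_rsa_pubkey(CA_PUB_LINE)
    print(info["bits"], "bit RSA, e =", info["e"], "-", info["fingerprint"])  # compare with SHA256:5DBKx...MDh5I
```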
Sign the server's host public key with the CA private key.
```
➜ test sudo ssh-keygen -s ca -I "host test" -h /etc/ssh/ssh_host_rsa_key.pub
Enter passphrase:
Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "host test" serial 0 valid forever
```
Sign the user's public key with the CA private key. The procedure is the same as above, except that `-h` is omitted (the principals can be listed after `-n`).
```
➜ test ssh-keygen -s ca -I "client test" -n root,totoro id_rsa.pub
Enter passphrase:
Signed user key id_rsa-cert.pub: id "client test" serial 0 valid forever
```
On Windows, the integrated remote-management tool I use is MobaXterm, which I believe many people have used, and Windows also ships with its own OpenSSH.
A pleasant surprise: OpenSSH on Windows works almost exactly like it does on Linux:
```
PS C:\Users\totoro\Downloads> ssh-keygen -f ca -P "Totoro-Test" -C "This is a test"
Generating public/private rsa key pair.
Your identification has been saved in ca
Your public key has been saved in ca.pub
The key fingerprint is:
SHA256:5DBKx...MDh5I This is a test
The key's randomart image is:
+---[RSA 3072]----+
...
```
- Improvement: you can now select a custom log file name with several variables available
- Improvement: enhanced syntax highlighting speed, the terminal is now 16x faster when processing colored patterns
- Improvement: added basic SSH certificate support, you can now define a CA-signed OpenSSH user key in your SSH sessions
- Improvement: enhanced overall terminal rendering speed and decreased CPU consumption when refreshing, especially on High DPI monitors
- Improvement: better support for mouse "infinite scrolling mode" into terminals
- Improvement: decreased the SSH connection time, especially when using private keys with more than 2048 bits
- Improvement: support for ECDSA private keys with "aes-256-ctr" cipher in "OpenSSH_v2" format into SFTP sessions
- Improvement: support for RSA private keys with a passphrase in "OpenSSH_v2" format into SFTP sessions
- ...