文章目录

• 1.命令简介
• 2.命令格式
• 3.选项说明
• 4.常用示例
• 参考文献

1.命令简介

ssh-keygen 是 OpenSSH 身份验证密钥实用工具。

ssh-keygen 用于 OpenSSH 身份验证密钥的生成、管理和转换，它支持 RSA 和 DSA 两种认证密钥。

2.命令格式

ssh-keygen [OPTIONS] ...

3.选项说明

-b 指定密钥长度。
-e读取 OpenSSH 的私钥或者公钥文件。
-C添加注释。
-f 指定用来保存密钥的文件名。
-i读取未加密的 ssh-v2 兼容的私钥/公钥文件，然后在标准输出设备上显示 openssh 兼容的私钥/公钥。
-l显示公钥文件的指纹数据。
-N提供一个新密语。
-P 提供（旧）密语。
-q静默模式。
-t指定要创建的密钥类型。

4.常用示例

（1）创建一个默认密钥。

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lighthouse/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/lighthouse/.ssh/id_rsa.
Your public key has been saved in /home/lighthouse/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:c8jkpkXgRqqfelFHKxq956d+6qYzAR0kHgnaVs9gtYw lighthouse@VM-0-3-centos
The key's randomart image is:
+---[RSA 2048]----+
|  ..*+=          |
| o +.%.o.        |
|. o EoBoo.       |
| . .o.==o.       |
|  .  = +S .      |
|   .o.o+.o       |
|    o..+         |
|   .. o o o      |
|  ..  .B==       |
+----[SHA256]-----+

中途需要三次确认，全部缺省直接回车即可。在当前用户的家目录下，~/.ssh 目录下将会看到三个文件：

ls -l ~/.ssh
authorized_keys  id_rsa  id_rsa.pub

如果当前主机是 SSH 服务端，那么会有 authorized_keys，用来存放客户端机器的公钥。

id_rsa 为当前主机的私钥。

id_rsa.pub 为当前主机的公钥。

我们需要本地机器通过 SSH 访问远程服务器时为了减少输入密码的步骤，基本上都会在本地机器生成 SSH 公钥，然后将本地 SSH 公钥复制到远程服务器的 .ssh/authorized_keys 中，这样就可以免密登录了。

如果当前主机为客户端，你可能还会在 ~/.ssh 目录下看到 known_hosts 文件，该文件用来记录连接过的远程主机。如果是首次连接某个远程主机，那么会有安全提示，是否继续连接。

（2）指定要创建的密钥类型，缺省为 RSA。

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nTaoqOxlG6IQQ2zDTMvSk2EON+4tLrYqPy7IBrstoy4 root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|..=              |
|*B.+             |
|.X*              |
|+..o     o .     |
|o o .   S =      |
|.+ . . . . .     |
|*oo = .          |
|EBo= o           |
|%@B..            |
+----[SHA256]-----+

（3）指定密钥的类型并添加注释。

ssh-keygen -t rsa -C "dablelv@qq.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Wx3MWwj36fwhcnb6hjdIIJ3SUggCLcmFq62Earqy2E0 deng@qq.com
The key's randomart image is:
+---[RSA 2048]----+
|  ..*o .. o .    |
|   = ..  . * o . |
|    o     + * +  |
|   .     + * *   |
|. o     S =.++oo |
|.o .     o  +.+..|
|o . E   .   ..o .|
|++ o         o.+ |
|Oo. .         o..|
+----[SHA256]-----+

（4）读取 OpenSSH 的私钥或者公钥文件。

ssh-keygen -e
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by lighthouse@VM-0-3-centos from Ope"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDb1aKBbvfSefnuzLfhNKlIa4zsbBFG+m7ugZbeBW
RwJXONhSq/AW27+Tq9zDtI6qG+UxmjIorVHbAVl4llVZz8e5b/s5I0yiBoLy/RokpvisNB
kVkWl2oNGtkdHxTSYcJ3jdbTZ+ya6MyOiaMt24jV+zxxS1BXWxA14kS/JqiMC7lx9Vu0Ed
AHY0zq2dj+pX31FB7Xs7p98eO+Est6msCGIInIpzGTlTskL6m7B+aMBaquWlEyQAmRX5G8
YoOFw+aDT4q1aaaaBkFdcy/nhHPpbfM8eIzbAv+khHRjZV8XQCo+UeHzme8nmfWDCWwKZ8
TnpO239diTdl2Wps2YCMex
---- END SSH2 PUBLIC KEY ----

（5）安静模式生成密钥对。

ssh-keygen -q -t rsa
Enter file in which to save the key (/home/lighthouse/.ssh/id_rsa): 
/home/lighthouse/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

参考文献

ssh-keygen(1) — Linux manual page - man7.org
一文读懂authorized_keys和known_hosts_游语的博客-CSDN博客