
git generate ssh key

Check the .ssh folder
1. Check whether a key has already been generated under the .ssh path.
ls -al ~/.ssh
2. If the folder does not exist, create it.
mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh

Generate an SSH key
1. Generate the key with the command below.
ssh-keygen -t rsa -b 4096 -C "yourEmail@example.com" -f <filename.pem>
When the following prompt appears, enter the passphrase that will be required whenever the key is used. If you do not want a passphrase, just press Enter.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
2. When a message like the following appears, the key has been generated. (The paths shown are the defaults for a key created without -f; with -f, the files are named after its argument.)
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qYWyFlIUh/DxwRyzRj961ymIFyhgKchwpAy10YJcIIm your_email@example.com
The key's randomart image is:
+---[RSA 4096]----+
| =+. . o |
| +.= E = . |
| o + * * . |
| . * * o |
| .. o=..S+ |
|o .o =+.o |
| *. o... . |
|o=+..o |
|=o+++.o. |
+----[SHA256]-----+
3. If you set a passphrase by mistake, you can change it with the command below.
ssh-keygen -p
4. You can confirm that the following files have been created.
authorized_keys - stores the contents of public keys (id_rsa.pub) that are allowed to log in.
id_rsa - the private key; it must never be exposed to anyone else. It stays on your own machine, and only this private key can decrypt messages that were encrypted with the matching public key.
id_rsa.pub - the public key; it is comparatively safe even if disclosed. Messages are encrypted with the public key before being sent, and the public key cannot decrypt them. It is added to authorized_keys on the remote machine you want to connect to.
5. Start ssh-agent and confirm it is running.
eval "$(ssh-agent -s)"
# If you see the following, it worked.
# Agent pid 26191
6. Register the SSH key with ssh-agent.
ssh-add ~/.ssh/id_rsa
# Enter passphrase for /root/.ssh/id_rsa:
# Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
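As an added example (not code from the original page or from OpenSSH), the Python below parses the id_rsa.pub / authorized_keys line format described above, computes the SHA256 and MD5 fingerprints the way ssh-keygen -l and ssh-keygen -l -E md5 print them, and flags entries that fall below the man page's key-size guidance. Every key in it is constructed sample data, and names such as check_key_line are this example's own.

```python
# Added example (not from the page): parse OpenSSH public-key lines (id_rsa.pub /
# authorized_keys format) and compute the fingerprints `ssh-keygen -l` prints. Stdlib only.
from __future__ import annotations

import base64
import hashlib
import struct


def _wire_string(data: bytes) -> bytes:
    """SSH wire 'string' (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _wire_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian with a 0x00 pad byte when the top bit is set."""
    return _wire_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_public_key(key_type: str, fields: list, comment: str = "") -> str:
    """Build a '<type> <base64 blob> [comment]' line (ints -> mpint, bytes -> string).
    Only used here to construct sample input for the parser."""
    blob = _wire_string(key_type.encode())
    for f in fields:
        blob += _wire_mpint(f) if isinstance(f, int) else _wire_string(f)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def _unpack_strings(blob: bytes) -> list[bytes]:
    """Split a blob into its wire strings, rejecting truncated or oversized fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field length exceeds blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """ssh-keygen notation: 'SHA256:' + unpadded base64, or 'MD5:' + hex pairs (-E md5)."""
    if hash_alg == "sha256":
        return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if hash_alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported fingerprint hash: {hash_alg}")


def _key_bits(key_type: str, fields: list[bytes]) -> int | None:
    """Key size as `ssh-keygen -l` reports it; the blob layout depends on the type."""
    if key_type == "ssh-rsa" and len(fields) == 3:          # [type, e, n]
        return int.from_bytes(fields[2], "big").bit_length()
    if key_type == "ssh-dss" and len(fields) == 5:          # [type, p, q, g, y]
        return int.from_bytes(fields[1], "big").bit_length()
    if key_type in ("ssh-ed25519", "sk-ssh-ed25519@openssh.com"):
        return 256
    if key_type.startswith(("ecdsa-sha2-nistp", "sk-ecdsa-sha2-nistp")) and len(fields) >= 3:
        return int(fields[1].decode("ascii")[len("nistp"):])  # curve name, e.g. nistp256
    return None


def parse_public_key(line: str) -> dict:
    """Parse one line and cross-check the declared type against the type inside the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    fields = _unpack_strings(blob)
    if not fields or fields[0].decode("ascii", "replace") != declared:
        raise ValueError(f"key type mismatch or empty blob for {declared!r}")
    return {"type": declared, "comment": comment, "bits": _key_bits(declared, fields),
            "sha256": fingerprint(blob, "sha256"), "md5": fingerprint(blob, "md5")}


def check_key_line(line: str, min_rsa_bits: int = 3072) -> list[str]:
    """Policy findings for one authorized_keys entry, using the man page's numbers:
    RSA below the 3072-bit default is flagged, as is DSA (fixed at 1024 bits)."""
    try:
        info = parse_public_key(line)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"unparseable entry: {exc}"]
    findings = []
    if info["type"] == "ssh-dss":
        findings.append(f"{info['sha256']} ({info['comment']}): DSA key, 1024-bit only")
    elif info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        findings.append(f"{info['sha256']} ({info['comment']}): RSA {info['bits']} bits < {min_rsa_bits}")
    return findings


# Constructed sample keys (not real key material): a fixed-point Ed25519 key,
# a 4096-bit RSA key, and a 1024-bit RSA key that should be flagged.
SAMPLE_ED25519 = encode_public_key("ssh-ed25519", [bytes(range(32))], "user@laptop")
SAMPLE_RSA4096 = encode_public_key("ssh-rsa", [65537, (1 << 4095) | 1], "user@build")
SAMPLE_RSA1024 = encode_public_key("ssh-rsa", [65537, (1 << 1023) | 1], "legacy@ci")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA4096, SAMPLE_RSA1024):
        info = parse_public_key(sample)
        print(info["bits"], info["sha256"], info["comment"], *check_key_line(sample))
```

Pointing check_key_line at each line of a real authorized_keys file gives the same SHA256 values that ssh-keygen -lf prints, which makes it a convenient cross-check when auditing which keys are allowed to log in.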
The ssh-keygen command
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-O option] [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w provider] [-Z cipher]
ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase] [-Z cipher]
ssh-keygen -i [-f input_keyfile] [-m key_format]
ssh-keygen -e [-f input_keyfile] [-m key_format]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-lv] [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -K [-a rounds] [-w provider]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-g] [-f input_keyfile]
ssh-keygen -M generate [-O option] output_file
ssh-keygen -M screen [-f input_file] [-O option] output_file
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ...
ssh-keygen -L [-f input_keyfile]
ssh-keygen -A [-a rounds] [-f prefix_path]
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
ssh-keygen -Q [-l] -f krl_file file ...
ssh-keygen -Y find-principals [-O option] -s signature_file -f allowed_signers_file
ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file
ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file
ssh-keygen -Y sign [-O option] -f key_file -n namespace file ...
ssh-keygen -Y verify [-O option] -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]
The options are as follows:

-A    Generate host keys of all default key types (rsa, ecdsa, and ed25519) if they do not already exist. The host keys are generated with the default key file path, an empty passphrase, default bits for the key type, and default comment. If -f has also been specified, its argument is used as a prefix to the default path for the resulting host key files. This is used by /etc/rc to generate new host keys.

-a rounds    When saving a private key, this option specifies the number of KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). The default is 16 rounds.

-B    Show the bubblebabble digest of specified private or public key file.

-b bits    Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.

-C comment    Provides a new comment.

-c    Requests changing the comment in the private and public key files. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment.

-D pkcs11    Download the public keys provided by the PKCS#11 shared library pkcs11. When used in combination with -s, this option indicates that a CA key resides in a PKCS#11 token (see the CERTIFICATES section for details).

-E fingerprint_hash    Specifies the hash algorithm used when displaying key fingerprints. Valid options are: “md5” and “sha256”. The default is “sha256”.

-e    This option will read a private or public OpenSSH key file and print to stdout a public key in one of the formats specified by the -m option. The default export format is “RFC4716”. This option allows exporting OpenSSH keys for use by other programs, including several commercial SSH implementations.

-F hostname | [hostname]:port    Search for the specified hostname (with optional port number) in a known_hosts file, listing any occurrences found. This option is useful to find hashed host names or addresses and may also be used in conjunction with the -H option to print found keys in a hashed format.

-f filename    Specifies the filename of the key file.

-g    Use generic DNS format when printing fingerprint resource records using the -r command.

-H    Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names.

-h    When signing a key, create a host certificate instead of a user certificate. See the CERTIFICATES section for details.

-I certificate_identity    Specify the key identity when signing a public key. See the CERTIFICATES section for details.

-i    This option will read an unencrypted private (or public) key file in the format specified by the -m option and print an OpenSSH compatible private (or public) key to stdout. This option allows importing keys from other software, including several commercial SSH implementations. The default import format is “RFC4716”.

-K    Download resident keys from a FIDO authenticator. Public and private key files will be written to the current directory for each downloaded key. If multiple FIDO authenticators are attached, keys will be downloaded from the first touched authenticator. See the FIDO AUTHENTICATOR section for more information.

-k    Generate a KRL file. In this mode, ssh-keygen will generate a KRL file at the location specified via the -f flag that revokes every key or certificate presented on the command line. Keys/certificates to be revoked may be specified by public key file or using the format described in the KEY REVOCATION LISTS section.

-L    Prints the contents of one or more certificates.

-l    Show fingerprint of specified public key file. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. If combined with -v, a visual ASCII art representation of the key is supplied with the fingerprint.

-M generate    Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for eventual use by the ‘diffie-hellman-group-exchange-*’ key exchange methods. The numbers generated by this operation must be further screened before use. See the MODULI GENERATION section for more information.

-M screen    Screen candidate parameters for Diffie-Hellman Group Exchange. This will accept a list of candidate numbers and test that they are safe (Sophie Germain) primes with acceptable group generators. The results of this operation may be added to the /etc/moduli file. See the MODULI GENERATION section for more information.

-m key_format    Specify a key format for key generation, the -i (import), -e (export) conversion options, and the -p change passphrase operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public keys for export the default format is “RFC4716”. Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.

-N new_passphrase    Provides the new passphrase.

-n principals    Specify one or more principals (user or host names) to be included in a certificate when signing a key. Multiple principals may be specified, separated by commas. See the CERTIFICATES section for details.

-O option    Specify a key/value option. These are specific to the operation that ssh-keygen has been requested to perform. When signing certificates, one of the options listed in the CERTIFICATES section may be specified here. When performing moduli generation or screening, one of the options listed in the MODULI GENERATION section may be specified. When generating FIDO authenticator-backed keys, the options listed in the FIDO AUTHENTICATOR section may be specified. When performing signature-related options using the -Y flag, the following options are accepted:
    hashalg=algorithm    Selects the hash algorithm to use for hashing the message to be signed. Valid algorithms are “sha256” and “sha512.” The default is “sha512.”
    print-pubkey    Print the full public key to standard output after signature verification.
    verify-time=timestamp    Specifies a time to use when validating signatures instead of the current time. The time may be specified as a date or time in the YYYYMMDD[Z] or in YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted in the current system time zone unless suffixed with a Z character, which causes them to be interpreted in the UTC time zone.
    The -O option may be specified multiple times.

-P passphrase    Provides the (old) passphrase.

-p    Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase.

-Q    Test whether keys have been revoked in a KRL. If the -l option is also specified then the contents of the KRL will be printed.

-q    Silence ssh-keygen.

-R hostname | [hostname]:port    Removes all keys belonging to the specified hostname (with optional port number) from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

-r hostname    Print the SSHFP fingerprint resource record named hostname for the specified public key file.

-s ca_key    Certify (sign) a public key using the specified CA key. See the CERTIFICATES section for details. When generating a KRL, -s specifies a path to a CA public key file used to revoke certificates directly by key ID or serial number. See the KEY REVOCATION LISTS section for details.

-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa    Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”. This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).

-U    When used in combination with -s or -Y sign, this option indicates that a CA key resides in a ssh-agent(1). See the CERTIFICATES section for more information.

-u    Update a KRL. When specified with -k, keys listed via the command line are added to the existing KRL rather than a new KRL being created.

-V validity_interval    Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval. The start time may be specified as:
    • The string “always” to indicate the certificate has no specified start time.
    • A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
    • A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
    • A relative time before the current system time consisting of a minus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
    • A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.
    The end time may be specified similarly to the start time:
    • The string “forever” to indicate the certificate has no specified end time.
    • A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
    • A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
    • A relative time after the current system time consisting of a plus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
    • A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.
    For example:
    +52w1d    Valid from now to 52 weeks and one day from now.
    -4w:+4w    Valid from four weeks ago to four weeks from now.
    20100101123000:20110101123000    Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011.
    20100101123000Z:20110101123000Z    Similar, but interpreted in the UTC time zone rather than the system time zone.
    -1d:20110101    Valid from yesterday to midnight, January 1st, 2011.
    0x1:0x2000000000    Valid from roughly early 1970 to May 2033.
    -1m:forever    Valid from one minute ago and never expiring.

-v    Verbose mode. Causes ssh-keygen to print debugging messages about its progress. This is helpful for debugging moduli generation. Multiple -v options increase the verbosity. The maximum is 3.

-w provider    Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support.

-Y find-principals    Find the principal(s) associated with the public key of a signature, provided using the -s flag in an authorized signers file provided using the -f flag. The format of the allowed signers file is documented in the ALLOWED SIGNERS section below. If one or more matching principals are found, they are returned on standard output.

-Y match-principals    Find principal matching the principal name provided using the -I flag in the authorized signers file specified using the -f flag. If one or more matching principals are found, they are returned on standard output.

-Y check-novalidate    Checks that a signature generated using ssh-keygen -Y sign has a valid structure. This does not validate if a signature comes from an authorized signer. When testing a signature, ssh-keygen accepts a message on standard input and a signature namespace using -n. A file containing the corresponding signature must also be supplied using the -s flag. Successful testing of the signature is signalled by ssh-keygen returning a zero exit status.

-Y sign    Cryptographically sign a file or some data using a SSH key. When signing, ssh-keygen accepts zero or more files to sign on the command-line - if no files are specified then ssh-keygen will sign data presented on standard input. Signatures are written to the path of the input file with “.sig” appended, or to standard output if the message to be signed was read from standard input. The key used for signing is specified using the -f option and may refer to either a private key, or a public key with the private half available via ssh-agent(1). An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.

-Y verify    Request to verify a signature generated using ssh-keygen -Y sign as described above. When verifying a signature, ssh-keygen accepts a message on standard input and a signature namespace using -n. A file containing the corresponding signature must also be supplied using the -s flag, along with the identity of the signer using -I and a list of allowed signers via the -f flag. The format of the allowed signers file is documented in the ALLOWED SIGNERS section below. A file containing revoked keys can be passed using the -r flag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by ssh-keygen returning a zero exit status.

-y    This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

-Z cipher    Specifies the cipher to use for encryption when writing an OpenSSH-format private key file. The list of available ciphers may be obtained using "ssh -Q cipher". The default is “aes256-ctr”.

-z serial_number    Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If the serial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero. When generating a KRL, the -z flag is used to specify a KRL version number.
ssh 폴더 확인하기
1.
.ssh 경로에서 생성해 놓은 키가 있는지 확인한다.
ls -al ~/.ssh
2.
폴더가 없는경우 생성해주면 된다.
mkdir ~/.ssh chmod 700 ~/.ssh cd ~/.ssh
ssh 키 생성하기
1.
아래의 명령어를 입력하여 생성해준다.
ssh-keygen -t rsa -b 4096 -C "yourEmail@example.com" -f <filename.pem>
다음 문구가 나오면, 키를 사용할때 쓸 비밀번호를 입력한다. 만약 비밀번호를 쓰기 싫다면 엔터를 친다.
Enter passphrase (empty for no passphrase): Enter same passphrase again:
1.
아래와 같이 문구가 뜨면 생성된 것이다.
Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:qYWyFlIUh/DxwRyzRj961ymIFyhgKchwpAy10YJcIIm your_email@example.com The key's randomart image is: +---[RSA 4096]----+ | =+. . o | | +.= E = . | | o + * * . | | . * * o | | .. o=..S+ | |o .o =+.o | | *. o... . | |o=+..o | |=o+++.o. | +----[SHA256]-----+
1.
실수로 비밀번호를 생성한 경우 아래의 명령어를 통해서 다시 설정해 줄 수 있다.
ssh-keygen -p
1.
아래의 파일들이 생성된 것을 확인할 수 있다.
authorized_keys - id_rsa.pub 키의 값을 저장 한다.
id_rsa - 개인키, 타인에게 노출되면 안되는 private key 이다. 본인의 컴퓨터 내부에 저장하게 되어 있으며, 이 Private Key를 통해 암호화된 메시지를 복호화 할 수 있다.
id_rsa.pub - public key, 공개되어도 비교적 안전한 Key이다. Public Key를 통해 메시지를 전송하기 전 암호화를 하게 된다. - Public Key로는 복호화는 불가능 하다. - 접속하려는 Remote Machine의 authorized_keys에 입력하여 사용한다.
2.
ssh 생성 여부 확인하기.
eval "$(ssh-agent -s)" # 다음과 같이 뜬다면 잘 된 것이다. # Agent pid 26191
3.
ssh-agent에 ssh-key 등록하기.
ssh-add ~/.ssh/id_rsa # Enter passphrase for /root/.ssh/id_rsa: # Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
ssh-keygen 명령어
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-O option] [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w provider] [-Z cipher] ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase] [-Z cipher] ssh-keygen -i [-f input_keyfile] [-m key_format] ssh-keygen -e [-f input_keyfile] [-m key_format] ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase] ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] ssh-keygen -B [-f input_keyfile] ssh-keygen -D pkcs11 ssh-keygen -F hostname [-lv] [-f known_hosts_file] ssh-keygen -H [-f known_hosts_file] ssh-keygen -K [-a rounds] [-w provider] ssh-keygen -R hostname [-f known_hosts_file] ssh-keygen -r hostname [-g] [-f input_keyfile] ssh-keygen -M generate [-O option] output_file ssh-keygen -M screen [-f input_file] [-O option] output_file ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ... ssh-keygen -L [-f input_keyfile] ssh-keygen -A [-a rounds] [-f prefix_path] ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... ssh-keygen -Q [-l] -f krl_file file ... ssh-keygen -Y find-principals [-O option] -s signature_file -f allowed_signers_file ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file ssh-keygen -Y sign [-O option] -f key_file -n namespace file ... ssh-keygen -Y verify [-O option] -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]
The options are as follows: -A Generate host keys of all default key types (rsa, ecdsa, and ed25519) if they do not already exist. The host keys are generated with the default key file path, an empty passphrase, default bits for the key type, and default comment. If-fhas also been specified, its argument is used as a prefix to the default path for the resulting host key files. This is used by/etc/rc to generate new host keys. -a rounds When saving a private key, this option specifies the number of KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). The default is 16 rounds. -B Show the bubblebabble digest of specified private or public key file. -b bits Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the-bflag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the-b flag will be ignored. -C comment Provides a new comment. -c Requests changing the comment in the private and public key files. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment. -D pkcs11 Download the public keys provided by the PKCS#11 shared librarypkcs11. When used in combination with-s, this option indicates that a CA key resides in a PKCS#11 token (see theCERTIFICATES section for details). -E fingerprint_hash Specifies the hash algorithm used when displaying key fingerprints. Valid options are: “md5” and “sha256”. The default is “sha256”. 
-e This option will read a private or public OpenSSH key file and print to stdout a public key in one of the formats specified by the-moption. The default export format is “RFC4716”. This option allows exporting OpenSSH keys for use by other programs, including several commercial SSH implementations. -F hostname |[hostname]:port Search for the specifiedhostname (with optional port number) in aknown_hosts file, listing any occurrences found. This option is useful to find hashed host names or addresses and may also be used in conjunction with the-H option to print found keys in a hashed format. -f filename Specifies the filename of the key file. -g Use generic DNS format when printing fingerprint resource records using the-rcommand. -HH ash aknown_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally bysshandsshd, but they do not reveal identifying information should the file's contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names. -h When signing a key, create a host certificate instead of a user certificate. See theCERTIFICATES section for details. -I certificate_identity Specify the key identity when signing a public key. See theCERTIFICATES section for details. -i This option will read an unencrypted private (or public) key file in the format specified by the-moption and print an OpenSSH compatible private (or public) key to stdout. This option allows importing keys from other software, including several commercial SSH implementations. The default import format is “RFC4716”. -K Download resident keys from a FIDO authenticator. Public and private key files will be written to the current directory for each downloaded key. 
If multiple FIDO authenticators are attached, keys will be downloaded from the first touched authenticator. See theFIDOAUTHENTICATOR section for more information. -k Generate a KRL file. In this mode,ssh-keygenwill generate a KRL file at the location specified via the-f flag that revokes every key or certificate presented on the command line. Keys/certificates to be revoked may be specified by public key file or using the format described in theKEY REVOCATION LISTS section. -L Prints the contents of one or more certificates. -l Show fingerprint of specified public key file. For RSA and DSA keysssh-keygentries to find the matching public key file and prints its fingerprint. If combined with-v, a visual ASCII art representation of the key is supplied with the fingerprint. -M generate Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for eventual use by the ‘diffie-hellman-group-exchange-*’ key exchange methods. The numbers generated by this operation must be further screened before use. See theMODULI GENERATION section for more information. -M screen Screen candidate parameters for Diffie-Hellman Group Exchange. This will accept a list of candidate numbers and test that they are safe (Sophie Germain) primes with acceptable group generators. The results of this operation may be added to the/etc/moduli file. See theMODULIGENERATION section for more information. -m key_format Specify a key format for key generation, the-i(import), -e (export) conversion options, and the-pchange passphrase operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public keys for export the default format is “RFC4716”. 
Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format. -N new_passphrase Provides the new passphrase. -n principals Specify one or more principals (user or host names) to be included in a certificate when signing a key. Multiple principals may be specified, separated by commas. See the CERTIFICATES section for details. -O option Specify a key/value option. These are specific to the operation thatssh-keygenhas been requested to perform. When signing certificates, one of the options listed in the CERTIFICATES section may be specified here. When performing moduli generation or screening, one of the options listed in theMODULI GENERATION section may be specified. When generating FIDO authenticator-backed keys, the options listed in theFIDO AUTHENTICATOR section may be specified. When performing signature-related options using the-Y flag, the following options are accepted: hashalg=algorithm Selects the hash algorithm to use for hashing the message to be signed. Valid algorithms are “sha256” and “sha512.” The default is “sha512.” print-pubkey Print the full public key to standard output after signature verification. verify-time=timestamp Specifies a time to use when validating signatures instead of the current time. The time may be specified as a date or time in the YYYYMMDD[Z] or in YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted in the current system time zone unless suffixed with a Z character, which causes them to be interpreted in the UTC time zone. The-Ooption may be specified multiple times. -P passphrase Provides the (old) passphrase. -p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. -Q Test whether keys have been revoked in a KRL. 
If the -l option is also specified then the contents of the KRL will be printed.

-q
Silences ssh-keygen.

-R hostname | [hostname]:port
Removes all keys belonging to the specified hostname (with optional port number) from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

-r hostname
Print the SSHFP fingerprint resource record named hostname for the specified public key file.

-s ca_key
Certify (sign) a public key using the specified CA key. See the CERTIFICATES section for details. When generating a KRL, -s specifies a path to a CA public key file used to revoke certificates directly by key ID or serial number. See the KEY REVOCATION LISTS section for details.

-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”. This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).

-U
When used in combination with -s or -Y sign, this option indicates that a CA key resides in a ssh-agent(1). See the CERTIFICATES section for more information.

-u
Update a KRL. When specified with -k, keys listed via the command line are added to the existing KRL rather than a new KRL being created.

-V validity_interval
Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval.
The start time may be specified as:
• The string “always” to indicate the certificate has no specified start time.
• A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
• A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
• A relative time before the current system time consisting of a minus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
• A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.
The end time may be specified similarly to the start time:
• The string “forever” to indicate the certificate has no specified end time.
• A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
• A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
• A relative time after the current system time consisting of a plus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
• A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.
For example:
    +52w1d                           Valid from now to 52 weeks and one day from now.
    -4w:+4w                          Valid from four weeks ago to four weeks from now.
    20100101123000:20110101123000    Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011.
    20100101123000Z:20110101123000Z  Similar, but interpreted in the UTC time zone rather than the system time zone.
    -1d:20110101                     Valid from yesterday to midnight, January 1st, 2011.
    0x1:0x2000000000                 Valid from roughly early 1970 to May 2033.
    -1m:forever                      Valid from one minute ago and never expiring.

-v
Verbose mode. Causes ssh-keygen to print debugging messages about its progress. This is helpful for debugging moduli generation. Multiple -v options increase the verbosity. The maximum is 3.

-w provider
Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support.

-Y find-principals
Find the principal(s) associated with the public key of a signature, provided using the -s flag in an authorized signers file provided using the -f flag. The format of the allowed signers file is documented in the ALLOWED SIGNERS section below. If one or more matching principals are found, they are returned on standard output.

-Y match-principals
Find principal matching the principal name provided using the -I flag in the authorized signers file specified using the -f flag. If one or more matching principals are found, they are returned on standard output.

-Y check-novalidate
Checks that a signature generated using ssh-keygen -Y sign has a valid structure. This does not validate if a signature comes from an authorized signer. When testing a signature, ssh-keygen accepts a message on standard input and a signature namespace using -n. A file containing the corresponding signature must also be supplied using the -s flag. Successful testing of the signature is signalled by ssh-keygen returning a zero exit status.

-Y sign
Cryptographically sign a file or some data using an SSH key. When signing, ssh-keygen accepts zero or more files to sign on the command-line; if no files are specified then ssh-keygen will sign data presented on standard input. Signatures are written to the path of the input file with “.sig” appended, or to standard output if the message to be signed was read from standard input. The key used for signing is specified using the -f option and may refer to either a private key, or a public key with the private half available via ssh-agent(1). An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.

-Y verify
Request to verify a signature generated using ssh-keygen -Y sign as described above. When verifying a signature, ssh-keygen accepts a message on standard input and a signature namespace using -n. A file containing the corresponding signature must also be supplied using the -s flag, along with the identity of the signer using -I and a list of allowed signers via the -f flag. The format of the allowed signers file is documented in the ALLOWED SIGNERS section below. A file containing revoked keys can be passed using the -r flag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by ssh-keygen returning a zero exit status.

-y
This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

-Z cipher
Specifies the cipher to use for encryption when writing an OpenSSH-format private key file. The list of available ciphers may be obtained using "ssh -Q cipher". The default is “aes256-ctr”.

-z serial_number
Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If the serial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero. When generating a KRL, the -z flag is used to specify a KRL version number.
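The -s, -I, -n, -V and -z options above, together with -L, -k and -Q, describe one workflow: a CA issues a user certificate with a bounded validity interval and a serial number, and can later revoke that certificate by serial through a KRL. The script below walks through that workflow end to end. It is an added example, not code from the original page or from the OpenSSH project; it needs a local ssh-keygen, and the CA comment, the key identity alice-laptop, the principals alice and deploy and serial 42 are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page or the OpenSSH project):
# issue a user certificate with ssh-keygen -s, inspect it with -L,
# then revoke it by serial number in a KRL and check it with -Q.
# Needs a local ssh-keygen. All names below (CA comment, key identity
# "alice-laptop", principals "alice,deploy", serial 42) are constructed.

demo_ssh_certificate() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d) || return 1
    status=1

    # CA key pair and the user's key pair: Ed25519, empty passphrase, quiet.
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$work/ca" &&
    ssh-keygen -q -t ed25519 -N '' -C alice@example.com -f "$work/alice" &&

    # Sign alice.pub with the CA key:
    #   -I  key identity (shows up in sshd logs when the cert is used)
    #   -n  principals (user names) the certificate is valid for
    #   -V  valid from one minute ago (tolerates clock skew) to 52 weeks + 1 day
    #   -z  serial number, the handle used later for revocation
    # The certificate is written next to the input as alice-cert.pub.
    ssh-keygen -q -s "$work/ca" -I alice-laptop -n alice,deploy \
        -V -1m:+52w1d -z 42 "$work/alice.pub" &&
    [ -s "$work/alice-cert.pub" ] &&

    # -L decodes the certificate; confirm the fields we set are in it.
    cert=$(ssh-keygen -L -f "$work/alice-cert.pub") &&
    printf '%s\n' "$cert" | grep -q 'Key ID: "alice-laptop"' &&
    printf '%s\n' "$cert" | grep -q 'Serial: 42' &&
    printf '%s\n' "$cert" | grep -q 'Valid: from ' &&
    printf '%s\n' "$cert" | grep -q '^ *deploy$' &&

    # Revoke by serial: a KRL spec file with "serial: 42". Revoking by serial
    # or key ID needs the CA public key via -s, as the -s description says.
    printf 'serial: 42\n' > "$work/revoke.txt" &&
    ssh-keygen -q -k -f "$work/ca.krl" -s "$work/ca.pub" "$work/revoke.txt" &&

    # -Q exits non-zero when a listed key or certificate is revoked,
    # so the negation is what we expect to succeed here.
    ! ssh-keygen -Q -f "$work/ca.krl" "$work/alice-cert.pub" >/dev/null &&
    status=0

    rm -rf "$work"
    return $status
}
```

Backdating the start of the validity interval by a minute (-1m) is a common choice because sshd compares the certificate's times against its own clock; a certificate that starts exactly "now" can be rejected by a host whose clock runs a few seconds behind the CA's.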
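The -Y sign, -Y verify and -Y find-principals descriptions above fit together into a detached-signature workflow: sign a file in a namespace, list the signer in an allowed_signers file, then verify the message from standard input. The script below does exactly that and also shows the two failures the -n flag and the signature are meant to catch: the same signature presented under a different namespace, and a modified message. It is an added example, not code from the original page or from the OpenSSH project; it needs a local ssh-keygen (OpenSSH 8.2 or newer for find-principals), and the signer identity alice@example.com and the message contents are constructed. The allowed_signers line format is taken from the ALLOWED SIGNERS section of ssh-keygen(1), which the text refers to but which is not reproduced on this page.

```shell
#!/bin/sh
# Added example (not from the original page or the OpenSSH project):
# detached file signatures with ssh-keygen -Y sign, verified against an
# allowed_signers file with -Y verify, plus -Y find-principals.
# Needs a local ssh-keygen (8.2 or newer for find-principals). The
# signer identity alice@example.com and the message are constructed.

demo_ssh_sign_verify() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d) || return 1
    status=1

    # Signing key with no passphrase so the demo runs unattended.
    ssh-keygen -q -t ed25519 -N '' -C alice@example.com -f "$work/signer" &&

    # allowed_signers (ALLOWED SIGNERS format of ssh-keygen(1)): one line per
    # signer, "principal [options] keytype base64-key". namespaces="file"
    # restricts this key to the "file" namespace only.
    printf 'alice@example.com namespaces="file" %s\n' \
        "$(cut -d' ' -f1,2 "$work/signer.pub")" > "$work/allowed_signers" &&
    printf 'release 1.2.3 (constructed message)\n' > "$work/message.txt" &&

    # Sign in the "file" namespace; the signature lands in message.txt.sig.
    ssh-keygen -q -Y sign -f "$work/signer" -n file "$work/message.txt" &&
    [ -s "$work/message.txt.sig" ] &&

    # Verify: message on stdin, signature via -s, claimed signer via -I.
    ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com \
        -n file -s "$work/message.txt.sig" < "$work/message.txt" >/dev/null &&

    # The same signature presented under the "email" namespace must fail:
    # this is the cross-domain confusion the -n flag exists to prevent.
    ! ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com \
        -n email -s "$work/message.txt.sig" < "$work/message.txt" >/dev/null 2>&1 &&

    # A modified message must fail too.
    ! printf 'release 1.2.4 (constructed message)\n' | ssh-keygen -Y verify \
        -f "$work/allowed_signers" -I alice@example.com -n file \
        -s "$work/message.txt.sig" >/dev/null 2>&1 &&

    # Who signed this? Only -s and -f are needed; no identity is claimed.
    [ "$(ssh-keygen -Y find-principals -s "$work/message.txt.sig" \
        -f "$work/allowed_signers")" = "alice@example.com" ] &&
    status=0

    rm -rf "$work"
    return $status
}
```

The namespaces="file" restriction in allowed_signers is defence in depth: even if a signer reuses one key for several purposes, the verifier will only accept that key's signatures in the namespaces the file grants it.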
A file containing the corresponding signature must also be supplied using the-s flag, along with the identity of the signer using-Iand a list of allowed signers via the-fflag. The format of the allowed signers file is documented in theALLOWED SIGNERS section below. A file containing revoked keys can be passed using the-rflag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by ssh-keygenreturning a zero exit status. -y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. -Z cipher Specifies the cipher to use for encryption when writing an OpenSSH-format private key file. The list of available ciphers may be obtained using "ssh -Q cipher". The default is “aes256-ctr”. -z serial_number Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If theserial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero. When generating a KRL, the-zflag is used to specify a KRL version number.
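The -Y sign / -Y verify / -Y find-principals / -Y check-novalidate workflow described above, run end to end in a scratch directory as an added example (not code from this page or from OpenSSH). The principal alice@example.com, the allowed_signers entry, the manifest contents and the helper names are constructed for the demo; the function returns 77 when ssh-keygen is not installed so the demo is skipped rather than reported as broken.

```shell
#!/bin/sh
# Added example, not from the page: exercise ssh-keygen -Y sign/verify and
# the negative cases a verifier must reject (tampered data, wrong namespace,
# unknown principal, revoked key). All names and inputs below are constructed.
set -u

# _verify SIGNERS IDENTITY NAMESPACE SIGFILE MSGFILE [extra ssh-keygen flags]
# Message goes on stdin, signature via -s; quiet; returns ssh-keygen's status.
_verify() {
    signers=$1; ident=$2; ns=$3; sigf=$4; msgf=$5; shift 5
    ssh-keygen -Y verify -f "$signers" -I "$ident" -n "$ns" -s "$sigf" "$@" \
        < "$msgf" >/dev/null 2>&1
}

# Returns 0 when every check passes, 1 on any failure, 77 if ssh-keygen is absent.
demo_sign_verify() {
    command -v ssh-keygen >/dev/null 2>&1 || return 77
    work=$(mktemp -d) || return 1
    key="$work/signer"; msg="$work/manifest.txt"; sig="$msg.sig"
    signers="$work/allowed_signers"; failed=0

    # Throwaway ed25519 signing key, no passphrase (-N ""), quiet (-q).
    ssh-keygen -q -t ed25519 -N "" -C "demo_signer" -f "$key" \
        || { rm -rf "$work"; return 1; }

    # Constructed data to sign, and an allowed_signers line that binds the
    # principal to the public key and restricts it to the "file" namespace.
    printf 'release 1.2.3 sha256 sums\n' > "$msg"
    printf 'alice@example.com namespaces="file" %s\n' \
        "$(cut -d' ' -f1,2 "$key.pub")" > "$signers"

    # Sign the file; ssh-keygen writes manifest.txt.sig next to it.
    ssh-keygen -Y sign -f "$key" -n file "$msg" >/dev/null 2>&1 \
        || { rm -rf "$work"; return 1; }

    # 1. Genuine message, right principal and namespace: must verify.
    _verify "$signers" alice@example.com file "$sig" "$msg" || failed=$((failed+1))

    # 2. Altered message: must fail.
    printf 'release 1.2.3 sha256 sums (altered)\n' > "$work/tampered.txt"
    _verify "$signers" alice@example.com file "$sig" "$work/tampered.txt" && failed=$((failed+1))

    # 3. Wrong namespace ("email" instead of "file"): must fail.
    _verify "$signers" alice@example.com email "$sig" "$msg" && failed=$((failed+1))

    # 4. Principal not listed in allowed_signers: must fail.
    _verify "$signers" mallory@example.com file "$sig" "$msg" && failed=$((failed+1))

    # 5. Signing key listed in a one-per-line revocation file (-r): must fail.
    _verify "$signers" alice@example.com file "$sig" "$msg" -r "$key.pub" && failed=$((failed+1))

    # 6. check-novalidate only checks signature structure, so it still passes.
    ssh-keygen -Y check-novalidate -n file -s "$sig" < "$msg" >/dev/null 2>&1 \
        || failed=$((failed+1))

    # 7. find-principals maps the signature's key back to its principal.
    [ "$(ssh-keygen -Y find-principals -s "$sig" -f "$signers" 2>/dev/null)" \
        = "alice@example.com" ] || failed=$((failed+1))

    rm -rf "$work"
    [ "$failed" -eq 0 ]
}
```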
•A relative time before the current system time consisting of a minus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5). •A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”. The end time may be specified similarly to the start time: •The string “forever” to indicate the certificate has no specified end time. •A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS]. •A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. •A relative time after the current system time consisting of a plus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5). •A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”. For example: +52w1d Valid from now to 52 weeks and one day from now. -4w:+4w Valid from four weeks ago to four weeks from now. 20100101123000:20110101123000 Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011. 20100101123000Z:20110101123000Z Similar, but interpreted in the UTC time zone rather than the system time zone. -1d:20110101 Valid from yesterday to midnight, January 1st, 2011. 0x1:0x2000000000 Valid from roughly early 1970 to May 2033. -1m:forever Valid from one minute ago and never expiring. -v Verbose mode. Causesssh-keygento print debugging messages about its progress. This is helpful for debugging moduli generation. Multiple-voptions increase the verbosity. The maximum is 3. -w provider Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. -Y find-principals Find the principal(s) associated with the public key of a signature, provided using the-sflag in an authorized signers file provided using the-fflag. The format of the allowed signers file is documented in theALLOWED SIGNERS section below. 
If one or more matching principals are found, they are returned on standard output. -Y match-principals Find principal matching the principal name provided using the-Iflag in the authorized signers file specified using the-fflag. If one or more matching principals are found, they are returned on standard output. -Y check-novalidate Checks that a signature generated usingssh-keygen -Y sign has a valid structure. This does not validate if a signature comes from an authorized signer. When testing a signature,ssh-keygenaccepts a message on standard input and a signature namespace using-n. A file containing the corresponding signature must also be supplied using the-s flag. Successful testing of the signature is signalled by ssh-keygenreturning a zero exit status. -Y sign Cryptographically sign a file or some data using a SSH key. When signing,ssh-keygenaccepts zero or more files to sign on the command-line - if no files are specified then ssh-keygen will sign data presented on standard input. Signatures are written to the path of the input file with “.sig” appended, or to standard output if the message to be signed was read from standard input. The key used for signing is specified using the-foption and may refer to either a private key, or a public key with the private half available via ssh-agent(1). An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the-nflag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. -Y verify Request to verify a signature generated usingssh-keygen -Ysignas described above. When verifying a signature, ssh-keygenaccepts a message on standard input and a signature namespace using-n. 
A file containing the corresponding signature must also be supplied using the-s flag, along with the identity of the signer using-Iand a list of allowed signers via the-fflag. The format of the allowed signers file is documented in theALLOWED SIGNERS section below. A file containing revoked keys can be passed using the-rflag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by ssh-keygenreturning a zero exit status. -y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. -Z cipher Specifies the cipher to use for encryption when writing an OpenSSH-format private key file. The list of available ciphers may be obtained using "ssh -Q cipher". The default is “aes256-ctr”. -z serial_number Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If theserial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero. When generating a KRL, the-zflag is used to specify a KRL version number.
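As an added example (not from the original page or from OpenSSH's own documentation), the script below exercises the certificate-signing options (-s, -I, -n, -V, -z, inspected with -L), the detached-signature options (-Y sign and -Y verify against an allowed signers file, in a namespace) and the revocation options (-k, -Q and -r) described above, using throwaway keys in a temporary directory. The principal alice@example.com, key identity alice-demo and serial 42 are constructed values, and it assumes OpenSSH 8.0 or later is on PATH.

```shell
#!/bin/sh
# Added example: drive ssh-keygen through certificate signing, -Y sign/verify
# and KRL checks with disposable keys. Every value below is constructed for
# the demo; nothing is taken from a real deployment.

fail() { echo "FAIL: $*" >&2; return 1; }

# Body of the demo; $1 is a scratch directory that the caller removes.
ssh_cert_demo_in() {
    d=$1
    # 1. A CA key and a user key. ed25519 has a fixed size, so -b is not needed.
    ssh-keygen -q -t ed25519 -N "" -C "demo-ca" -f "$d/ca" || return 1
    ssh-keygen -q -t ed25519 -N "" -C "alice@example.com" -f "$d/alice" || return 1

    # 2. Sign alice's public key into a user certificate: -I key identity,
    #    -n principals, -V validity (5 minutes ago until one hour from now),
    #    -z serial. ssh-keygen writes the result to alice-cert.pub.
    ssh-keygen -q -s "$d/ca" -I alice-demo -n alice,deploy -V -5m:+1h -z 42 \
        "$d/alice.pub" || return 1
    ssh-keygen -L -f "$d/alice-cert.pub" > "$d/cert.txt" || return 1
    grep -q 'Key ID: "alice-demo"' "$d/cert.txt" || { fail "key ID missing"; return 1; }
    grep -q 'Serial: 42' "$d/cert.txt" || { fail "serial not embedded"; return 1; }
    grep -q '[[:space:]]deploy$' "$d/cert.txt" || { fail "principal missing"; return 1; }

    # 3. Detached signature over a file in the "file" namespace -> msg.sig
    printf 'release v1\n' > "$d/msg"
    ssh-keygen -q -Y sign -f "$d/alice" -n file "$d/msg" || return 1

    # 4. Allowed signers file: "<principal> <keytype> <base64 key>"; the
    #    trailing comment of alice.pub is dropped on purpose.
    awk '{ print "alice@example.com", $1, $2 }' "$d/alice.pub" > "$d/allowed_signers"

    # Correct message, namespace and signer identity: exit status 0.
    ssh-keygen -Y verify -f "$d/allowed_signers" -I alice@example.com -n file \
        -s "$d/msg.sig" < "$d/msg" > /dev/null || { fail "good signature rejected"; return 1; }

    # A tampered message must be rejected (non-zero exit status).
    if printf 'release v2\n' | ssh-keygen -Y verify -f "$d/allowed_signers" \
        -I alice@example.com -n file -s "$d/msg.sig" > /dev/null 2>&1; then
        fail "tampered message accepted"; return 1
    fi

    # Same bytes, wrong namespace: the namespace stops a signature made for
    # one purpose from being replayed as another.
    if ssh-keygen -Y verify -f "$d/allowed_signers" -I alice@example.com -n email \
        -s "$d/msg.sig" < "$d/msg" > /dev/null 2>&1; then
        fail "wrong namespace accepted"; return 1
    fi

    # 5. Revoke alice's key in a KRL (-k), confirm with -Q, and make -Y verify
    #    honour the revocation via -r.
    ssh-keygen -q -k -f "$d/krl" "$d/alice.pub" || return 1
    ssh-keygen -Q -f "$d/krl" "$d/alice.pub" | grep -q REVOKED \
        || { fail "KRL does not list the key"; return 1; }
    if ssh-keygen -Y verify -f "$d/allowed_signers" -I alice@example.com -n file \
        -s "$d/msg.sig" -r "$d/krl" < "$d/msg" > /dev/null 2>&1; then
        fail "revoked signer accepted"; return 1
    fi
    echo "all ssh-keygen checks passed"
}

# Entry point: returns 0 only if every check above passed.
ssh_cert_demo() {
    d=$(mktemp -d) || return 1
    ssh_cert_demo_in "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

if command -v ssh-keygen > /dev/null 2>&1; then
    ssh_cert_demo
else
    echo "ssh-keygen not on PATH; nothing run" >&2
fi
```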
ssh 폴더 확인하기
1.
.ssh 경로에서 생성해 놓은 키가 있는지 확인한다.
ls -al ~/.ssh
2.
폴더가 없는경우 생성해주면 된다.
mkdir ~/.ssh chmod 700 ~/.ssh cd ~/.ssh
ssh 키 생성하기
1.
아래의 명령어를 입력하여 생성해준다.
ssh-keygen -t rsa -b 4096 -C "yourEmail@example.com" -f <filename.pem>
다음 문구가 나오면, 키를 사용할때 쓸 비밀번호를 입력한다. 만약 비밀번호를 쓰기 싫다면 엔터를 친다.
Enter passphrase (empty for no passphrase): Enter same passphrase again:
1.
아래와 같이 문구가 뜨면 생성된 것이다.
Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:qYWyFlIUh/DxwRyzRj961ymIFyhgKchwpAy10YJcIIm your_email@example.com The key's randomart image is: +---[RSA 4096]----+ | =+. . o | | +.= E = . | | o + * * . | | . * * o | | .. o=..S+ | |o .o =+.o | | *. o... . | |o=+..o | |=o+++.o. | +----[SHA256]-----+
1.
실수로 비밀번호를 생성한 경우 아래의 명령어를 통해서 다시 설정해 줄 수 있다.
ssh-keygen -p
1.
아래의 파일들이 생성된 것을 확인할 수 있다.
authorized_keys - id_rsa.pub 키의 값을 저장 한다.
id_rsa - 개인키, 타인에게 노출되면 안되는 private key 이다. 본인의 컴퓨터 내부에 저장하게 되어 있으며, 이 Private Key를 통해 암호화된 메시지를 복호화 할 수 있다.
id_rsa.pub - public key, 공개되어도 비교적 안전한 Key이다. Public Key를 통해 메시지를 전송하기 전 암호화를 하게 된다. - Public Key로는 복호화는 불가능 하다. - 접속하려는 Remote Machine의 authorized_keys에 입력하여 사용한다.
2.
ssh 생성 여부 확인하기.
eval "$(ssh-agent -s)" # 다음과 같이 뜬다면 잘 된 것이다. # Agent pid 26191
3.
ssh-agent에 ssh-key 등록하기.
ssh-add ~/.ssh/id_rsa # Enter passphrase for /root/.ssh/id_rsa: # Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
ssh-keygen 명령어
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-O option] [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w provider] [-Z cipher] ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase] [-Z cipher] ssh-keygen -i [-f input_keyfile] [-m key_format] ssh-keygen -e [-f input_keyfile] [-m key_format] ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase] ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] ssh-keygen -B [-f input_keyfile] ssh-keygen -D pkcs11 ssh-keygen -F hostname [-lv] [-f known_hosts_file] ssh-keygen -H [-f known_hosts_file] ssh-keygen -K [-a rounds] [-w provider] ssh-keygen -R hostname [-f known_hosts_file] ssh-keygen -r hostname [-g] [-f input_keyfile] ssh-keygen -M generate [-O option] output_file ssh-keygen -M screen [-f input_file] [-O option] output_file ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ... ssh-keygen -L [-f input_keyfile] ssh-keygen -A [-a rounds] [-f prefix_path] ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... ssh-keygen -Q [-l] -f krl_file file ... ssh-keygen -Y find-principals [-O option] -s signature_file -f allowed_signers_file ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file ssh-keygen -Y sign [-O option] -f key_file -n namespace file ... ssh-keygen -Y verify [-O option] -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]
The options are as follows: -A Generate host keys of all default key types (rsa, ecdsa, and ed25519) if they do not already exist. The host keys are generated with the default key file path, an empty passphrase, default bits for the key type, and default comment. If-fhas also been specified, its argument is used as a prefix to the default path for the resulting host key files. This is used by/etc/rc to generate new host keys. -a rounds When saving a private key, this option specifies the number of KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). The default is 16 rounds. -B Show the bubblebabble digest of specified private or public key file. -b bits Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the-bflag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the-b flag will be ignored. -C comment Provides a new comment. -c Requests changing the comment in the private and public key files. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment. -D pkcs11 Download the public keys provided by the PKCS#11 shared librarypkcs11. When used in combination with-s, this option indicates that a CA key resides in a PKCS#11 token (see theCERTIFICATES section for details). -E fingerprint_hash Specifies the hash algorithm used when displaying key fingerprints. Valid options are: “md5” and “sha256”. The default is “sha256”. 
-e This option will read a private or public OpenSSH key file and print to stdout a public key in one of the formats specified by the-moption. The default export format is “RFC4716”. This option allows exporting OpenSSH keys for use by other programs, including several commercial SSH implementations. -F hostname |[hostname]:port Search for the specifiedhostname (with optional port number) in aknown_hosts file, listing any occurrences found. This option is useful to find hashed host names or addresses and may also be used in conjunction with the-H option to print found keys in a hashed format. -f filename Specifies the filename of the key file. -g Use generic DNS format when printing fingerprint resource records using the-rcommand. -HH ash aknown_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally bysshandsshd, but they do not reveal identifying information should the file's contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names. -h When signing a key, create a host certificate instead of a user certificate. See theCERTIFICATES section for details. -I certificate_identity Specify the key identity when signing a public key. See theCERTIFICATES section for details. -i This option will read an unencrypted private (or public) key file in the format specified by the-moption and print an OpenSSH compatible private (or public) key to stdout. This option allows importing keys from other software, including several commercial SSH implementations. The default import format is “RFC4716”. -K Download resident keys from a FIDO authenticator. Public and private key files will be written to the current directory for each downloaded key. 
If multiple FIDO authenticators are attached, keys will be downloaded from the first touched authenticator. See theFIDOAUTHENTICATOR section for more information. -k Generate a KRL file. In this mode,ssh-keygenwill generate a KRL file at the location specified via the-f flag that revokes every key or certificate presented on the command line. Keys/certificates to be revoked may be specified by public key file or using the format described in theKEY REVOCATION LISTS section. -L Prints the contents of one or more certificates. -l Show fingerprint of specified public key file. For RSA and DSA keysssh-keygentries to find the matching public key file and prints its fingerprint. If combined with-v, a visual ASCII art representation of the key is supplied with the fingerprint. -M generate Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for eventual use by the ‘diffie-hellman-group-exchange-*’ key exchange methods. The numbers generated by this operation must be further screened before use. See theMODULI GENERATION section for more information. -M screen Screen candidate parameters for Diffie-Hellman Group Exchange. This will accept a list of candidate numbers and test that they are safe (Sophie Germain) primes with acceptable group generators. The results of this operation may be added to the/etc/moduli file. See theMODULIGENERATION section for more information. -m key_format Specify a key format for key generation, the-i(import), -e (export) conversion options, and the-pchange passphrase operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public keys for export the default format is “RFC4716”. 
Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format. -N new_passphrase Provides the new passphrase. -n principals Specify one or more principals (user or host names) to be included in a certificate when signing a key. Multiple principals may be specified, separated by commas. See the CERTIFICATES section for details. -O option Specify a key/value option. These are specific to the operation thatssh-keygenhas been requested to perform. When signing certificates, one of the options listed in the CERTIFICATES section may be specified here. When performing moduli generation or screening, one of the options listed in theMODULI GENERATION section may be specified. When generating FIDO authenticator-backed keys, the options listed in theFIDO AUTHENTICATOR section may be specified. When performing signature-related options using the-Y flag, the following options are accepted: hashalg=algorithm Selects the hash algorithm to use for hashing the message to be signed. Valid algorithms are “sha256” and “sha512.” The default is “sha512.” print-pubkey Print the full public key to standard output after signature verification. verify-time=timestamp Specifies a time to use when validating signatures instead of the current time. The time may be specified as a date or time in the YYYYMMDD[Z] or in YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted in the current system time zone unless suffixed with a Z character, which causes them to be interpreted in the UTC time zone. The-Ooption may be specified multiple times. -P passphrase Provides the (old) passphrase. -p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. -Q Test whether keys have been revoked in a KRL. 
If the-l option is also specified then the contents of the KRL will be printed. -q Silencessh-keygen. -R hostname |[hostname]:port Removes all keys belonging to the specifiedhostname (with optional port number) from aknown_hosts file. This option is useful to delete hashed hosts (see the-Hoption above). -r hostname Print the SSHFP fingerprint resource record namedhostname for the specified public key file. -s ca_key Certify (sign) a public key using the specified CA key. See theCERTIFICATES section for details. When generating a KRL,-sspecifies a path to a CA public key file used to revoke certificates directly by key ID or serial number. See theKEY REVOCATION LISTS section for details. -t dsa|ecdsa|ecdsa-sk|ed25519|ed25519-sk|rsa Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”. This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default). -U When used in combination with-sor-Y sign, this option indicates that a CA key resides in a ssh-agent(1). See the CERTIFICATES section for more information. -u Update a KRL. When specified with-k, keys listed via the command line are added to the existing KRL rather than a new KRL being created. -V validity_interval Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval. The start time may be specified as: •The string “always” to indicate the certificate has no specified start time. •A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS]. •A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. 
•A relative time before the current system time consisting of a minus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5). •A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”. The end time may be specified similarly to the start time: •The string “forever” to indicate the certificate has no specified end time. •A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS]. •A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. •A relative time after the current system time consisting of a plus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5). •A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”. For example: +52w1d Valid from now to 52 weeks and one day from now. -4w:+4w Valid from four weeks ago to four weeks from now. 20100101123000:20110101123000 Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011. 20100101123000Z:20110101123000Z Similar, but interpreted in the UTC time zone rather than the system time zone. -1d:20110101 Valid from yesterday to midnight, January 1st, 2011. 0x1:0x2000000000 Valid from roughly early 1970 to May 2033. -1m:forever Valid from one minute ago and never expiring. -v Verbose mode. Causesssh-keygento print debugging messages about its progress. This is helpful for debugging moduli generation. Multiple-voptions increase the verbosity. The maximum is 3. -w provider Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. -Y find-principals Find the principal(s) associated with the public key of a signature, provided using the-sflag in an authorized signers file provided using the-fflag. The format of the allowed signers file is documented in theALLOWED SIGNERS section below. 
If one or more matching principals are found, they are returned on standard output. -Y match-principals Find principal matching the principal name provided using the-Iflag in the authorized signers file specified using the-fflag. If one or more matching principals are found, they are returned on standard output. -Y check-novalidate Checks that a signature generated usingssh-keygen -Y sign has a valid structure. This does not validate if a signature comes from an authorized signer. When testing a signature,ssh-keygenaccepts a message on standard input and a signature namespace using-n. A file containing the corresponding signature must also be supplied using the-s flag. Successful testing of the signature is signalled by ssh-keygenreturning a zero exit status. -Y sign Cryptographically sign a file or some data using a SSH key. When signing,ssh-keygenaccepts zero or more files to sign on the command-line - if no files are specified then ssh-keygen will sign data presented on standard input. Signatures are written to the path of the input file with “.sig” appended, or to standard output if the message to be signed was read from standard input. The key used for signing is specified using the-foption and may refer to either a private key, or a public key with the private half available via ssh-agent(1). An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the-nflag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. -Y verify Request to verify a signature generated usingssh-keygen -Ysignas described above. When verifying a signature, ssh-keygenaccepts a message on standard input and a signature namespace using-n. 
A file containing the corresponding signature must also be supplied using the-s flag, along with the identity of the signer using-Iand a list of allowed signers via the-fflag. The format of the allowed signers file is documented in theALLOWED SIGNERS section below. A file containing revoked keys can be passed using the-rflag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by ssh-keygenreturning a zero exit status. -y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. -Z cipher Specifies the cipher to use for encryption when writing an OpenSSH-format private key file. The list of available ciphers may be obtained using "ssh -Q cipher". The default is “aes256-ctr”. -z serial_number Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If theserial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero. When generating a KRL, the-zflag is used to specify a KRL version number.
ssh 폴더 확인하기
1.
.ssh 경로에서 생성해 놓은 키가 있는지 확인한다.
ls -al ~/.ssh
2.
폴더가 없는경우 생성해주면 된다.
mkdir ~/.ssh chmod 700 ~/.ssh cd ~/.ssh
ssh 키 생성하기
1.
아래의 명령어를 입력하여 생성해준다.
ssh-keygen -t rsa -b 4096 -C "yourEmail@example.com" -f <filename.pem>
다음 문구가 나오면, 키를 사용할때 쓸 비밀번호를 입력한다. 만약 비밀번호를 쓰기 싫다면 엔터를 친다.
Enter passphrase (empty for no passphrase): Enter same passphrase again:
1.
아래와 같이 문구가 뜨면 생성된 것이다.
Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:qYWyFlIUh/DxwRyzRj961ymIFyhgKchwpAy10YJcIIm your_email@example.com The key's randomart image is: +---[RSA 4096]----+ | =+. . o | | +.= E = . | | o + * * . | | . * * o | | .. o=..S+ | |o .o =+.o | | *. o... . | |o=+..o | |=o+++.o. | +----[SHA256]-----+
1.
실수로 비밀번호를 생성한 경우 아래의 명령어를 통해서 다시 설정해 줄 수 있다.
ssh-keygen -p
1.
아래의 파일들이 생성된 것을 확인할 수 있다.
authorized_keys - id_rsa.pub 키의 값을 저장 한다.
id_rsa - 개인키, 타인에게 노출되면 안되는 private key 이다. 본인의 컴퓨터 내부에 저장하게 되어 있으며, 이 Private Key를 통해 암호화된 메시지를 복호화 할 수 있다.
id_rsa.pub - public key, 공개되어도 비교적 안전한 Key이다. Public Key를 통해 메시지를 전송하기 전 암호화를 하게 된다. - Public Key로는 복호화는 불가능 하다. - 접속하려는 Remote Machine의 authorized_keys에 입력하여 사용한다.
2.
ssh 생성 여부 확인하기.
eval "$(ssh-agent -s)" # 다음과 같이 뜬다면 잘 된 것이다. # Agent pid 26191
3.
ssh-agent에 ssh-key 등록하기.
ssh-add ~/.ssh/id_rsa # Enter passphrase for /root/.ssh/id_rsa: # Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
ssh-keygen 명령어
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-O option] [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w provider] [-Z cipher] ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase] [-Z cipher] ssh-keygen -i [-f input_keyfile] [-m key_format] ssh-keygen -e [-f input_keyfile] [-m key_format] ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase] ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] ssh-keygen -B [-f input_keyfile] ssh-keygen -D pkcs11 ssh-keygen -F hostname [-lv] [-f known_hosts_file] ssh-keygen -H [-f known_hosts_file] ssh-keygen -K [-a rounds] [-w provider] ssh-keygen -R hostname [-f known_hosts_file] ssh-keygen -r hostname [-g] [-f input_keyfile] ssh-keygen -M generate [-O option] output_file ssh-keygen -M screen [-f input_file] [-O option] output_file ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ... ssh-keygen -L [-f input_keyfile] ssh-keygen -A [-a rounds] [-f prefix_path] ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... ssh-keygen -Q [-l] -f krl_file file ... ssh-keygen -Y find-principals [-O option] -s signature_file -f allowed_signers_file ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file ssh-keygen -Y sign [-O option] -f key_file -n namespace file ... ssh-keygen -Y verify [-O option] -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]
The options are as follows:

-A
    Generate host keys of all default key types (rsa, ecdsa, and ed25519) if they do not already exist. The host keys are generated with the default key file path, an empty passphrase, default bits for the key type, and default comment. If -f has also been specified, its argument is used as a prefix to the default path for the resulting host key files. This is used by /etc/rc to generate new host keys.

-a rounds
    When saving a private key, this option specifies the number of KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). The default is 16 rounds.

-B
    Show the bubblebabble digest of specified private or public key file.

-b bits
    Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.

-C comment
    Provides a new comment.

-c
    Requests changing the comment in the private and public key files. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment.

-D pkcs11
    Download the public keys provided by the PKCS#11 shared library pkcs11. When used in combination with -s, this option indicates that a CA key resides in a PKCS#11 token (see the CERTIFICATES section for details).

-E fingerprint_hash
    Specifies the hash algorithm used when displaying key fingerprints. Valid options are: “md5” and “sha256”. The default is “sha256”.

-e
    This option will read a private or public OpenSSH key file and print to stdout a public key in one of the formats specified by the -m option. The default export format is “RFC4716”. This option allows exporting OpenSSH keys for use by other programs, including several commercial SSH implementations.

-F hostname | [hostname]:port
    Search for the specified hostname (with optional port number) in a known_hosts file, listing any occurrences found. This option is useful to find hashed host names or addresses and may also be used in conjunction with the -H option to print found keys in a hashed format.

-f filename
    Specifies the filename of the key file.

-g
    Use generic DNS format when printing fingerprint resource records using the -r command.

-H
    Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names.

-h
    When signing a key, create a host certificate instead of a user certificate. See the CERTIFICATES section for details.

-I certificate_identity
    Specify the key identity when signing a public key. See the CERTIFICATES section for details.

-i
    This option will read an unencrypted private (or public) key file in the format specified by the -m option and print an OpenSSH compatible private (or public) key to stdout. This option allows importing keys from other software, including several commercial SSH implementations. The default import format is “RFC4716”.

-K
    Download resident keys from a FIDO authenticator. Public and private key files will be written to the current directory for each downloaded key. If multiple FIDO authenticators are attached, keys will be downloaded from the first touched authenticator. See the FIDO AUTHENTICATOR section for more information.

-k
    Generate a KRL file. In this mode, ssh-keygen will generate a KRL file at the location specified via the -f flag that revokes every key or certificate presented on the command line. Keys/certificates to be revoked may be specified by public key file or using the format described in the KEY REVOCATION LISTS section.

-L
    Prints the contents of one or more certificates.

-l
    Show fingerprint of specified public key file. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. If combined with -v, a visual ASCII art representation of the key is supplied with the fingerprint.

-M generate
    Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for eventual use by the ‘diffie-hellman-group-exchange-*’ key exchange methods. The numbers generated by this operation must be further screened before use. See the MODULI GENERATION section for more information.

-M screen
    Screen candidate parameters for Diffie-Hellman Group Exchange. This will accept a list of candidate numbers and test that they are safe (Sophie Germain) primes with acceptable group generators. The results of this operation may be added to the /etc/moduli file. See the MODULI GENERATION section for more information.

-m key_format
    Specify a key format for key generation, the -i (import), -e (export) conversion options, and the -p change passphrase operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM” (PEM public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public keys for export the default format is “RFC4716”. Setting a format of “PEM” when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.

-N new_passphrase
    Provides the new passphrase.

-n principals
    Specify one or more principals (user or host names) to be included in a certificate when signing a key. Multiple principals may be specified, separated by commas. See the CERTIFICATES section for details.

-O option
    Specify a key/value option. These are specific to the operation that ssh-keygen has been requested to perform. When signing certificates, one of the options listed in the CERTIFICATES section may be specified here. When performing moduli generation or screening, one of the options listed in the MODULI GENERATION section may be specified. When generating FIDO authenticator-backed keys, the options listed in the FIDO AUTHENTICATOR section may be specified. When performing signature-related options using the -Y flag, the following options are accepted:

    hashalg=algorithm
        Selects the hash algorithm to use for hashing the message to be signed. Valid algorithms are “sha256” and “sha512.” The default is “sha512.”

    print-pubkey
        Print the full public key to standard output after signature verification.

    verify-time=timestamp
        Specifies a time to use when validating signatures instead of the current time. The time may be specified as a date or time in the YYYYMMDD[Z] or in YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted in the current system time zone unless suffixed with a Z character, which causes them to be interpreted in the UTC time zone.

    The -O option may be specified multiple times.

-P passphrase
    Provides the (old) passphrase.

-p
    Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase.

-Q
    Test whether keys have been revoked in a KRL. If the -l option is also specified then the contents of the KRL will be printed.

-q
    Silence ssh-keygen.

-R hostname | [hostname]:port
    Removes all keys belonging to the specified hostname (with optional port number) from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

-r hostname
    Print the SSHFP fingerprint resource record named hostname for the specified public key file.

-s ca_key
    Certify (sign) a public key using the specified CA key. See the CERTIFICATES section for details. When generating a KRL, -s specifies a path to a CA public key file used to revoke certificates directly by key ID or serial number. See the KEY REVOCATION LISTS section for details.

-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
    Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”. This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).

-U
    When used in combination with -s or -Y sign, this option indicates that a CA key resides in a ssh-agent(1). See the CERTIFICATES section for more information.

-u
    Update a KRL. When specified with -k, keys listed via the command line are added to the existing KRL rather than a new KRL being created.

-V validity_interval
    Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval.

    The start time may be specified as:
    • The string “always” to indicate the certificate has no specified start time.
    • A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
    • A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
    • A relative time before the current system time consisting of a minus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
    • A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.

    The end time may be specified similarly to the start time:
    • The string “forever” to indicate the certificate has no specified end time.
    • A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
    • A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
    • A relative time after the current system time consisting of a plus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
    • A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.

    For example:
    +52w1d
        Valid from now to 52 weeks and one day from now.
    -4w:+4w
        Valid from four weeks ago to four weeks from now.
    20100101123000:20110101123000
        Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011.
    20100101123000Z:20110101123000Z
        Similar, but interpreted in the UTC time zone rather than the system time zone.
    -1d:20110101
        Valid from yesterday to midnight, January 1st, 2011.
    0x1:0x2000000000
        Valid from roughly early 1970 to May 2033.
    -1m:forever
        Valid from one minute ago and never expiring.

-v
    Verbose mode. Causes ssh-keygen to print debugging messages about its progress. This is helpful for debugging moduli generation. Multiple -v options increase the verbosity. The maximum is 3.

-w provider
    Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support.

-Y find-principals
    Find the principal(s) associated with the public key of a signature, provided using the -s flag in an authorized signers file provided using the -f flag. The format of the allowed signers file is documented in the ALLOWED SIGNERS section below. If one or more matching principals are found, they are returned on standard output.

-Y match-principals
    Find principal matching the principal name provided using the -I flag in the authorized signers file specified using the -f flag. If one or more matching principals are found, they are returned on standard output.

-Y check-novalidate
    Checks that a signature generated using ssh-keygen -Y sign has a valid structure. This does not validate if a signature comes from an authorized signer. When testing a signature, ssh-keygen accepts a message on standard input and a signature namespace using -n. A file containing the corresponding signature must also be supplied using the -s flag. Successful testing of the signature is signalled by ssh-keygen returning a zero exit status.

-Y sign
    Cryptographically sign a file or some data using a SSH key. When signing, ssh-keygen accepts zero or more files to sign on the command-line - if no files are specified then ssh-keygen will sign data presented on standard input. Signatures are written to the path of the input file with “.sig” appended, or to standard output if the message to be signed was read from standard input. The key used for signing is specified using the -f option and may refer to either a private key, or a public key with the private half available via ssh-agent(1). An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.

-Y verify
    Request to verify a signature generated using ssh-keygen -Y sign as described above. When verifying a signature, ssh-keygen accepts a message on standard input and a signature namespace using -n. A file containing the corresponding signature must also be supplied using the -s flag, along with the identity of the signer using -I and a list of allowed signers via the -f flag. The format of the allowed signers file is documented in the ALLOWED SIGNERS section below. A file containing revoked keys can be passed using the -r flag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by ssh-keygen returning a zero exit status.

-y
    This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

-Z cipher
    Specifies the cipher to use for encryption when writing an OpenSSH-format private key file. The list of available ciphers may be obtained using "ssh -Q cipher". The default is “aes256-ctr”.

-z serial_number
    Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If the serial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero. When generating a KRL, the -z flag is used to specify a KRL version number.
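The following is an added example, not part of this page and not OpenSSH's own code, that puts the option list above to work as a POSIX shell script: it performs the directory and key-generation steps of the tutorial (mkdir, chmod 700, ssh-keygen -t/-a/-N/-C/-f), prints the SHA256 fingerprint with -l -E, signs a file with -Y sign and checks it with -Y verify against an allowed_signers file, and finally locks the private key with -p -P/-N. It uses Ed25519 instead of the tutorial's RSA-4096, so -b is not needed. The scratch directory, the principal alice@example.com, the namespace file@example.com, the file names and the passphrase are constructed values, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the page): ssh-keygen workflow built only from
# options in the man page text above. All names below are constructed.

# mkdir + chmod 700 step: the key directory must be owner-only.
ensure_key_dir() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Generate an Ed25519 key (-b is ignored for this type). -a sets the bcrypt
# KDF rounds used once a passphrase protects the file; -N "" keeps the key
# unencrypted for now so the signing step below runs without a prompt.
generate_key() {
    keyfile=$1
    comment=$2
    ssh-keygen -q -t ed25519 -a 100 -N "" -C "$comment" -f "$keyfile"
}

# The private key file should be -rw------- ; ls -l is portable across
# GNU and BSD userlands where stat(1) flags differ.
private_key_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# SHA256 fingerprint exactly as "ssh-keygen -l -E sha256" prints it
# (second whitespace-separated field, e.g. SHA256:...).
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# One allowed_signers line: "<principal> <keytype> <base64 key>"; the
# comment field of the .pub file is dropped.
write_allowed_signers() {
    principal=$1
    pubkey=$2
    out=$3
    printf '%s %s\n' "$principal" "$(cut -d' ' -f1,2 "$pubkey")" > "$out"
}

# Detached signature: -Y sign writes <file>.sig beside the input. The
# namespace (-n) binds the signature to one domain of use.
sign_file() {
    keyfile=$1
    namespace=$2
    file=$3
    ssh-keygen -Y sign -f "$keyfile" -n "$namespace" "$file" 2>/dev/null
}

# Verify: message on stdin, signature via -s, claimed signer via -I,
# allowed signers via -f. Exit status 0 means an authorized signer signed
# exactly this message under exactly this namespace.
verify_file() {
    signers=$1
    principal=$2
    namespace=$3
    file=$4
    ssh-keygen -Y verify -f "$signers" -I "$principal" -n "$namespace" \
        -s "$file.sig" < "$file" >/dev/null 2>&1
}

# Set or rotate the passphrase without prompts: -P old, -N new. -a is
# passed again because rounds are chosen when the file is (re)encrypted.
set_passphrase() {
    keyfile=$1
    old=$2
    new=$3
    ssh-keygen -p -a 100 -P "$old" -N "$new" -f "$keyfile" >/dev/null
}

# Check that a passphrase unlocks the key by asking -y to derive the
# public half with it (fails with a non-zero status on a wrong passphrase).
passphrase_unlocks() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# End-to-end run in a scratch directory.
demo() {
    dir=$1
    ensure_key_dir "$dir/.ssh"
    generate_key "$dir/.ssh/id_ed25519" "alice@example.com"
    private_key_mode_ok "$dir/.ssh/id_ed25519"
    echo "fingerprint: $(fingerprint "$dir/.ssh/id_ed25519.pub")"
    write_allowed_signers alice@example.com "$dir/.ssh/id_ed25519.pub" "$dir/allowed_signers"
    printf 'release-1.0\n' > "$dir/manifest.txt"
    sign_file "$dir/.ssh/id_ed25519" file@example.com "$dir/manifest.txt"
    verify_file "$dir/allowed_signers" alice@example.com file@example.com "$dir/manifest.txt"
    set_passphrase "$dir/.ssh/id_ed25519" "" "constructed-passphrase"
    passphrase_unlocks "$dir/.ssh/id_ed25519" "constructed-passphrase"
}
```

Source the file and call demo with a throwaway directory (for example `demo "$(mktemp -d)"`). Two design points worth noticing: verification fails when the namespace, the principal or a single byte of the message differs, which is what the -n and -I arguments are for; and -a only matters once a passphrase is set, so it is passed to -p as well as at generation time.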