简体繁体 English

关于Linux上的SSH密钥感到困惑

[英]Confused regarding ssh keys on linux

原文 2014-03-08 04:00:39 0 2 linux/ ssh/ key

I have few doubts regarding using private/public key on linux. 对于在Linux上使用私钥/公钥，我几乎没有疑问。

Suppose i have two linux boxes A and B . 假设我有两个Linux机器A和B

I want to use password less logins to B from any computer. 我想使用少密码从任何计算机登录到B

so on A i did this 所以在A我做到了

ssh-gen -t rsa and it made two files ssh-gen -t rsa ，它制作了两个文件

id_rsa and id_rsa.pub id_rsa和id_rsa.pub

Then i copied id_rsa.pub to B ~/.ssh/A_id_rsa.pub and then 然后我复制id_rsa.pub到B ~/.ssh/A_id_rsa.pub然后

cat A_id_rsa.pub >> authorized_keys

Now i have these questions 现在我有这些问题

Suppose i have another computer C where i also want to have passwordless login but i want to use key phrase to protect the private key . 假设我有一台计算机C ，我也想进行无密码登录，但是我想使用key phrase来保护private key 。 so can i generate another key using ssh-gen -t rsa with different name and use that or i have to delete the previous key 所以我可以使用其他名称的ssh-gen -t rsa生成另一个密钥并使用该密钥，还是我必须删除前一个密钥
The other thing is for password less logins do need to do anything with keys from B to A or its always from A to B 另一件事是密码少，登录确实需要使用从B到A keys或总是从A到B keys进行任何操作
So the private key will always stay on host computer only? 因此， private key将始终仅保留在主机上吗？ i have seen that AWS gives the private key for login. 我已经看到AWS提供了用于登录的私钥。 then why is that. 那为什么呢 Beuase for putting A public key to B someone needs to access B . Beuase用于把A公钥B的人需要访问B 。 which is not possible for first time. 这是第一次不可能。 so does it mean we can login with either public key or private key 这是否意味着我们可以使用公钥或私钥登录

2 个解决方案

Yes, you can generate a key pair on C and do the same that you did for A: 是的，您可以在C上生成密钥对，并执行与A相同的操作：
cat C_id_rsa.pub >> authorized_keys 猫C_id_rsa.pub >> authorized_keys
The keys will only allow logins from A to B. 这些键仅允许从A登录到B。
Yes the private key will stay on the host computer. 是的，私钥将保留在主机上。 I believe AWS automatically puts the public key on computer B while it creates the virtual box. 我相信AWS在创建虚拟盒子时会自动将公钥放置在计算机B上。

In a quick line or two: 一两行：

The keys somewhat work like (very roughly): you need the public key to decrypt what is encrypted by private key and vice-versa. 密钥的工作方式类似于（非常粗略）：您需要公共密钥来解密由私钥加密的内容，反之亦然。 To be more precise, http://en.wikipedia.org/wiki/Public-key_cryptography has way better information to start with. 更准确地说， http：//en.wikipedia.org/wiki/Public-key_cryptography提供了更好的入门信息。

So to answer the questions: The private key is not normally tied to a computer. 因此回答以下问题：私钥通常不绑定到计算机。 You could copy the private key from, say A to C and could login by using it from C. 您可以将私钥从“ A”复制到“ C”，也可以从C使用它进行登录。

You could generate multiple keys on a single host, one key-pair for each set of hosts. 您可以在一台主机上生成多个密钥，每组主机一个密钥对。 Similarly, you could generate keys from multiple hosts, each host publishing it's key to the target computer's (B in this example) 'authorized_keys' file. 同样，您可以从多个主机生成密钥，每个主机都将其密钥发布到目标计算机的“ authorized_keys”文件（在此示例中为B）。

Ideally, the private key should be as secret as possible. 理想情况下，私钥应尽可能地保密。 While the SSH or key-management would not force having the key on one computer, it should be limited to a single system as a best practice. 尽管SSH或密钥管理不会强制将密钥存储在一台计算机上，但作为最佳实践，它应该限于单个系统。 Having said that, as far I know there is really nothing that prevents copying the private key around, say for backup or migration to a new system. 话虽这么说，据我所知，实际上并没有什么可以阻止私钥的复制，例如备份或迁移到新系统。 In other words, the private key file is like the password, it could be literally used from any system to login. 换句话说，私钥文件就像密码一样，可以从任何系统实际用于登录。