ssh-keygen in detail


First, a Google search turns up the Wikipedia explanation of SSH keys; the link is Https:// (Simplified Chinese). A digression here: Google really is better than Baidu!!!

An SSH key pair lets you log in to an SSH server without typing a password. Because your password never crosses the network, key-pair login is considered the more secure method, and protecting the private key with a passphrase raises the bar further. An SSH agent can remember the passphrase for us, so we do not have to recall the passphrase of every key pair ourselves.

SSH keys always come in pairs: a public key and a private key. The public key can be freely placed on any SSH server you need to connect to; the private key must be stored securely.

The principle behind "public key login" is simple: the user stores their public key on the remote host. At login, the remote host sends the user a random string; the user signs it with their private key and sends it back. The remote host verifies the result with the stored public key and, if it checks out, the user is trusted and a login shell is granted without asking for a password. In this way the login process is protected and the password cannot be captured by a man-in-the-middle.

The following is an analysis of ssh-keygen.

ssh-keygen supports two key algorithms, RSA and DSA. Its behaviour and parameters are explained below:

The key type is specified with the -t option. If none is given, an RSA key for SSH-2 is generated by default.
ssh-keygen can also generate the prime moduli used in Diffie-Hellman Group Exchange (DH-GEX).
If you want to use RSA or DSA authentication, run this program at least once to create the keys needed for authentication in ~/.ssh/identity, ~/.ssh/id_dsa or ~/.ssh/id_rsa.
The system administrator can also use it to generate host keys. Normally the program generates a key pair and asks for a file in which to store the private key; the public key is stored in a file of the same name with ".pub" appended.
The program also asks for a passphrase. The passphrase may be empty to indicate that there is none (host keys must have an empty passphrase). A passphrase is similar to a password, but it can be a sentence containing words, punctuation, digits, spaces or any other character you like. A good passphrase is more than 30 characters long, hard to guess, and mixes upper- and lower-case letters, digits and non-alphabetic characters. The passphrase can be changed later with the -p option. A lost passphrase cannot be recovered: if it is lost or forgotten, the user must generate a new key and distribute the corresponding public key to the other machines again.
RSA1 key files have a "comment" field that lets the user identify the key, note its purpose or record other useful information.
When a key is created the comment is initialized to "user@host"; it can be changed later with the -c option.
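As an added example (not part of the original article and not OpenSSH code), the following Python reads the .pub line that ssh-keygen writes, recovers the comment field and the key length, and computes the fingerprints that the -l option displays. It goes a little beyond this passage by also auditing a constructed authorized_keys sample against the 2048-bit RSA default stated in the option list. The key blobs are built from arbitrary integers (they are not real keys, only valid encodings) and the host names in the comments are placeholders.

```python
"""Reader for the OpenSSH public key line written to <key>.pub and to
authorized_keys, plus the fingerprints `ssh-keygen -l` derives from it.
Added illustration, not OpenSSH code. Sample keys are built from made-up
integers (they cannot authenticate anything) but use the real encoding:
"<type> <base64 blob> [comment]", the blob being length-prefixed fields
(RFC 4253 "string" and "mpint")."""
import base64
import hashlib
import struct

# Types OpenSSH writes in the first field. Only ssh-rsa (modulus bits) and
# ssh-dss (prime bits) are measured; the others are recognised and passed.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _string(b: bytes) -> bytes:
    """RFC 4253 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """RFC 4253 mpint: minimal big-endian bytes, 0x00-prefixed if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)

def build_pub_line(keytype: str, *numbers: int, comment: str = "") -> str:
    """Encode a line from its integers (e, n for ssh-rsa; p, q, g, y for
    ssh-dss). Used here only to construct the samples below."""
    blob = _string(keytype.encode()) + b"".join(_mpint(x) for x in numbers)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf) or off + 4 + struct.unpack_from(">I", buf, off)[0] > len(buf):
        raise ValueError("truncated field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:end], end

def parse_pub_line(line: str) -> dict:
    """Decode one .pub / authorized_keys line. Leading authorized_keys
    options such as no-pty are skipped by locating the key-type token."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no '<type> <base64>' pair found")
    keytype, b64 = tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    fields, off = [], 0
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    if not fields or fields[0] != keytype.encode():
        raise ValueError("blob does not start with the key type")
    # (field count, index of the field that sets the key size: n for RSA, p for DSA)
    layout = {"ssh-rsa": (3, 2), "ssh-dss": (5, 1)}.get(keytype)
    if layout and len(fields) != layout[0]:
        raise ValueError(f"{keytype} blob has {len(fields)} fields, expected {layout[0]}")
    bits = int.from_bytes(fields[layout[1]], "big").bit_length() if layout else None
    return {"type": keytype, "bits": bits, "comment": comment, "blob": blob}

def fingerprints(blob: bytes) -> dict:
    """The two forms `ssh-keygen -l` prints: SHA256 as unpadded base64 and,
    with -E md5, the colon-separated hex digest."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": "SHA256:" + sha,
            "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def audit_authorized_keys(text: str, min_rsa_bits: int = 2048) -> list:
    """Flag RSA keys below the 2048-bit default, every DSA key (fixed at
    1024 bits) and anything unparseable. Returns (line number, reason) pairs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            info = parse_pub_line(line)
        except ValueError as exc:
            findings.append((n, f"unparseable: {exc}"))
            continue
        if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
            findings.append((n, f"RSA key is {info['bits']} bits, below {min_rsa_bits}"))
        elif info["type"] == "ssh-dss":
            findings.append((n, "DSA key, 1024 bits only"))
    return findings

# Constructed samples: arbitrary integers, not real key material.
STRONG_RSA = build_pub_line("ssh-rsa", 65537, (1 << 2047) | 0xB5, comment="alice@example-host")
WEAK_RSA = build_pub_line("ssh-rsa", 65537, (1 << 1023) | 0x2D, comment="legacy@example-host")
OLD_DSA = build_pub_line("ssh-dss", (1 << 1023) | 7, (1 << 159) | 1, 2, 5, comment="old@example-host")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    STRONG_RSA,
    "no-pty " + WEAK_RSA,
    OLD_DSA,
    "ssh-rsa not-base64 junk",
])
```

From a Python prompt, parse_pub_line(STRONG_RSA) reports type ssh-rsa, 2048 bits and the comment alice@example-host, fingerprints(...) returns the SHA256 and MD5 strings in the layout -l uses, and audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS) flags lines 3 (1024-bit RSA behind a no-pty option), 4 (DSA) and 5 (not decodable). Point the audit at a real authorized_keys file with open(path).read() to review which keys a host accepts.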
After a key has been generated, the options below control how keys are managed and used. The available options are:
-a trials
Specifies the number of primality tests to perform when screening DH-GEX candidate primes with the -T option.
-B
Shows the bubblebabble digest of the specified public or private key file.
-b bits
Specifies the key length in bits. For RSA keys the minimum is 768 bits and the default is 2048 bits. DSA keys must be exactly 1024 bits, as required by the FIPS 186-2 standard.
-C comment
Provides a new comment.
-c
Requests changing the comment in the private and public key files. This option is only supported for RSA1 keys.
The program prompts for the private key file name, the passphrase (if any) and the new comment.
-D reader
Downloads the RSA public key stored in the smart card in reader.
-e
Reads an OpenSSH private or public key file and prints the key to stdout in the RFC 4716 SSH public key file format.
This option lets you export keys to several commercial SSH implementations.
-F hostname
Searches the known_hosts file for the specified hostname and lists every occurrence found.
This option is mainly used to find hashed host names or addresses, and it can be combined with the -H option to print the found keys in hashed form.
-f filename
Specifies the key file name.
-G output_file
Generates candidate primes for DH-GEX. These candidates must be screened for safety with the -T option before use.
-g
Uses generic DNS format when printing fingerprint resource records with the -r option.
-H
Hashes the known_hosts file. All host names and addresses in the file are replaced by their hashed form.
The original file is kept under its name with ".old" appended. The hashed entries are used transparently by ssh and sshd.
This option does not modify host names or addresses that are already hashed, so it is safe to run on files that mix hashed and plain entries.
-i
Reads an unencrypted SSH-2-compatible private or public key file and prints an OpenSSH-compatible private or public key to stdout.
This option is mainly used to import keys from several commercial SSH implementations.
-l
Shows the fingerprint of the specified public key file. RSA1 private keys are also supported.
For RSA and DSA keys, the corresponding public key file is looked up and its fingerprint is shown.
-M memory
Specifies the maximum memory to use, in megabytes, when generating DH-GEX candidate primes.
-N new_passphrase
Provides the new passphrase.
-P passphrase
Provides the (old) passphrase.
-p
Requests changing the passphrase of a private key file without recreating the key. The program prompts for the private key file name, the old passphrase, and the new passphrase twice.
-q
Quiet mode. Used by /etc/rc when creating new keys.
-R hostname
Removes all keys belonging to hostname from the known_hosts file.
This option is mainly used to remove hashed hosts (see the -H option).
-r hostname
Prints the SSHFP fingerprint resource record for the public key file, under the name hostname.
-S start
Specifies the start point, in hexadecimal, when generating DH-GEX candidate moduli.
-T output_file
Tests the Diffie-Hellman Group Exchange candidate primes (generated with the -G option) for safety.
-t type
Specifies the type of key to create. The possible values are "rsa1" (SSH-1), "rsa" (SSH-2) and "dsa" (SSH-2).
-U reader
Uploads an existing RSA private key to the smart card in reader.
-v
Verbose mode. ssh-keygen prints detailed debugging information about its progress. This is useful when debugging moduli generation.
Repeating the -v option raises the verbosity (up to three times).
-W generator
Specifies the generator to use when testing DH-GEX candidate moduli.
-y
Reads a private key file in OpenSSH format and prints the corresponding OpenSSH public key to stdout.
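To make the -H, -F and -R options concrete, here is an added Python example (it is not part of the article and not OpenSSH code) that reproduces the hashed known_hosts entry format and uses it to hash, search and prune a constructed known_hosts sample. A hashed host field has the form |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, message=hostname)>|, with a fresh 20-byte salt per line, which is why a hashed file cannot be read back as a list of hosts but still matches a host the client asks about. The host names (example.test, 192.0.2.10) and key blobs in the sample are placeholders; wildcard patterns are left unhashed as ssh-keygen does, and the known_hosts.old backup is not reproduced.

```python
"""What `ssh-keygen -H` writes, `-F` searches and `-R` deletes in a
known_hosts file. Added illustration, not OpenSSH code. The hashed host
field is "|1|<base64 salt>|<base64 mac>|" with
mac = HMAC-SHA1(key=salt, message=hostname) and a random 20-byte salt
per line; a non-standard port is part of the name, as "[host]:port"."""
import base64
import hashlib
import hmac
import os

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def hash_hostname(hostname: str, salt: bytes = None) -> str:
    """Hashed host field for one name (the form -H produces)."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)}|"

def host_field_matches(field: str, hostname: str) -> bool:
    """True if a host field (plain comma-separated names or a hashed
    entry) covers hostname. Wildcard patterns are not evaluated here."""
    if field.startswith("|1|"):
        parts = field.split("|")            # ['', '1', salt, mac, '']
        if len(parts) != 5:
            return False
        salt, mac = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        want = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, mac)
    return hostname in field.split(",")

def _split_entry(line: str):
    """known_hosts line -> (marker, hosts, key). A leading '@' marker such
    as @cert-authority is carried through untouched."""
    marker, rest = "", line
    if line.startswith("@"):
        marker, rest = line.split(None, 1)
    hosts, key = rest.split(None, 1)         # malformed lines raise ValueError
    return marker, hosts, key

def hash_known_hosts(text: str, salt_source=lambda: os.urandom(20)) -> str:
    """-H: rewrite every plain entry as hashed entries, one line per host
    name; comments, already-hashed lines and wildcard names stay as they are."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or _split_entry(line)[1].startswith("|1|"):
            out.append(line)
            continue
        marker, hosts, key = _split_entry(line)
        prefix = marker + " " if marker else ""
        for name in hosts.split(","):
            if any(ch in name for ch in "*?!"):
                out.append(f"{prefix}{name} {key}")   # ssh-keygen warns and skips these
            else:
                out.append(f"{prefix}{hash_hostname(name, salt_source())} {key}")
    return "\n".join(out) + "\n"

def find_hosts(text: str, hostname: str) -> list:
    """-F: (line number, line) for every entry covering hostname."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if host_field_matches(_split_entry(line)[1], hostname):
            hits.append((n, line))
    return hits

def remove_host(text: str, hostname: str) -> str:
    """-R: drop whole entries covering hostname (a plain line that lists
    several names is removed entirely, as ssh-keygen does)."""
    found = {n for n, _ in find_hosts(text, hostname)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in found]
    return "\n".join(kept) + "\n"

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample known_hosts
git.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder=
[bastion.example.test]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder=
"""
```

hash_known_hosts(SAMPLE_KNOWN_HOSTS) turns the two plain entries into three hashed lines (the comma-separated name and address become separate entries), after which find_hosts(hashed, "192.0.2.10") still locates the address and remove_host(hashed, "192.0.2.10") drops only that line. Hashing is a privacy measure for the file, not an access control: anyone who already knows a host name can confirm it is listed, exactly as -F does.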
Moduli generation
ssh-keygen can generate groups for the Diffie-Hellman Group Exchange (DH-GEX) protocol.
Generation proceeds in two steps:
First, candidate primes are generated with a fast, memory-intensive method. These candidates are then tested for suitability, which is CPU-intensive.
Candidate primes are generated with the -G option, and the -b option sets their size in bits. For example:
# ssh-keygen -G moduli-2048.candidates -b 2048
By default the search for primes starts at a random point within the requested size, but the start point can be fixed with the -S option (in hexadecimal).
Once a set of candidates has been generated, the next step is to screen them for suitability with the -T option.
ssh-keygen then reads the candidate primes from stdin (or from a file given with the -f option), for example:
# ssh-keygen -T moduli-2048 -f moduli-2048.candidates
By default each candidate prime goes through 100 primality tests (adjustable with the -a option).
The DH generator is chosen automatically, but it can be forced with the -W option. Valid values are 2, 3 and 5.
Screened DH groups can be installed in /etc/ssh/moduli.
It is important that this file contains moduli of a range of bit lengths, and that both ends of a connection share common moduli.
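The two steps above, as an added Python toy (not part of the article and not OpenSSH code): generate_candidates plays the role of -G with a simple small-prime sieve, screen plays the role of -T with Miller-Rabin and the residue rules ssh-keygen uses to pick a generator of 2, 3 or 5, and check_moduli_file validates an installed moduli file line by line, which is the check an administrator wants before trusting a /etc/ssh/moduli of unknown origin. The line layout follows moduli(5) ("time type tests trials size generator modulus"); the timestamp and the entries in SAMPLE_MODULI are constructed, the "size = bit length minus one" convention is assumed for candidate lines, and the 40-bit size in demo() exists only so the example finishes in seconds.

```python
"""Toy model of the two-step DH-GEX moduli workflow described above (-G sieves
candidates, -T screens them) plus a checker for an installed /etc/ssh/moduli.
Added illustration, not OpenSSH code; lines follow the moduli(5) layout
"time type tests trials size generator modulus". Toy sizes run in seconds."""
import random

TYPE_SOPHIE_GERMAIN, TYPE_SAFE = 4, 2       # candidate q  /  safe prime p = 2q + 1
TESTS_SIEVE, TESTS_MILLER_RABIN = 0x02, 0x04
STAMP = "20240101000000"                    # constructed; ssh-keygen writes the current time
# Distributed moduli files record `size` as bit length minus one (assumed here
# for candidate lines too). The sieve needs q above 2000, i.e. bits >= 24.
SMALL_PRIMES = [n for n in range(3, 2000) if all(n % d for d in range(2, int(n ** 0.5) + 1))]

def is_probable_prime(n: int, trials: int = 100, rng=random) -> bool:
    """Trial division, then Miller-Rabin with `trials` random bases (-a default 100)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(trials):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generator_ok(p: int, g: int) -> bool:
    """Residue tests -T uses for g in {2, 3, 5}; each makes g a primitive root of p."""
    return {2: p % 24 == 11, 3: p % 12 == 5, 5: p % 10 in (3, 7)}.get(g, False)

def generate_candidates(bits: int, count: int, rng) -> list:
    """Step 1 (-G): random odd q with p = 2q + 1 exactly `bits` long, kept only
    if neither has a small factor. Emits type 4 lines with generator 0."""
    lines = []
    while len(lines) < count:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if not any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            lines.append(f"{STAMP} {TYPE_SOPHIE_GERMAIN} {TESTS_SIEVE} 0 {bits - 1} 0 {q:X}")
    return lines

def parse_line(line: str) -> dict:
    t, typ, tests, trials, size, gen, mod = line.split()   # generator, modulus are hex
    return {"time": t, "type": int(typ), "tests": int(tests), "trials": int(trials),
            "size": int(size), "generator": int(gen, 16), "modulus": int(mod, 16)}

def screen(candidates: list, trials: int = 100, rng=random) -> list:
    """Step 2 (-T): keep q where q and p = 2q + 1 pass Miller-Rabin and p admits
    a generator (one named on the line, as -W does, must fit). Emits type 2 lines."""
    out = []
    for c in map(parse_line, candidates):
        p = 2 * c["modulus"] + 1 if c["type"] == TYPE_SOPHIE_GERMAIN else c["modulus"]
        g = c["generator"] or next((g for g in (2, 3, 5) if generator_ok(p, g)), None)
        if g is None or not generator_ok(p, g):
            continue
        if is_probable_prime((p - 1) // 2, trials, rng) and is_probable_prime(p, trials, rng):
            out.append(f"{STAMP} {TYPE_SAFE} {TESTS_SIEVE | TESTS_MILLER_RABIN} "
                       f"{trials} {p.bit_length() - 1} {g:X} {p:X}")
    return out

def check_moduli_file(text: str, trials: int = 100, rng=random):
    """Defender's check of an installed moduli file: each entry must be a screened
    safe prime with consistent size and generator. Returns (good, [(line, problem)])."""
    good, problems = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = parse_line(line)                     # malformed lines raise ValueError
        p = m["modulus"]
        if m["type"] != TYPE_SAFE or not m["tests"] & TESTS_MILLER_RABIN:
            problems.append((n, "not a screened safe prime"))
        elif m["size"] != p.bit_length() - 1:
            problems.append((n, "size field does not match modulus"))
        elif not generator_ok(p, m["generator"]):
            problems.append((n, "generator not valid for this modulus"))
        elif not (is_probable_prime((p - 1) // 2, trials, rng) and is_probable_prime(p, trials, rng)):
            problems.append((n, "modulus is not a safe prime"))
        else:
            good += 1
    return good, problems

def demo(seed: int = 7, bits: int = 40, count: int = 60) -> list:
    rng = random.Random(seed)                    # fixed seed so the run is repeatable
    return screen(generate_candidates(bits, count, rng), 20, rng)

# Constructed toy file: 11 and 23 are safe primes; 17 is prime but (17-1)/2 = 8 is
# not; then an unscreened type 4 candidate and an entry whose size field is wrong.
SAMPLE_MODULI = f"""{STAMP} 2 6 100 3 2 B
{STAMP} 2 6 100 4 5 17
{STAMP} 2 6 100 4 3 11
{STAMP} 4 2 0 4 0 B
{STAMP} 2 6 100 5 5 17
"""
```

check_moduli_file(SAMPLE_MODULI) returns (2, [(3, ...), (4, ...), (5, ...)]): the first two toy entries pass, the third is rejected because its (p-1)/2 is composite, the fourth because it was never screened, and the fifth because its size field disagrees with the modulus. demo() runs both steps on 60 sieved 40-bit candidates and every line it returns passes the same checker. On a real /etc/ssh/moduli the same function takes minutes per 2048-bit line with trials=100, which is the cost -T pays as well.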
Files
~/.ssh/identity
The user's default RSA1 authentication private key (SSH-1). The permissions on this file should be no more permissive than 600.
The key can be encrypted with 3DES under a passphrase given when the key is generated. This file is read at login.
~/.ssh/identity.pub
The user's default RSA1 authentication public key (SSH-1). This file is not secret.
Its contents should be added to ~/.ssh/authorized_keys on every RSA1 target host.
~/.ssh/id_dsa
The user's default DSA authentication private key (SSH-2). The permissions on this file should be no more permissive than 600.
The key can be encrypted with 3DES under a passphrase given when the key is generated. This file is read at login.
~/.ssh/id_dsa.pub
The user's default DSA authentication public key (SSH-2). This file is not secret.
Its contents should be added to ~/.ssh/authorized_keys on every DSA target host.
~/.ssh/id_rsa
The user's default RSA authentication private key (SSH-2). The permissions on this file should be no more permissive than 600.
The key can be encrypted with 3DES under a passphrase given when the key is generated. This file is read at login.
~/.ssh/id_rsa.pub
The user's default RSA authentication public key (SSH-2). This file is not secret.
Its contents should be added to ~/.ssh/authorized_keys on every RSA target host.
/etc/ssh/moduli
Contains the Diffie-Hellman groups used for DH-GEX.

This article draws on other people's articles; if it infringes anything, please contact me.
