ssh-keygen summary

Introduction

I have put together the ssh-keygen options I use most often.

Key generation

Without options

You can generate a key with no options at all. In that case the bit length and key type are decided by the OpenSSH version, so I don't particularly recommend it.

[centos@ip-172-31-3-100 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
fb:f2:a0:05:3b:62:cf:cf:42:3a:87:c6:16:53:e4:a1 centos@ip-172-31-3-100
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|      o          |
|     + .         |
|    E o          |
|     .. S        |
|    o .o .       |
|   .o*o +        |
|   .B+o=.o       |
|   o o+oooo      |
+-----------------+
[centos@ip-172-31-3-100 ~]$

Specifying the bit length

-b specifies the bit length. These days 2048 bits or more is recommended.

[centos@ip-172-31-3-100 ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
da:02:a4:c1:7b:2b:d7:f7:19:1c:15:7f:bf:00:79:06 centos@ip-172-31-3-100
The key's randomart image is:
+--[ RSA 4096]----+
|           E.    |
| .          oo   |
|  o .      o.o. .|
|   =       .+  ..|
|  o o   S .  .  .|
|   . + o . .  . .|
|  . o + o o    . |
|   o   o . o     |
|          o      |
+-----------------+
[centos@ip-172-31-3-100 ~]$

Specifying the key type

If you are in an environment that can only use SSH1, specify rsa1*1. Otherwise rsa is fine.

[centos@ip-172-31-3-100 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
68:d2:72:a3:65:33:dd:16:1f:59:82:a2:5c:33:f0:a6 centos@ip-172-31-3-100
The key's randomart image is:
+--[ RSA 2048]----+
|      ..   .. .  |
|       .= .  +   |
|     . oo+. o    |
|     .o= . o .   |
|    o E S o .    |
|     O + .       |
|    .            |
|                 |
|                 |
+-----------------+
[centos@ip-172-31-3-100 ~]$

One-liner

-q disables standard output, -f sets where the key is saved, and -N sets the passphrase.

[centos@ip-172-31-3-100 ~]$ ssh-keygen -q -f /home/centos/.ssh/id_rsa -N hogehoge
[centos@ip-172-31-3-100 ~]$

Management

Changing the passphrase

Change the passphrase of an existing key file. -f specifies the existing private key file; if it is omitted you are prompted for the file path interactively.

[centos@ip-172-31-3-100 ~]$ ssh-keygen -p -f /home/centos/.ssh/id_rsa.
Enter old passphrase:
Key has comment '/home/centos/.ssh/id_rsa.'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[centos@ip-172-31-3-100 ~]$

Regenerating the public key

Regenerate the public key from the private key. If you omit the -f option you are asked for the file path.

[centos@ip-172-31-3-100 ~]$ ssh-keygen -y -f /home/centos/.ssh/id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtzibgUiUJs/MOO/Jl1Xt3ZcEhcHdQWJ8pv4WV1/WYXTMZYS7pEE+PmnegefV3Nf/3wgRePJf7Ac2myheTeFe8hnzw6UT8Hzs8Ijg8XB0YKeUFh2vSKnK1cTTW6ZgA9GA3KEm1EMqakgXCMgQjdCtM2Vn+eTIUvY7WHOyzrOrRmP+l4OWOOc6Y7tagiEdMAymcW5DQl4FU0kk7HQBHTC05naw1Rz7DkcYVdZ74od5lfMlqgfAlTZwqOIPSt5y7paxbRzhjci1CqEyf8JAjvH7AiPudpDTR/eT4hZtmlMuM8XM4kZDMhBu5Y9umzdyuIpVwMOVJecFBXEvO0xMBMdPOQ==
[centos@ip-172-31-3-100 ~]$
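The one-liner (-q/-f/-N), the passphrase change (-p) and the public-key regeneration (-y) from the sections above, chained into a single non-interactive script that also checks that the key recovered with -y matches the saved .pub file. This is an added example, not from the original post; the scratch directory, the comment and the passphrases are constructed, and it assumes an OpenSSH ssh-keygen on PATH (the -P flag supplies the old passphrase so that -p and -y need no prompt).

```shell
#!/bin/sh
# Added example: non-interactive ssh-keygen round trip.
# All paths, passphrases and the comment are constructed for this demo.
set -eu

# Generate an RSA key pair without prompts.
# $1 = private key path, $2 = passphrase ("" means none)
gen_key() {
    ssh-keygen -q -t rsa -b 4096 -f "$1" -N "$2" -C "demo@constructed" </dev/null
}

# Recover the public key from the private key (-y, -P = passphrase) and
# compare type + key material with the .pub written at generation time
# (the comment field is dropped, since newer OpenSSH prints it with -y).
pubkey_matches() {
    derived=$(ssh-keygen -y -P "$2" -f "$1" | cut -d' ' -f1,2)
    saved=$(cut -d' ' -f1,2 < "$1.pub")
    [ "$derived" = "$saved" ]
}

# Change the passphrase without prompts: -P old, -N new.
change_passphrase() {
    ssh-keygen -q -p -P "$2" -N "$3" -f "$1" </dev/null >/dev/null
}

# Print only the fingerprint column of `ssh-keygen -l`
# (SHA256:... on current OpenSSH, colon-separated MD5 hex on old ones).
fingerprint() {
    ssh-keygen -l -f "$1.pub" | awk '{print $2}'
}

# Run the whole flow in a scratch directory: generate, verify -y against
# .pub, rotate the passphrase, verify again, then print the fingerprint.
# Returns non-zero if any step fails.
demo() {
    dir=$(mktemp -d)
    key="$dir/id_rsa"
    gen_key "$key" "first-passphrase"
    pubkey_matches "$key" "first-passphrase"
    change_passphrase "$key" "first-passphrase" "second-passphrase"
    pubkey_matches "$key" "second-passphrase"
    fingerprint "$key"
    rm -rf "$dir"
}
```

Passphrases passed with -N or -P are visible in shell history and to other local users in the process list, so this pattern belongs in automation that reads them from a protected source rather than in an interactive shell.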

Summary

If all you need is to generate a key, TeraTerm or PuTTY alone can do it. If you want to know more, run man ssh-keygen!

*1: SSH1 has vulnerabilities to begin with, so you should use SSH2.