OpenSSH key management

Applies to: Windows Server 2019, Windows 10, Windows Server 2022


Generate a user key pair

C:\Users\Jerry>ssh-keygen -t ed25519 -C "HomeDesktop-1364812552@qq.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/c/Users/Jerry/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /c/Users/Jerry/.ssh/id_ed25519
Your public key has been saved in /c/Users/Jerry/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:ve0ofnyCUupl8D2z1X8PInF8qN9xjzxnI7AZTQa1DoI HomeDesktop-1364812552@qq.com
The key's randomart image is:
+--[ED25519 256]--+
|            ..   |
|        .  .  .  |
|       E . ...   |
|         ...o+   |
|      . S o B..  |
|       o.. O +   |
|       o+oB O + .|
|      ooo +%.=.B=|
|     ..o.oooo =+B|
+----[SHA256]-----+

Remember that the private key file is the equivalent of a password and should be protected the same way you protect a password. To do this, use ssh-agent to store the private key securely in the Windows security context associated with your Windows login. To do that, start the ssh-agent service as an Administrator and use ssh-add to store the private key.

# By default the ssh-agent service is disabled. Allow it to be manually started for the next step to work.
# Make sure you're running as an Administrator.
Get-Service ssh-agent | Set-Service -StartupType Manual
# Or, if you want the agent to start with Windows instead of on demand:
# Get-Service ssh-agent | Set-Service -StartupType Automatic

# Start the service
Start-Service ssh-agent

# This should return a status of Running
Get-Service ssh-agent

# Now load your key files into ssh-agent
ssh-add ~\.ssh\id_ed25519

Once these steps are complete, whenever a private key is needed for authentication from this client, ssh-agent automatically retrieves the local private key and passes it to your SSH client.

Warning: It is strongly recommended that you back up your private key to a secure location, add it to ssh-agent, and then delete it from the local system. If a strong algorithm is used (such as Ed25519 in this example), the private key cannot be retrieved from the agent. If you lose access to the private key, you will have to create a new key pair and update the public key on every system you interact with.
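The warning above describes a three-step sequence (back up, load into the agent, delete from disk) with no check between the steps. The following PowerShell is an added example, not code from the original page or from Microsoft's documentation: it performs the sequence in that order and refuses to delete the on-disk private key until ssh-add -l reports the same fingerprint that ssh-keygen -lf computes from the matching .pub file. It assumes the OpenSSH for Windows tools (ssh-add, ssh-keygen) are on PATH and that the ssh-agent service is already running; the backup directory is a hypothetical value you supply.

```powershell
# Added example: load a private key into the Windows ssh-agent, confirm the agent holds it,
# and only then remove the private key file as the warning recommends.
# Assumes ssh-add / ssh-keygen from OpenSSH for Windows are on PATH and ssh-agent is running.

function Get-PublicKeyFingerprint {
    param([Parameter(Mandatory)][string]$PublicKeyPath)
    # ssh-keygen -lf prints "<bits> SHA256:<hash> <comment> (<type>)"; the fingerprint is field 2
    $line = & ssh-keygen -lf $PublicKeyPath
    if ($LASTEXITCODE -ne 0) { throw "ssh-keygen could not read $PublicKeyPath" }
    return ($line -split '\s+')[1]
}

function Test-KeyLoadedInAgent {
    param([Parameter(Mandatory)][string]$Fingerprint)
    # ssh-add -l lists one line per key the agent currently holds; exit code 1 = no keys, 2 = no agent
    $loaded = & ssh-add -l 2>$null
    if ($LASTEXITCODE -ne 0) { return $false }
    return [bool]($loaded | Where-Object { $_ -match [regex]::Escape($Fingerprint) })
}

function Add-KeyAndRemoveFromDisk {
    param(
        [Parameter(Mandatory)][string]$BackupDir,   # hypothetical: removable drive or encrypted share
        [string]$PrivateKeyPath = "$env:USERPROFILE\.ssh\id_ed25519"
    )
    $publicKeyPath = "$PrivateKeyPath.pub"
    if (-not (Test-Path $PrivateKeyPath)) { throw "Private key $PrivateKeyPath not found" }
    if (-not (Test-Path $publicKeyPath))  { throw "Public key $publicKeyPath not found" }

    $svc = Get-Service ssh-agent
    if ($svc.Status -ne 'Running') { throw "ssh-agent service is $($svc.Status); start it first" }

    # Step 1: back up first. Once the file is gone, the agent cannot export the key.
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    Copy-Item -Path $PrivateKeyPath -Destination $BackupDir -Force

    # Step 2: load the key into the agent
    & ssh-add $PrivateKeyPath
    if ($LASTEXITCODE -ne 0) { throw "ssh-add failed for $PrivateKeyPath" }

    # Step 3: verify the agent really holds it before deleting anything
    $fp = Get-PublicKeyFingerprint -PublicKeyPath $publicKeyPath
    if (-not (Test-KeyLoadedInAgent -Fingerprint $fp)) {
        throw "Agent does not report fingerprint $fp; leaving the private key on disk"
    }

    # Only the private key is removed; the .pub file stays so it can be deployed to servers
    Remove-Item -Path $PrivateKeyPath -Force
    Write-Host "Key $fp is held by ssh-agent; private key removed from $PrivateKeyPath"
}

# Usage (ssh-agent service already running):
# Add-KeyAndRemoveFromDisk -BackupDir 'E:\keybackup'
```

The fingerprint comparison is the important part: ssh-add exiting 0 tells you the agent accepted something, while matching the SHA256 fingerprint against the .pub file tells you it is the key you are about to delete.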

Deploy the public key

To use the user key created above, the contents of the public key (~\.ssh\id_ed25519.pub) need to be placed on the server in a text file whose name and location depend on whether the user account is a member of the local Administrators group or a standard user account.

ssh-copy-id command

jerry@jerry:~$ ssh-copy-id -i .ssh/id_rsa.pub dbtu@192.168.1.159
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
dbtu@192.168.1.159's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'dbtu@192.168.1.159'"
and check to make sure that only the key(s) you wanted were added.
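The paragraph above says the target file depends on whether the account is a local administrator, and the ssh-copy-id session shows the Linux-side tool that skips keys already installed. The PowerShell below is an added example, not code from the original page or from Microsoft's documentation, and it covers both points from the server side: run in an elevated PowerShell on the Windows OpenSSH server, it decides between %USERPROFILE%\.ssh\authorized_keys (standard user) and %ProgramData%\ssh\administrators_authorized_keys (member of Administrators), skips a key that is already present, and applies the restrictive ACL that sshd requires on the administrators file. The profile root defaulting to C:\Users, the user name dbtu and the key text are assumptions for the usage line.

```powershell
# Added example: install one OpenSSH public-key line into the file sshd on Windows will read.
# Run in an elevated PowerShell on the server. Assumes the OpenSSH Server feature is installed.

function Test-IsLocalAdministrator {
    param([Parameter(Mandatory)][string]$UserName)
    # S-1-5-32-544 is the well-known SID of the local Administrators group (works on any locale)
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq $UserName -or $_.Name -like "*\$UserName" })
}

function Install-AuthorizedKey {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$PublicKey,              # one line, e.g. "ssh-ed25519 AAAA... comment"
        [string]$ProfileRoot = "$env:SystemDrive\Users"        # assumption: default profile location
    )
    $key = $PublicKey.Trim()
    # Accept only a single OpenSSH public-key line; anything else would corrupt the file
    if ($key -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( [^\r\n]*)?$') {
        throw "Not a valid OpenSSH public key line"
    }

    $isAdmin = Test-IsLocalAdministrator -UserName $UserName
    $path = if ($isAdmin) {
        Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    } else {
        Join-Path $ProfileRoot "$UserName\.ssh\authorized_keys"
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $path) | Out-Null

    # Same behaviour as ssh-copy-id: do not add a key that is already installed
    $existing = if (Test-Path $path) { @(Get-Content $path) } else { @() }
    if ($existing -contains $key) {
        Write-Host "Key already present in $path"
    } else {
        Add-Content -Path $path -Value $key -Encoding ascii
        Write-Host "Key added to $path"
    }

    if ($isAdmin) {
        # sshd refuses administrators_authorized_keys unless only Administrators and SYSTEM can access it
        & icacls.exe $path /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
    }
    return $path
}

# Usage (constructed values; the .pub file is the one generated on the client):
# Install-AuthorizedKey -UserName 'dbtu' -PublicKey (Get-Content 'C:\temp\id_ed25519.pub')
```

After installing, test from the client with the same command ssh-copy-id suggests (ssh 'dbtu@<server>') and confirm that only the intended key authenticates; a wrong ACL on administrators_authorized_keys shows up as a password prompt rather than an error, so checking the login is the real verification step.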

References

OpenSSH key management