我正在关注这个教程要验证 SSH 服务器,理论上我应该使用创作服务器提供的私钥来签署 SSH 公钥,但我不明白该-I <key_id>选项的作用以及它应该具有什么值:
ssh-keygen -s server_ca -I host_sshserver -h -n sshserver.example.com /etc/ssh/ssh_host_rsa_key.pub
提前致谢。
答案1
摘录自man ssh-keygen:
-I certificate_identity
Specify the key identity when signing a public key. Please see the CERTIFICATES section for details.
CERTIFICATES
ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some
identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key. Clients or
servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. Note that OpenSSH certifi‐
cates are a different, and much simpler, format to the X.509 certificates used in ssl(8).
ssh-keygen supports two types of certificates: user and host. User certificates authenticate users to servers, whereas host certificates authenticate
server hosts to users. To generate a user certificate:
$ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
The resultant certificate will be placed in /path/to/user_key-cert.pub. A host certificate requires the -h option:
$ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
The host certificate will be output to /path/to/host_key-cert.pub.
It is possible to sign using a CA key stored in a PKCS#11 token by providing the token library using -D and identifying the CA key by providing its pub‐
lic half as an argument to -s:
$ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication.
Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts.
To generate a certificate for a specified set of principals:
$ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may disable fea‐
tures of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command. For a list of
valid certificate options, see the documentation for the -O option above.
Finally, certificates may be defined with a validity lifetime. The -V option allows specification of certificate start and end times. A certificate
that is presented at a time outside this range will not be considered valid. By default, certificates are valid from UNIX Epoch to the distant future.
For certificates to be used for user or host authentication, the CA public key must be trusted by sshd(8) or ssh(1). Please refer to those manual pages
for details.
笔记:
在所有情况下,key_id 都是当证书用于身份验证时由服务器记录的“密钥标识符”。
从您的链接中可以看出:
-I:这是用于标识证书的名称。当证书用于身份验证时,它用于记录目的。
当使用证书进行身份验证时,这些证书具有用于识别特定身份验证证书的密钥。这是您喜欢的任何名称,我可以称之为我的my-new-cert-id,证书将用该名称构建id并用于访问我的身份验证证书。
请注意,在该链接中您提供了两个不同的-I名称,因此请选择您喜欢的名称。
的角色-I:ssh-keygen 支持密钥签名以生成可用于用户或主机身份验证的证书。当您需要使用证书进行身份验证时使用。
的价值-I:: 任何你喜欢的名字