Openssh
-I certificate_identity ssh-keygen 選項是乾什麼用的?
我正在按照本教程驗證 SSH 伺服器,理論上我應該使用創作伺服器提供的私鑰來簽署 SSH 發布密鑰,但我不明白該
-I <key_id>選項的作用以及它應該具有什麼值:ssh-keygen -s server_ca -I host_sshserver -h -n sshserver.example.com /etc/ssh/ssh_host_rsa_key.pub提前致謝。
節選
man ssh-keygen:-I certificate_identity Specify the key identity when signing a public key. Please see the CERTIFICATES section for details. CERTIFICATES ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. Note that OpenSSH certifi‐ cates are a different, and much simpler, format to the X.509 certificates used in ssl(8). ssh-keygen supports two types of certificates: user and host. User certificates authenticate users to servers, whereas host certificates authenticate server hosts to users. To generate a user certificate: $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub The resultant certificate will be placed in /path/to/user_key-cert.pub. A host certificate requires the -h option: $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub The host certificate will be output to /path/to/host_key-cert.pub. It is possible to sign using a CA key stored in a PKCS#11 token by providing the token library using -D and identifying the CA key by providing its pub‐ lic half as an argument to -s: $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication. Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals: $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may disable fea‐ tures of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command. For a list of valid certificate options, see the documentation for the -O option above. Finally, certificates may be defined with a validity lifetime. The -V option allows specification of certificate start and end times. A certificate that is presented at a time outside this range will not be considered valid. By default, certificates are valid from UNIX Epoch to the distant future. For certificates to be used for user or host authentication, the CA public key must be trusted by sshd(8) or ssh(1). Please refer to those manual pages for details.筆記:
在所有情況下,key_id 都是伺服器在證書用於身份驗證時記錄的“密鑰標識符”。
從您的連結中可以看出:
-I:這是用於標識證書的名稱。當證書用於身份驗證時,它用於記錄目的。
使用證書進行身份驗證時,這些證書具有標識特定身份驗證證書的密鑰。這可以給我任何你喜歡的名字,我可以稱之為我
my-new-cert-id的,證書將用它來建構id並用於訪問我的身份驗證證書。請注意,在該連結中,您提供了兩個不同
-I的名稱,因此請選擇您喜歡的名稱。作用
-I: ssh-keygen 支持對密鑰進行簽名以生成可用於使用者或主機身份驗證的證書。當您需要使用證書進行身份驗證時使用。值
-I: : 任何你喜歡的名字