好的,使用 来创建 ssh 对很容易ssh-keygen,但是如何ssh-keygen使用允许我使用 AES-256-CBC 的 ssh 对生成?
默认的始终是 AES-128-CBC,我已经尝试了不同的参数,但它们的功能并不像:
ssh-keygen -b 4096 -t rsa -Z aes-256-cbc
但他们没有工作,知道怎么做吗?
小智 7
你不能生成所使用的密钥aes时使用ssh-keygen。由于aes是对称密码,因此其密钥不是成对出现的。通信的两端使用相同的密钥。
ssh-keygen 生成的密钥使用公钥加密进行身份验证。从ssh-keygen手册:
ssh-keygen generates, manages and converts authentication keys for
ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
从ssh手册:
Public key authentication works as follows: The scheme is based on
public-key cryptography, using cryptosystems where encryption and
decryption are done using separate keys, and it is unfeasible to derive
the decryption key from the encryption key. The idea is that each user
creates a public/private key pair for authentication purposes. The
server knows the public key, and only the user knows the private key.
ssh implements public key authentication protocol automatically, using
one of the DSA, ECDSA, Ed25519 or RSA algorithms.
公钥密码学的问题在于它非常慢。对称密钥加密要快得多,用于ssh实际数据传输。用于对称加密的密钥是在建立连接后即时生成的(引自sshd手册):
For protocol 2, forward security is provided through a Diffie-Hellman key
agreement. This key agreement results in a shared session key. The rest
of the session is encrypted using a symmetric cipher, currently 128-bit
AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
client selects the encryption algorithm to use from those offered by the
server. Additionally, session integrity is provided through a
cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
如果您想使用,aes256-cbc您需要使用 -c 选项在命令行上指定它,其最基本的形式如下所示:
$ ssh -c aes256-cbc user@host
您还可以ssh_config使用逗号分隔的列表在 中指定首选密码。然而,不建议修改默认值,因为这最好留给专家。OpenSSH 开发人员在选择默认值时有很多考虑因素和多年的经验。