1.2. 生成 SSH 密钥对

流程

1. 生成一个 ECDSA 密钥对：

   $ ssh-keygen -t ecdsa
   Generating public/private ecdsa key pair.
   Enter file in which to save the key (/home/<username>/.ssh/id_ecdsa):
   Enter passphrase (empty for no passphrase): <password>
   Enter same passphrase again: <password>
   Your identification has been saved in /home/<username>/.ssh/id_ecdsa.
   Your public key has been saved in /home/<username>/.ssh/id_ecdsa.pub.
   The key fingerprint is:
   SHA256:Q/x+qms4j7PCQ0qFd09iZEFHA+SqwBKRNaU72oZfaCI <username>@<localhost.example.com>
   The key's randomart image is:
   +---[ECDSA 256]---+
   |.oo..o=++        |
   |.. o .oo .       |
   |. .. o. o        |
   |....o.+...       |
   |o.oo.o +S .      |
   |.=.+.   .o       |
   |E.*+.  .  . .    |
   |.=..+ +..  o     |
   |  .  oo*+o.      |
   +----[SHA256]-----+

   Copy to Clipboard Toggle word wrap

   您还可以使用没有任何参数的 ssh-keygen 命令生成一个 RSA 密钥对，或通过输入 ssh-keygen -t ed25519 命令生成一个 Ed25519 密钥对。请注意，Ed25519 算法不符合 FIPS-140，OpenSSH 在 FIPS 模式下无法使用 Ed25519 密钥。

2. 将公钥复制到远程机器上：

   $ ssh-copy-id <username>@<ssh-server-example.com>
   /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
   <username>@<ssh-server-example.com>'s password:
   …
   Number of key(s) added: 1
   
   Now try logging into the machine, with: "ssh '<username>@<ssh-server-example.com>'" and check to make sure that only the key(s) you wanted were added.

   Copy to Clipboard Toggle word wrap

   将 <username>@<ssh-server-example.com> 替换为您的凭证。

   如果您没有在会话中使用 ssh-agent 程序，上一个命令会复制最新修改的 ~/.ssh/id*.pub 公钥。要指定另一个公钥文件，或在 ssh-agent 内存中缓存的密钥优先选择文件中的密钥，使用带有 -i 选项的 ssh-copy-id 命令。