19. Creating the CA (certificate authority) key pair
Copyright (c) 2014 GMO Internet, Inc. All Rights Reserved.
Step (1)
[hiro@MBP]# ssh-keygen -f ca.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca.key.
Your public key has been saved in ca.key.pub.
The key fingerprint is:
d8:c3:3e:0b:0e:e3:1d:de:f5:76:18:6a:76:2e:7d:80 hiro@
The key's randomart image is:
(omitted)
[hiro@MBP]# ls -l
total 16
-rw------- 1 hiro staff 1675 10 22 11:26 ca.key
-rw-r--r-- 1 hiro staff 416 10 22 11:26 ca.key.pub
20. Step (2): Create the user key pair
[hiro@MBP]# ssh-keygen -f user.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in user.key.
Your public key has been saved in user.key.pub.
The key fingerprint is:
f6:fa:6d:a7:3c:10:f7:56:05:4d:d6:f8:d0:b8:19:e9 hiro@
The key's randomart image is:
(omitted)
[hiro@MBP]# ls -l
total 32
-rw------- 1 hiro staff 1675 10 22 11:26 ca.key
-rw-r--r-- 1 hiro staff 416 10 22 11:26 ca.key.pub
-rw------- 1 hiro staff 1675 10 22 11:35 user.key
-rw-r--r-- 1 hiro staff 416 10 22 11:35 user.key.pub
21. Step (3): Sign the user's public key with the CA key
[hiro@MBP]# ssh-keygen -s ca.key -I user_root -n root user.key.pub
Signed user key user.key-cert.pub: id "user_root" serial 0 for root valid from 2014-10-22T11:58:00 to 2014-10-23T11:59:53
[hiro@MBP]# ls -l
total 40
-rw------- 1 hiro staff 1675 10 22 11:26 ca.key
-rw-r--r-- 1 hiro staff 416 10 22 11:26 ca.key.pub
-rw------- 1 hiro staff 1675 10 22 11:35 user.key
-rw-r--r-- 1 hiro staff 1518 10 22 12:01 user.key-cert.pub
-rw-r--r-- 1 hiro staff 416 10 22 11:35 user.key.pub
• -s: the private key used to sign (the CA key).
• -I: the key identity to embed in the signed certificate; this name is what appears in the server's log records.
• -n: the principals, i.e. the list of UNIX user names this certificate may log in as.
22. Step (4): Try logging in
[hiro@MBP]# ssh -v -i ~/.ssh/user.key root@example.com
You should see output like the following:
debug1: Offering RSA-CERT public key: user.key
debug1: Server accepts key: pkalg ssh-rsa-cert-v01@openssh.com blen 1094
debug1: ssh_rsa_verify: signature correct
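Steps (1) to (3) above, as an added example script that is not part of the original slides: it regenerates a CA key, a user key and a signed certificate in a temporary directory, adds an explicit short validity interval, and then inspects the certificate with `ssh-keygen -L` so the key ID, principals and signing CA can be checked before the certificate is handed out. Assumes an OpenSSH `ssh-keygen` with certificate support and ed25519 keys (OpenSSH 6.5 or later); the key names mirror the slides and `hiro` is a second, constructed principal.

```shell
#!/bin/sh
# Added example (not from the original slides). Reproduces steps (1)-(3) with a
# bounded validity window and verifies the resulting certificate's fields.
set -eu

make_and_check_cert() {
    workdir=$(mktemp -d)
    cd "$workdir"

    # (1) CA key pair. The empty passphrase (-N "") is only for this demo: a real
    #     CA private key should be passphrase-protected or kept in an agent/HSM.
    ssh-keygen -q -t ed25519 -N "" -C "demo-ca" -f ca.key
    # (2) user key pair
    ssh-keygen -q -t ed25519 -N "" -C "demo-user" -f user.key
    # (3) sign: -I key ID (recorded in sshd logs), -n principals (UNIX users the
    #     cert may log in as), -V limits validity to one hour from now instead of
    #     relying on the default window.
    ssh-keygen -q -s ca.key -I user_root -n root,hiro -V +1h user.key.pub

    # Inspect the certificate and check the fields the server will enforce.
    info=$(ssh-keygen -L -f user.key-cert.pub)
    printf '%s\n' "$info"
    # Fingerprint of the CA public key, to confirm which CA actually signed it.
    ca_fp=$(ssh-keygen -l -f ca.key.pub | awk '{print $2}')

    printf '%s\n' "$info" | grep -q 'Key ID: "user_root"'            || return 1
    printf '%s\n' "$info" | grep -qE '^[[:space:]]+root$'             || return 1
    printf '%s\n' "$info" | grep -qE '^[[:space:]]+hiro$'             || return 1
    printf '%s\n' "$info" | grep -q "Signing CA: .*$ca_fp"            || return 1
    printf '%s\n' "$info" | grep -q 'Type: .* user certificate'       || return 1

    cd / && rm -rf "$workdir"
    echo "certificate checks passed"
}
```

Run `make_and_check_cert` after sourcing the script; it exits non-zero if any expected field is missing, which is the check to run before distributing a certificate or after changing a signing script.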
24. CentOS 6 uses different options
• This concerns the ssh-keygen command from OpenSSH-5.3p1, which ships with CentOS 6.5.
• There, the important -n option that sets the principals is assigned to a different function (Extract public key from smartcard).