“UbuntuHelp:GPGsigningforSSHHowTo”的版本间的差异
来自Ubuntu中文
小 |
小 |
||
| (未显示同一用户的5个中间版本) | |||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/GPGsigningforSSHHowTo}} | {{From|https://help.ubuntu.com/community/GPGsigningforSSHHowTo}} | ||
{{Languages|UbuntuHelp:GPGsigningforSSHHowTo}} | {{Languages|UbuntuHelp:GPGsigningforSSHHowTo}} | ||
| − | === | + | <<Include(Tag/ContentCleanup)>> |
| − | + | === Using GPG To Sign SSH Keys === | |
| − | Often to access a remote server by SSH the administrator of the server will ask for your public | + | Often to access a remote server by SSH the administrator of the server will ask for your public ssh_rsa key so that he knows it is really your computer that is trying to access his server. The administrator may ask you to first sign the ssh_rsa key using GPG so that he knows the ssh_rsa key comes from you and has not been intercepted. This guide will show you how to generate your SSH and GPG keys and then how to use them to perform a secure transaction between two parties. |
| − | he knows it is really your computer that is trying to access his server | + | === Ubuntu Releases === |
| − | he knows the | + | This guide should work on any Gnu/Linux operating system. This guide assumes you have already installed <code><nowiki>openssh-client</nowiki></code> and <code><nowiki>gnupg</nowiki></code>. |
| − | + | === Generate The SSH RSA Keys === | |
| − | This guide will show you how to generate your | + | Run all commands as a regular user. |
| − | how to use them to perform a secure transaction between two | + | |
| − | This guide should work on any Gnu/Linux operating system. | + | |
| − | This guide assumes you have already installed <code><nowiki> | + | |
| − | + | ||
| − | === Generate | + | |
| − | + | ||
| − | + | ||
<pre><nowiki> | <pre><nowiki> | ||
| − | # ssh-keygen | + | # ssh-keygen -t rsa |
</nowiki></pre> | </nowiki></pre> | ||
| − | This will create your public and private | + | This will create your public and private SSH-RSA keys. The public key that the administraitor needs should be located here: ~/.ssh/id_rsa.pub. |
| − | + | === Generate The GPG Keys === | |
| − | + | This is the output from generating a new key. | |
| − | === Generate | + | |
| − | + | ||
| − | + | ||
<pre><nowiki> | <pre><nowiki> | ||
| − | # gpg --gen-key | + | # gpg --cert-digest-algo SHA256 --default-preference-list "h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" --gen-key |
| − | gpg (GnuPG) 1. | + | gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc. |
This program comes with ABSOLUTELY NO WARRANTY. | This program comes with ABSOLUTELY NO WARRANTY. | ||
This is free software, and you are welcome to redistribute it | This is free software, and you are welcome to redistribute it | ||
under certain conditions. See the file COPYING for details. | under certain conditions. See the file COPYING for details. | ||
| − | |||
Please select what kind of key you want: | Please select what kind of key you want: | ||
| − | + | (1) DSA and Elgamal (default) | |
| − | + | (2) DSA (sign only) | |
| − | (2) DSA (sign only) | + | (5) RSA (sign only) |
| − | ( | + | Your selection? 5 |
| − | Your selection? | + | RSA keys may be between 1024 and 4096 bits long. |
| − | + | What keysize do you want? (2048) | |
| − | + | Requested keysize is 2048 bits | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | What keysize do you want? ( | + | |
| − | + | ||
| − | + | ||
Please specify how long the key should be valid. | Please specify how long the key should be valid. | ||
| − | 0 = key does not expire | + | 0 = key does not expire |
| − | <n> = key expires in n days | + | <n> = key expires in n days |
| − | <n>w = key expires in n weeks | + | <n>w = key expires in n weeks |
| − | <n>m = key expires in n months | + | <n>m = key expires in n months |
| − | <n>y = key expires in n years | + | <n>y = key expires in n years |
| − | + | Key is valid for? (0) | |
| − | + | ||
Key does not expire at all | Key does not expire at all | ||
Is this correct (y/n)? y | Is this correct (y/n)? y | ||
| − | You need a | + | You need a user ID to identify your key; the software constructs the user ID |
| − | from Real Name, Comment and Email Address in this form: | + | from the Real Name, Comment and Email Address in this form: |
| − | "Heinrich Heine (Der Dichter) <[email protected]>" | + | "Heinrich Heine (Der Dichter) <[email protected]>" |
Real name: mr bo jangles | Real name: mr bo jangles | ||
| 第65行: | 第47行: | ||
Comment: comment | Comment: comment | ||
You selected this USER-ID: | You selected this USER-ID: | ||
| − | "mr bo jangles (comment) <[email protected]>" | + | "mr bo jangles (comment) <[email protected]>" |
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O | Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O | ||
| 第85行: | 第67行: | ||
key marked as ultimately trusted. | key marked as ultimately trusted. | ||
| − | + | pub 2048R/5F6D1662 2009-05-10 mr bo jangles (comment) <[email protected]> | |
| − | Key fingerprint = D1BC 6822 0ACB 0025 8902 6DE7 87EA 4324 5F6D 1662 | + | Key fingerprint = D1BC 6822 0ACB 0025 8902 6DE7 87EA 4324 5F6D 1662 |
| − | + | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | Your public and private GPG keys should now be located in your ~/.gnupg directory. | |
| − | Your | + | Put your private key on a cd-rom or a floppy disc or somewhere very safe. Do not lose it or you will be unable to sign any documents. Never give it to anyone under any circumstances. If you have given anyone your private key then you must revoke the key immediately and generate a new set. |
| − | + | ||
| − | Put your | + | |
| − | to sign any documents. Never | + | |
| − | + | ||
=== Exchange Public Keys === | === Exchange Public Keys === | ||
| − | + | It is good practice to put your public GPG key on a public key server where others can access it easily. [http://biglumber.com Biglumber.com] is a public key server. In order to put your public key on Biglumber you will first need to go though a verification process. | |
| − | It is good practice to put your | + | Go to [http://biglumber.com Biglumber.com] and put your public key on their server. |
| − | + | While you are at Biglumber you will need to find the public key of the administrator to whom you are planning to send your digitally signed and encrypted message. Once you have done that, you must then import the pubic key of that administrators into your keyring. | |
| − | Go to [http://biglumber.com | + | |
| − | + | ||
| − | While you are at | + | |
| − | + | ||
<pre><nowiki> | <pre><nowiki> | ||
# gpg --import Administrator.pub | # gpg --import Administrator.pub | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | + | Now get the Administrator's key ID, and your key ID as well: | |
| − | Now get the | + | |
<pre><nowiki> | <pre><nowiki> | ||
# gpg --list-keys | # gpg --list-keys | ||
pub 1024D/ABCABCAB 2005-03-26 Administrator_Email <[email protected]> | pub 1024D/ABCABCAB 2005-03-26 Administrator_Email <[email protected]> | ||
| − | + | pub 2048R/XYZXYZXY 2009-05-10 Your_Email_Address <[email protected]> | |
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Aministrator ID: ABCABCAB | Aministrator ID: ABCABCAB | ||
| − | |||
Your ID: XYZXYZXY | Your ID: XYZXYZXY | ||
| − | |||
=== Make a Secure Transaction === | === Make a Secure Transaction === | ||
| − | + | GPG will use your secret key (~/.gnupg/secring.gpg) to sign and encrypt your public ssh key (~/.ssh/id_rsa.pub). | |
| − | GPG will use your secret key (~/.gnupg/secring.gpg) to sign and | + | Only the administrator will be able to decrypt the file because you are also using his public key to encrypt it. |
| − | encrypt your public ssh key (~/.ssh/ | + | In turn, he will only be able to decrypt it if he has your public key on his key ring. |
| − | + | ||
| − | Only the | + | |
| − | + | ||
| − | In turn, he will only be able to decrypt it if he has | + | |
| − | + | ||
Sign the key: | Sign the key: | ||
<pre><nowiki> | <pre><nowiki> | ||
| − | # gpg -u XYZXYZXY -r ABCABCAB --armor --sign --encrypt ~/.ssh/ | + | # gpg -u XYZXYZXY -r ABCABCAB --armor --sign --encrypt ~/.ssh/id_rsa.pub |
</nowiki></pre> | </nowiki></pre> | ||
| − | + | Send the result (id_rsa.pub.gpg) to the administrator along with a link to where you keep your public key on [http://biglumber.com Biglumber]. He will verify the your information and then allow you to access his system by SSH. | |
| − | Send the result ( | + | In an ideal world you are only supposed to exchange public keys directly and in person. This way you know 100% that the public key truly belongs to the correct person. |
| − | where you keep your public key on [http://biglumber.com Biglumber]. He will verify the your information and then allow you to access his system by | + | |
| − | + | ||
| − | + | ||
| − | person | + | |
| − | correct person. | + | |
---- | ---- | ||
| − | |||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2009年11月17日 (二) 19:16的最新版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
<<Include(Tag/ContentCleanup)>>
目录
Using GPG To Sign SSH Keys
Often to access a remote server by SSH the administrator of the server will ask for your public ssh_rsa key so that he knows it is really your computer that is trying to access his server. The administrator may ask you to first sign the ssh_rsa key using GPG so that he knows the ssh_rsa key comes from you and has not been intercepted. This guide will show you how to generate your SSH and GPG keys and then how to use them to perform a secure transaction between two parties.
Ubuntu Releases
This guide should work on any Gnu/Linux operating system. This guide assumes you have already installed openssh-client and gnupg.
Generate The SSH RSA Keys
Run all commands as a regular user.
# ssh-keygen -t rsa
This will create your public and private SSH-RSA keys. The public key that the administraitor needs should be located here: ~/.ssh/id_rsa.pub.
Generate The GPG Keys
This is the output from generating a new key.
# gpg --cert-digest-algo SHA256 --default-preference-list "h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" --gen-key
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"
Real name: mr bo jangles
Email address: [email protected]
Comment: comment
You selected this USER-ID:
"mr bo jangles (comment) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
#-> passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++++++++++++.+++++++++++++++.+++++.++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++.++++++++++..+++++++++++++
public and secret key created and signed.
key marked as ultimately trusted.
pub 2048R/5F6D1662 2009-05-10 mr bo jangles (comment) <[email protected]>
Key fingerprint = D1BC 6822 0ACB 0025 8902 6DE7 87EA 4324 5F6D 1662
Your public and private GPG keys should now be located in your ~/.gnupg directory. Put your private key on a cd-rom or a floppy disc or somewhere very safe. Do not lose it or you will be unable to sign any documents. Never give it to anyone under any circumstances. If you have given anyone your private key then you must revoke the key immediately and generate a new set.
Exchange Public Keys
It is good practice to put your public GPG key on a public key server where others can access it easily. Biglumber.com is a public key server. In order to put your public key on Biglumber you will first need to go though a verification process. Go to Biglumber.com and put your public key on their server. While you are at Biglumber you will need to find the public key of the administrator to whom you are planning to send your digitally signed and encrypted message. Once you have done that, you must then import the pubic key of that administrators into your keyring.
# gpg --import Administrator.pub
Now get the Administrator's key ID, and your key ID as well:
# gpg --list-keys pub 1024D/ABCABCAB 2005-03-26 Administrator_Email <[email protected]> pub 2048R/XYZXYZXY 2009-05-10 Your_Email_Address <[email protected]>
Aministrator ID: ABCABCAB Your ID: XYZXYZXY
Make a Secure Transaction
GPG will use your secret key (~/.gnupg/secring.gpg) to sign and encrypt your public ssh key (~/.ssh/id_rsa.pub). Only the administrator will be able to decrypt the file because you are also using his public key to encrypt it. In turn, he will only be able to decrypt it if he has your public key on his key ring. Sign the key:
# gpg -u XYZXYZXY -r ABCABCAB --armor --sign --encrypt ~/.ssh/id_rsa.pub
Send the result (id_rsa.pub.gpg) to the administrator along with a link to where you keep your public key on Biglumber. He will verify the your information and then allow you to access his system by SSH. In an ideal world you are only supposed to exchange public keys directly and in person. This way you know 100% that the public key truly belongs to the correct person.
