- Linux Administration Cookbook
- Adam K. Dean
- 438字
- 2021-07-02 14:24:11
The public and private key files
As hinted at previously, what we've done here is create two files, one half of which can be freely passed around (the public half) and one half of which we keep safe somewhere else (the private half).
By default, these files are located in the home directory of your user, in the hidden .ssh folder:
[vagrant@centos1 ~]$ pwd
/home/vagrant
[vagrant@centos1 ~]$ ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .ssh
[vagrant@centos1 ~]$ ls .ssh
authorized_keys id_ed25519 id_ed25519.pub id_rsa id_rsa.pub known_host
The public halves of our keys end in .pub, and the private halves don't have a file extension.
Let's take a look at each of the four files:
[vagrant@centos1 ~]$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9AFF0BD949B955DA3595262BB18E5BF7
n1K6zUfhIynq9dwRMAGlMuTU/7Ht3KgBuelsWy3mxJM+NxprFkhAV2cyEVhnJI+5
xgDkx7+6PcGVv/oQAH3pSICefZSJvHvnFLO+M7HKkcmdz9IYXlQC1gkeZwhS6708
<SNIP>
wTXVajpn0anc3TWDw78sZkLmoP5MEs14gJvyegmyLd8qAGvSmfXYNFgYh49hnX9E
vdAmtTJPqglcw0F1JVCOEevIWA/WoIkkTAgLuKvka5ZepKKnScwnRiAhKTVXCN3W
-----END RSA PRIVATE KEY-----
The private half of our RSA key is a file that's sensitive, and as we made it 4096 bits when we generated it, this file will be very long (hence my snip).
The public half of our RSA key is the file that's placed on remote machines. It is still affected by the bit-length we specified, though it's nowhere near as lengthy as the private half.
[vagrant@centos1 ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwR6+SAohzU9f1SAha634StlJaBGIZ+k5Rb6T6L4VqxHIfRwCV+uciXbkTg8+lxiP8whGYEiDxfPveqW1xf87JYlWTT3ZT3gd3pfxY1+IgRB7j5Ttd2RBCMeMYB9VJWLqib6K9oeHJyGzM39aJqE2AzxKxc+rXeXT16RlFxs7nDZwS9xV7Dai9LB/Jez0pT8pLFVD/QRsGw0uMjMMSjmKqxPrDpHzZ3OUymB5AdyVfts4JTZINSrWdejPR8G93pzH4S8ZYijhgpOnSuoyGhMnwAjwOJyNkkFOT1rKCuzpW33hr2c1pJSBPZTAx2/ZvB1He2/UweBF2VeQpSruQB7tXkQMeXSQBpe+/zMqOLD82vake3M8mqNpFJoVG3afr9RcCXtqn7cF3fDEqj7nNk0Em6/9akO2/tK5KInWhyOjKdV41ntB6IVPGJWOUBmnvf9HVpOMa8rxeb3KpBqnn6z70rjMTKqHmAQ5BeCuVSezTl4xAUP940PbkHSm0mDeWYMi2AgbofKDGBmH/GGUn3QeahhiLTXGzbIHszbXJdJ5dn30oWAPovW/gc0CeeHgUV7IwJ6wxVIz8jYKpjtDtIPYDs+RJMrWo8qPnhHWxA6HVp42eUylh7eazPUzitfZ2SBQHe3ShbBHTh2wHcLcRoVgSMrMJmfQ7Ibad5ZiWepobJw== Example RSA Key
Note that we've also got a comment at the end, Example RSA Key, which we specified at generation time. This will usually be the user and machine hostname of the box it's generated on, when no comment is explicitly passed.
[vagrant@centos1 ~]$ cat .ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABCV2EFqnw
9/2J52LIVBzp50AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIEGnqP8zTx50SwjP
+Fe26RdDx2W3/TQ+0ET8ylxfFB+aAAAAoJUzLk7IAaszO2npeAJIgfYmsqWCcgTM+EfF15
3A1iw4PruO+q8b3BxAjFZGK0tjFTSm3rkKtM9+JYTxOI+CSnEyqPnjnCjPODa7aF/X8GBt
RNkSKBlM7aROwpon0Z8UXH+Js8uyNOsKto+DS+BfVSKvshkQ6bNF/5DlU0fQcnRaYnVdyl
mIJUaPLdl/vKLwF+S4OyU87n8rac0ezjfAOhk=
-----END OPENSSH PRIVATE KEY-----
Then, there is our private (sensitive) Ed25519 key. Note that this file is much shorter than its RSA counterpart, and this is because Ed25519 keys have a fixed length (this also means that the -b flag is ignored at generation time).
[vagrant@centos1 ~]$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGnqP8zTx50SwjP+Fe26RdDx2W3/TQ+0ET8ylxfFB+a Example Ed25519 key
Here, we have our public Ed25519 file, so short that you could conceivably write it onto a bit of paper and hand it to your colleague to copy onto a server (though they really, really won't thank you for it, and will most likely not offer to make you a cup of tea any time soon).
We also have our comment, Example Ed25519 key.