Generating a public key on a Mac
- Motivation
- Whether the server is in the cloud or on-premises, the bare minimum required when accessing it over a network is authentication with a public/private key pair.
- Source-IP restrictions are also common, but they are usually used in combination with key authentication. (If you have a server open to anyone on the internet with password-only authentication, reconsider that configuration right now.)
Prerequisites
- MacBook Pro
- Terminal
0. Steps
- Create the .ssh directory
- Create the public/private key pair
1. Create the .ssh directory
Skip this step if the .ssh directory already exists.
1-1. Change directory
# Move to the user's home directory
$ cd ~/
# Confirm that you got there
$ pwd
/Users/[Username]
# Check whether a .ssh directory exists
$ ls -la
total 32
drwxr-xr-x+ 16 [Username] staff 512 5 1 22:59 .
drwxr-xr-x 5 root admin 160 4 7 04:45 ..
-r-------- 1 [Username] staff 7 5 1 20:52 .CFUserTextEncoding
-rw-r--r--@ 1 [Username] staff 8196 5 1 20:43 .DS_Store
drwx------ 2 [Username] staff 64 5 1 22:59 .Trash
-rw------- 1 [Username] staff 0 5 1 21:33 .bash_history
drwx------ 4 [Username] staff 128 5 1 22:59 .bash_sessions
drwx------@ 3 [Username] staff 96 5 1 20:36 Applications
drwx------@ 4 [Username] staff 128 5 1 23:00 Desktop
drwx------@ 3 [Username] staff 96 5 1 19:52 Documents
drwx------+ 4 [Username] staff 128 5 1 21:02 Downloads
drwx------@ 64 [Username] staff 2048 5 1 22:58 Library
drwx------+ 3 [Username] staff 96 5 1 19:47 Movies
drwx------+ 3 [Username] staff 96 5 1 19:47 Music
drwx------+ 3 [Username] staff 96 5 1 19:47 Pictures
drwxr-xr-x+ 4 [Username] staff 128 5 1 19:47 Public
It's not there!! So let's create it!!
1-2. Create the directory
# Create it
$ mkdir .ssh
# Check that it was created
$ ls -al
total 32
drwxr-xr-x+ 17 [Username] staff 544 5 1 23:36 .
drwxr-xr-x 5 root admin 160 4 7 04:45 ..
-r-------- 1 [Username] staff 7 5 1 20:52 .CFUserTextEncoding
-rw-r--r--@ 1 [Username] staff 8196 5 1 23:33 .DS_Store
drwx------ 4 [Username] staff 128 5 1 23:33 .Trash
-rw------- 1 [Username] staff 0 5 1 21:33 .bash_history
drwx------ 4 [Username] staff 128 5 1 22:59 .bash_sessions
drwxr-xr-x 2 [Username] staff 64 5 1 23:36 .ssh
drwx------@ 3 [Username] staff 96 5 1 20:36 Applications
drwx------@ 4 [Username] staff 128 5 1 23:00 Desktop
drwx------@ 3 [Username] staff 96 5 1 19:52 Documents
drwx------+ 4 [Username] staff 128 5 1 23:33 Downloads
drwx------@ 64 [Username] staff 2048 5 1 22:58 Library
drwx------+ 3 [Username] staff 96 5 1 19:47 Movies
drwx------+ 3 [Username] staff 96 5 1 19:47 Music
drwx------+ 3 [Username] staff 96 5 1 19:47 Pictures
drwxr-xr-x+ 4 [Username] staff 128 5 1 19:47 Public
2. Create the public/private key pair
2-1. Change directory
# Change into the directory
$ cd ~/.ssh
# Confirm where you are
$ pwd
/Users/[Username]/.ssh
2-2. Create the key
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/[Username]/.ssh/id_rsa): <-- Enter
Enter passphrase (empty for no passphrase): <-- Enter
Enter same passphrase again: <-- Enter
Your identification has been saved in /Users/[Username]/.ssh/id_rsa.
Your public key has been saved in /Users/[Username]/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:******************************************
The key's randomart image is:
+---[RSA 4096]----+
|Eoo.=++...o.o |
|o*.o =o= + o |
|+++ = Boo o |
|oo.. =.+ . |
|.o = S . |
|+ o B . |
|.. . * . |
|. o . |
| |
+----[SHA256]-----+
2-3. Done
$ ls -la
total 16
drwxr-xr-x 4 [Username] staff 128 5 1 23:53 .
drwxr-xr-x+ 17 [Username] staff 544 5 1 23:36 ..
-rw------- 1 [Username] staff 3414 5 1 23:53 id_rsa
-rw-r--r-- 1 [Username] staff 761 5 1 23:53 id_rsa.pub
id_rsa : private key
id_rsa.pub : public key
Never leak id_rsa (the private key); in other words, what you share is always id_rsa.pub.
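As an added example (not code from the original post), here are the two steps above as a single repeatable script, with the checks a practitioner would want around them: the directory is created with owner-only permissions, the key is only generated when none exists, the private key's mode is verified before use, and the .pub file is checked against the private key with ssh-keygen -y (one of the options in the usage listing). The script name setup_ssh_keys.sh and the SSH_DIR variable are assumptions of this example; the key type defaults to rsa 4096 as in the walkthrough, and ed25519 is also accepted.

```shell
#!/bin/sh
# Added example, not part of the original post: the same steps as the
# walkthrough (create ~/.ssh, run ssh-keygen), made repeatable and with the
# permission checks that the listings in the post only show implicitly.
# SSH_DIR is an assumed environment variable; it defaults to ~/.ssh.

# Step 1: create the directory if missing and restrict it to the owner (700).
# The walkthrough's mkdir left it at 755; 700 keeps other local users from
# even listing which keys exist.
setup_ssh_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Octal permission bits of a path. GNU stat (-c) is tried first because on
# GNU systems "-f" means --file-system; macOS/BSD stat falls through to -f.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Step 2: generate a key pair non-interactively if one is not already there.
# -N "" reproduces the empty passphrase chosen in the walkthrough; an empty
# passphrase means the file alone is enough to log in, so for a key that
# leaves the lab, run ssh-keygen interactively and set one.
# Key type defaults to rsa (4096 bits, as in the post); ed25519 is also
# accepted, as listed under -t in the usage output.
generate_key() {
    keyfile="$1"
    keytype="${2:-rsa}"
    if [ -f "$keyfile" ]; then
        echo "key already exists, not overwriting: $keyfile" >&2
        return 0
    fi
    if [ "$keytype" = rsa ]; then
        ssh-keygen -q -t rsa -b 4096 -N "" -f "$keyfile"
    else
        ssh-keygen -q -t "$keytype" -N "" -f "$keyfile"
    fi
}

# Step 3: the ssh client ignores a private key that is group- or
# world-readable ("UNPROTECTED PRIVATE KEY FILE"), so require owner-only
# permissions (600 as in the listing, or read-only 400).
check_private_key_mode() {
    mode=$(file_mode "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Step 4: confirm id_rsa.pub really belongs to id_rsa. ssh-keygen -y derives
# the public key from the private one; compare type and key blob (fields 1-2),
# ignoring the trailing comment.
check_pair_matches() {
    derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1-2) || return 1
    stored=$(cut -d' ' -f1-2 < "$1.pub") || return 1
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

main() {
    ssh_dir="${SSH_DIR:-$HOME/.ssh}"
    setup_ssh_dir "$ssh_dir" || exit 1
    generate_key "$ssh_dir/id_rsa" rsa || exit 1
    check_private_key_mode "$ssh_dir/id_rsa" || { echo "id_rsa is not owner-only" >&2; exit 1; }
    check_pair_matches "$ssh_dir/id_rsa" || { echo "id_rsa.pub does not match id_rsa" >&2; exit 1; }
    # Print the fingerprint (ssh-keygen -l); this, not the key itself, is what
    # you compare against the server side or a key inventory.
    ssh-keygen -l -f "$ssh_dir/id_rsa.pub"
}

# Run main only when executed as a script; when sourced (". setup_ssh_keys.sh")
# the functions are available without touching ~/.ssh.
case "$0" in
    *setup_ssh_keys.sh) main "$@" ;;
esac
```

Run it as `sh setup_ssh_keys.sh`, or source it and call the functions one at a time. Note that the listing in step 1-2 shows .ssh created as drwxr-xr-x (755); that is not writable by others, so ssh accepts it, but 700 is the conventional setting and hides the directory contents from other local users. The private key's mode matters more: ssh refuses to use an id_rsa that anyone but the owner can read, which is exactly what check_private_key_mode tests for.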
Bonus: other ssh-keygen options
usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]
                  [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]
       ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]
                  [-P old_passphrase]
       ssh-keygen -i [-f input_keyfile] [-m key_format]
       ssh-keygen -e [-f input_keyfile] [-m key_format]
       ssh-keygen -y [-f input_keyfile]
       ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
       ssh-keygen -B [-f input_keyfile]
       ssh-keygen -D pkcs11
       ssh-keygen -F hostname [-lv] [-f known_hosts_file]
       ssh-keygen -H [-f known_hosts_file]
       ssh-keygen -R hostname [-f known_hosts_file]
       ssh-keygen -r hostname [-g] [-f input_keyfile]
       ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
       ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines]
                  [-j start_line] [-K checkpt] [-W generator]
       ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
                  [-n principals] [-O option] [-V validity_interval]
                  [-z serial_number] file ...
       ssh-keygen -L [-f input_keyfile]
       ssh-keygen -A [-f prefix_path]
       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
                  file ...
       ssh-keygen -Q -f krl_file file ...
       ssh-keygen -Y check-novalidate -n namespace -s signature_file
       ssh-keygen -Y sign -f key_file -n namespace file ...
       ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
                  -n namespace -s signature_file [-r revocation_file]