ssh的两种“key”

安装ssh服务时，必须生成key，linux系统安装ssh时自动安装了，而有些则需要手动生成，例如Android中安装dropbear运行ssh服务前，需手动生成key，这种key是用于ssh管道的，这个管道可以提供terminal服务也可以提供文件传输服务； 另外一种key是用于客户端的认证的，登录认证可以是用户名和密码也可以是key； 下面的帖子说的很清楚了：http://security.stackexchange.com/questions/55947/how-does-sftp-function-without-a-manually-generated-public-private-key-pair 以下是节选： Short answer: there is necessarily a public/private key pair on the server. There may be a public/private key pair on the client, but the server may elect to authenticate clients with passwords instead, SSH is a generic tunnel mechanism, in which some "application data" is transferred. One such application is the "remote shell" which is used to obtain an open "terminal" on a server, in which terminal applications can be run. Another, distinct application is the file transfer protocol known as SFTP. From the SSH point of view, which application is used is irrelevant. This means that any authentication concept applies equally to SSH (the "remote shell" part) and SFTP. The server MUST have a public/private key pair. That key is used for the tunnel part, so a server will use the same key pair for all applicative protocols. Most Unix-like operating systems (e.g. Linux) create a SSH key pair when first installed, and will use it thereafter. This means that you don't have to "create a key" when you configure your SSH server to also be used as SFTP: the server already has a key. A client may have a public/private key pair if it wishes to be authenticated based on that key; this is all about client authentication, i.e. about how the server will make sure that it is talking to the right client. Password-based authentication and key-based authentication are the two most common methods (some servers are configured to require both). By definition, only the key-based authentication requires that the client stores and uses a key pair of its own. 另一个人： In SSH, you have two sets of key pairs: one for the server and one for the users. The server key pair is mandatory but it is typically generated during the installation of the server: all you have to do is validate the server public key fingerprint (a simple hash) and, as long as the key is unchanged, your client will silently connect. The key pair you use for authenticating, however, can be optional (or disallowed) depending on what authentication method you've decided to allow or require on the server. The Wiki article on SSH has plenty of juicy details but, to summarise, there are 4 supported authentication mechanism: Password requires a username and password combination Public key requires acess to the private part of the public key you use for authentication (typically, you setup the key pair on the client and just update the server configuration with your public key). Keyboard interactive is mostly used for one-time passwords and similar. GSSAPI, a framework used for implementing other authentication scheme, usually to implement single sign-on (most notably Kerberos)