2278 Views | 10 Helpful | 2 Replies

SSH Considerations

salemmahara
Level 3

Hello guys,

I have a set of questions relevant to SSH configuration:

1. Is it necessary to use crypto key generate rsa? Why?

2. What would happen if we generate keys and configure SSH, and then restore this configuration onto another switch/router?

3. Is it necessary to do anything special to back up and restore these keys? I mean, we normally back up the startup configuration somewhere off the device and restore it if there is a problem, including a wrong configuration or... What about SSH? We are adding complexity to the configuration by enabling SSH instead of Telnet, and I really need to know all the details in case of failure, restore, or even booting to ROMMON. For example, sometimes we lose SSH after upgrading to some IOS XE versions!

2 Accepted Solutions

ngkin2010
Level 7

Hi,

1. If there is no default generated RSA key pair on your network equipment (the SSH server), you will need to create one. The RSA key pair (public, private) is used to secure the SSH connection.

2. Each device should have its own unique key pair. If you restore your "show run" configuration, generate a new RSA key pair on another device, and launch it in production, there should be no problem. However, if your SSH client (e.g. OpenSSH) has stored the public key (the so-called "host key") of your previous device, you will have to remove it with "ssh-keygen -R <IP address>".

3. Usually, the key pair is non-exportable for security reasons. You do not need to back up the RSA key pair.


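The client-side situation point 2 describes, as an added example in Python (not code from this thread, from Cisco, or from OpenSSH): a known_hosts file still holds the retired switch's host key, the replacement at the same address offers a freshly generated RSA key, so a careful client reports a mismatch, drops the stale entry (the effect of `ssh-keygen -R <IP>`), and then accepts the new key only when its SHA256 fingerprint equals the one recorded out of band at deployment. The addresses, key blobs and known_hosts contents are constructed toy data; hashed (`|1|`) known_hosts entries are skipped because matching them needs the per-entry salt.

```python
"""Host-key bookkeeping when the device behind a known IP is replaced.

Added example, not code from the thread. All key material is constructed
toy data, never a usable key.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian, with a leading zero byte if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> str:
    """Base64 of an ssh-rsa public-key blob built from toy e and n (constructed, not usable)."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (the form `ssh-keygen -lf` prints)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """(host field, key type, blob) for each plain entry; comments and '|1|' hashed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or line.startswith("|1|"):
            continue
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def lookup(text: str, host: str) -> Optional[str]:
    """Stored blob for host, like `ssh-keygen -F <host>`; None if the host is unknown."""
    for host_field, _keytype, blob in parse_known_hosts(text):
        if host in host_field.split(","):  # one entry may list several names/addresses
            return blob
    return None


def remove_host(text: str, host: str) -> str:
    """Drop every plain entry for host (what `ssh-keygen -R <host>` does) and return the new file text."""
    kept = []
    for line in text.splitlines():
        fields = line.split()
        stale = len(fields) >= 3 and not line.startswith("|1|") and host in fields[0].split(",")
        if not stale:
            kept.append(line)
    return "".join(l + "\n" for l in kept)


def check_host(text: str, host: str, offered_blob: str, expected_fp: str) -> str:
    """Decision for the key a device offers: 'known-ok', 'mismatch', 'new-verified' or 'new-unverified'.
    expected_fp is the fingerprint recorded out of band, never one read from the session itself."""
    stored = lookup(text, host)
    if stored is not None:
        return "known-ok" if stored == offered_blob else "mismatch"
    return "new-verified" if fingerprint(offered_blob) == expected_fp else "new-unverified"


SWITCH = "10.0.0.5"                                       # constructed address
OLD_KEY = make_rsa_blob(65537, 0xC0FFEED00D123456789ABC)  # constructed: key of the retired device
NEW_KEY = make_rsa_blob(65537, 0xDEADBEEFFACE00012345)    # constructed: key the replacement generated
OTHER_KEY = make_rsa_blob(3, 0xABCDEF)                     # constructed: an unrelated neighbour
# Constructed known_hosts as it looked before the hardware swap.
KNOWN_HOSTS = f"{SWITCH} ssh-rsa {OLD_KEY}\n10.0.0.6 ssh-rsa {OTHER_KEY}\n"


def demo() -> Dict[str, str]:
    """Walk through the swap: mismatch, remove the stale entry, verify the new key out of band."""
    out = {}
    recorded_fp = fingerprint(NEW_KEY)  # stands in for the fingerprint noted when the box was deployed
    out["before"] = check_host(KNOWN_HOSTS, SWITCH, NEW_KEY, recorded_fp)
    cleaned = remove_host(KNOWN_HOSTS, SWITCH)
    out["after_remove"] = check_host(cleaned, SWITCH, NEW_KEY, recorded_fp)
    out["wrong_record"] = check_host(cleaned, SWITCH, NEW_KEY, "SHA256:not-what-was-recorded")
    out["neighbour_kept"] = "present" if lookup(cleaned, "10.0.0.6") else "missing"
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point of the four outcomes is that "mismatch" and "new-unverified" are both stop conditions: the first is only safe to clear when you know the device was replaced, and the second means the fingerprint on the wire does not match what was written down, so the key should not be accepted just because the prompt appeared.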
Muhammad Awais Khan
Cisco Employee

Hi,
1. Is it necessary to use crypto key generate rsa? Why?

It will generate a public and private key for the device, which will be used to encrypt and decrypt the session. The difference and advantage of SSH over Telnet is that the remote access sessions are encrypted. To encrypt and decrypt the session traffic, these keys are required.
2. What would happen if we generate keys and configure SSH, and then restore this configuration onto another switch/router?

You can generate new keys for another switch/router or move the keys, but if you just back up and restore the startup-config, you will see errors only on the crypto key related configuration shown in the running configuration. Other configuration will be imported. You can then generate new RSA keys for the device and save the configuration to fix this issue. You can test this and will most likely encounter the same thing mentioned here.
3. Is it necessary to do anything special to back up and restore these keys? I mean, we normally back up the startup configuration somewhere off the device and restore it if there is a problem, including a wrong configuration or... What about SSH? We are adding complexity to the configuration by enabling SSH instead of Telnet, and I really need to know all the details in case of failure, restore, or even booting to ROMMON. For example, sometimes we lose SSH after upgrading to some IOS XE versions!
It is not necessary. The only difference is that if you do not back up the keys and generate new keys for the new device, then you have to accept the key message prompt which appears when you SSH to the device for the first time. This is acceptable for the majority of cases.

We are not adding any complexity by enabling SSH; we are just encrypting your Telnet session, which is a requirement nowadays for many organizations for compliance reasons. Not only that: with Telnet, a bad guy can intercept and read all the data on that session, including the credentials.

In the worst-case scenario, if you reach ROMMON, then you will be doing a regular restore operation, which has nothing to do with SSH. You will most likely be on the CLI console and may manually set TFTP/FTP parameters for a new image transfer, as an example.

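A restore preflight that follows from point 2 and point 3 of this answer, added here as a Python example (not the thread's or Cisco's code). Because the RSA key pair is not part of the saved configuration, the scanner lists the key-dependent lines that will not work on a replacement box until `crypto key generate rsa` has been run there, checks that the two things IOS needs before it will generate a key pair (a hostname and an `ip domain-name`) are present, and warns when a vty section is SSH-only so that a console session is kept open until the keys exist. The sample configs are constructed; the command names other than `crypto key generate rsa` (`ip domain-name`, `crypto pki trustpoint`, `rsakeypair`, `ip ssh`, `transport input`, `modulus 2048`) are standard IOS syntax assumed here, not taken from the thread.

```python
"""Preflight for restoring a saved IOS-style config onto a replacement device.

Added example, not code from the thread or from Cisco. Sample configs are constructed.
"""
import re
from typing import Dict, List

# Constructed: the startup-config saved from the old device (keys are NOT in here).
SAVED_CONFIG = """\
hostname core-sw1
ip domain-name lab.example
!
crypto pki trustpoint TP-self-signed-0000000000
 enrollment selfsigned
 rsakeypair TP-self-signed-0000000000
!
ip ssh version 2
ip ssh time-out 60
!
line con 0
 login local
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""

# Constructed failure case: same config without the domain name, so key generation would be refused.
SAVED_CONFIG_NO_DOMAIN = "\n".join(
    l for l in SAVED_CONFIG.splitlines() if not l.startswith("ip domain-name")
) + "\n"


def preflight(config: str) -> Dict[str, List[str]]:
    """Scan a saved config; return blockers for key generation, actions to take, and mixed vty sections."""
    hostname = domain = None
    key_dependent: List[str] = []  # lines that reference key material the new box does not have
    ssh_only_vty: List[str] = []   # vty sections that accept nothing but SSH
    mixed_vty: List[str] = []      # vty sections that accept SSH and Telnet (or 'all')
    section = None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("hostname "):
            hostname = s.split(None, 1)[1]
        elif re.match(r"ip domain[- ]name ", s):  # both spellings occur across IOS releases
            domain = s.split()[-1]
        elif s.startswith(("crypto pki ", "rsakeypair ", "ip ssh ")):
            key_dependent.append(s)
        elif s.startswith("line "):
            section = s
        elif s.startswith("transport input ") and section and section.startswith("line vty"):
            allowed = set(s.split()[2:])
            if allowed == {"ssh"}:
                ssh_only_vty.append(section)
            elif "ssh" in allowed or "all" in allowed:
                mixed_vty.append(section)  # reachable without keys, but over cleartext Telnet

    blockers: List[str] = []
    if hostname is None:
        blockers.append("no hostname: IOS will not generate an RSA key pair without one")
    if domain is None:
        blockers.append("no ip domain-name: IOS will not generate an RSA key pair without one")

    actions: List[str] = []
    if key_dependent:
        actions.append("RSA key pair is not in the saved config; on the target run "
                       "'crypto key generate rsa modulus 2048' and 'write memory' before relying on:")
        actions.extend("  " + line for line in key_dependent)
    if ssh_only_vty:
        actions.append(f"{len(ssh_only_vty)} vty section(s) are SSH-only; keep a console session open "
                       "until the keys exist: " + ", ".join(ssh_only_vty))
    if key_dependent or ssh_only_vty or mixed_vty:
        actions.append("expect a new host-key prompt on the first SSH login; verify the fingerprint out of band")
    return {"blockers": blockers, "actions": actions, "mixed_vty": mixed_vty}


if __name__ == "__main__":
    for name, cfg in (("saved config", SAVED_CONFIG), ("no domain-name", SAVED_CONFIG_NO_DOMAIN)):
        report = preflight(cfg)
        print(f"== {name}: {len(report['blockers'])} blocker(s)")
        for item in report["blockers"] + report["actions"]:
            print(item)
```

Run against a real saved config, a non-empty `blockers` list means the restore will import cleanly but `crypto key generate rsa` will fail afterwards, which is the combination that leaves a box reachable only on the console; fix those lines before the restore, not after.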