09-19-2018 04:12 AM - edited 03-10-2019 01:05 AM
Team,
My router has a hostname and ip-domain configured. If I use the following command manually on the router in config mode, I am able to generate the crypto key and enable SSH.
crypto key generate rsa modulus 4096
However, if I load a new startup-config remotely via tftp, the same command in the config fails to generate a crypto key.
This is a problem, because we frequently load the configurations on our routers remotely (First wr erase, then copy from tftp, then reload). The "wr erase" part is necessary, otherwise some changes are overlapped.
1. Is there a way to automatically generate the crypto key as part of the startup config?
2. Is there any other (better) way to load the configs and not lose the existing crypto key?
Attached is a sample config
PS: The passwords are all generic and are used in the lab
08-18-2024 06:25 PM
On IOS-XE, the only way we found to get around this situation is to create an EEM script which automatically checks for crypto keys at boot and generates them if missing.
!
! Run the applet in a privilege-15 CLI session so that "enable" and
! "crypto key generate" are authorised when the applet fires
event manager session cli username "admin" privilege 15
event manager applet Crypto_Key_Gen authorization bypass
 ! Fire 30 seconds after the "System restarted" syslog message, i.e. after every reload
 event syslog pattern "System restarted"
 trigger delay 30
 action 1.0 cli command "enable"
 ! The applet relies on the "Temporary key" line of this output being present
 ! only when an RSA key pair already exists on the box
 action 2.0 cli command "show crypto key mypubkey rsa | include key"
 action 3.0 regexp "Temporary key" "$_cli_result" var1
 action 4.0 if $var1 eq "Temporary key"
 action 5.0  syslog msg "Existing SSH cryptographic key present, skipping re-generation"
 action 6.0 else
 action 7.0  syslog msg "No existing SSH cryptographic key found, re-generating key"
 action 7.1  cli command "enable"
 action 7.2  cli command "crypto key gen rsa mod 4096"
 action 8.0 end
!
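As an added illustration that is not part of this thread or of Cisco's code, the Python below does off-box what the applet does on-box: it parses a constructed sample of `show crypto key mypubkey rsa` into key records and decides whether a persistent (non-temporary) RSA key pair is missing, optionally by key name. The sample output layout and the "Key is exportable" wording are assumptions modelled on the IOS-XE format; adjust the regexes if your platform prints it differently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (format is an assumption; key data is a placeholder).
SHOW_WITH_KEYS = """\
% Key pair was generated at: 09:15:02 UTC Sep 19 2018
Key name: router1.example.net
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable. Redundancy enabled.
 Key Data:
  30820122 300D0609 ...KEY-DATA-PLACEHOLDER...
% Key pair was generated at: 09:15:03 UTC Sep 19 2018
Key name: router1.example.net.server
 Temporary key
 Usage: Encryption Key
 Key is not exportable.
"""
# A box with no keys prints no "Key name:" record at all (assumed; empty here).
SHOW_NO_KEYS = ""

@dataclass
class RsaKey:
    name: str
    usage: str = ""
    temporary: bool = False
    exportable: bool = False

def parse_mypubkey_rsa(output: str) -> List[RsaKey]:
    """Return one RsaKey record per 'Key name:' block in the show output."""
    keys: List[RsaKey] = []
    current: Optional[RsaKey] = None
    for line in output.splitlines():
        text = line.strip()
        match = re.match(r"Key name:\s*(\S+)", text)
        if match:                      # start of a new key record
            current = RsaKey(name=match.group(1))
            keys.append(current)
        elif current is None:
            continue                   # header lines before the first record
        elif text == "Temporary key":  # the .server key the applet greps for
            current.temporary = True
        elif text.startswith("Usage:"):
            current.usage = text.split(":", 1)[1].strip()
        elif text.startswith("Key is exportable"):   # wording is an assumption
            current.exportable = True
    return keys

def needs_key_generation(output: str, required_name: Optional[str] = None) -> bool:
    """True when no persistent RSA key pair exists (optionally with this exact name)."""
    persistent = [k for k in parse_mypubkey_rsa(output) if not k.temporary]
    if required_name is not None:
        persistent = [k for k in persistent if k.name == required_name]
    return not persistent
```

Feed it the real show output captured from your router to validate the regexes before relying on the same decision in an applet.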
08-18-2024 04:44 AM
Anyone please help with this, I have this problem too.