2886 Views, 2 Helpful, 3 Replies

SSH keys: encrypted, usage-keys, general-keys?

mgleason (Level 1)

When you generate "special usage keys" in a router, one is an encryption key and the other is a signature key. Should the signature key be copied and saved into a file and placed on the emulator you are using?

Is there any benefit to using special usage keys over general usage keys that are encrypted on the Cisco device?

I have read the docs on cisco.com about what can be accomplished by encrypting keys. The point is that there is not enough documentation on the usage of these SSH keys and what the "best practice" is for a solid security scheme.

Any help is appreciated. Thanks.

3 Replies

pradeepde (Level 5)

This document discusses how to configure and debug Secure Shell (SSH) on Cisco routers or switches that run a version of Cisco IOS Software that supports SSH. It also contains more information on specific versions and software images.

http://www.cisco.com/warp/public/707/ssh.shtml

chollingworth (Level 1)

I have set up SSH on a Catalyst 3550 switch as per the Cisco documentation, as follows:

1) Upgrade to IOS version 121-22.EA4 crypto software, image file: c3550-i9k2l2q3-mz.121-22.EA4.bin

2) Check the running config for ssh:

ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2

3) Configure the vty sessions 0 to 4 for ssh inwards using an access list:

line vty 0 4
access-class acl-number in
login local
transport input ssh
escape-character 3

4) Generated the encryption keys (cry key generate rsa usage-keys):

switch(config)#cry key generate rsa
The name for the keys will be: switch-name.ip-domain-name
Chosen the size of the key modulus to be 512.
How many bits in the modulus [512]:
Jun 7 15:44:16 BST: %SSH-5-ENABLED: SSH 2.0 has been enabled

5) Tested this out using a few SSH version 2 clients. Encryption: 3DES.

Everything worked OK, but about one month later the encryption keys had to be re-generated as we were locked out of the device. Can anyone explain how I can prevent the keys expiring?

Cheers, Celia Hollingworth

Bristol University - Network Team

I'd be curious whether they expired or whether the device rebooted and the keys weren't saved with a 'write mem'. Next time this happens, before generating new keys, you can see if any keys are present by issuing 'show crypto key mypubkey rsa'. From reading their documentation, I'm not under the impression that after saving these keys they should ever expire. If there are no keys listed after running the 'show key mypubkey rsa' command, then I'm guessing the device rebooted without saving the configuration, taking your keys with it. Also, if you have to do a password recovery on a device, the RSA keys are removed and you have to regenerate them.
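Both the SSH setup steps in the post above and the "are the keys still there?" check in the last reply come down to reading two pieces of device text: a running-config excerpt and the output of 'show crypto key mypubkey rsa'. The script below is an added example, not code from Cisco or from anyone in this thread. It audits the vty and 'ip ssh' settings the post lists, and parses the key listing to report whether keys exist and whether they are general-purpose or the signature/encryption pair that 'usage-keys' produces (the distinction the original question asks about). All sample input is constructed to mirror the thread; the field names assumed for the key listing ('Key name:', 'Usage:') should be checked against your own device's output.

```python
"""Audit the SSH-related parts of an IOS config and a stored RSA key listing.

Added example (not Cisco's or the thread authors' code). Sample inputs are
constructed, not captured from a real device.
"""
import re

# Constructed sample: the post's SSH config, plus a second vty range left at
# defaults so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname switch
ip domain-name example.net
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 escape-character 3
line vty 5 15
 login
 transport input telnet ssh
!
"""

# Constructed samples in the shape of 'show crypto key mypubkey rsa' output.
# A general-purpose pair (cry key generate rsa) ...
SAMPLE_KEYS = """\
% Key pair was generated at: 15:44:16 BST Jun 7 2005
Key name: switch.example.net
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181
"""
# ... and the signature + encryption pair that 'usage-keys' produces.
SAMPLE_USAGE_KEYS = """\
% Key pair was generated at: 15:44:16 BST Jun 7 2005
Key name: switch.example.net
 Usage: Signature Key
 Key is not exportable.
% Key pair was generated at: 15:44:20 BST Jun 7 2005
Key name: switch.example.net
 Usage: Encryption Key
 Key is not exportable.
"""


def vty_blocks(config):
    """Yield (label, [sub-commands]) for every 'line vty' stanza in the config."""
    current, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if current is not None:
                yield current, body
            current, body = raw[len("line "):].strip(), []
        elif current is not None and raw.startswith(" "):
            body.append(raw.strip())
        elif current is not None:  # any non-indented line ends the stanza
            yield current, body
            current, body = None, []
    if current is not None:
        yield current, body


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "ip ssh version 2" not in lines:
        findings.append("global: 'ip ssh version 2' missing (SSHv1 would be negotiable)")
    for label, body in vty_blocks(config):
        transports = [b for b in body if b.startswith("transport input")]
        if not transports or any(t != "transport input ssh" for t in transports):
            findings.append(f"{label}: transport input is not restricted to ssh")
        if not any(b.startswith("access-class") and b.endswith(" in") for b in body):
            findings.append(f"{label}: no inbound access-class applied")
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{label}: no per-user login ('login local' or AAA) configured")
    return findings


def parse_rsa_keys(show_output):
    """Return [{'name': ..., 'usage': ...}] per listed key pair; [] when none are stored."""
    keys, current = [], None
    for line in show_output.splitlines():
        m = re.match(r"\s*Key name:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1), "usage": None}
            keys.append(current)
            continue
        m = re.match(r"\s*Usage:\s*(.+?)\s*$", line)
        if m and current is not None:
            current["usage"] = m.group(1)
    return keys


def key_status(show_output):
    """One-line summary; no keys at all is the lock-out situation described in the thread."""
    keys = parse_rsa_keys(show_output)
    if not keys:
        return "no RSA keys present: regenerate with 'crypto key generate rsa' and save the config"
    usages = sorted({k["usage"] for k in keys if k["usage"]})
    return "RSA keys present: " + ", ".join(usages)


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(key_status(SAMPLE_KEYS))
    print(key_status(SAMPLE_USAGE_KEYS))
    print(key_status("% No RSA keys found.\n"))
```

Run it against real output by pasting the two command outputs into the sample strings. The audit only reads the running configuration, so it cannot tell whether 'write mem' was run; pairing it with the key listing is what distinguishes "keys never saved and lost on reload" from a genuinely misconfigured vty line.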