05-28-2020 04:54 AM - edited 05-28-2020 04:54 AM
So part of my standard rollout is to create an SSH key in each 2960 I deploy - crypto key generate rsa modulus 2048.
After I do this and check it with show crypto key mypubkey rsa, I see the 2048 key I created, but there are also a 512 and a 768 key in the mypubkey output. Even if I zeroize the key and then recreate it, a 768 key reappears along with the 2048 key.
Why is that, and how can I be sure the 2048 key will be used when someone SSHes to the device, and not the 512 or 768 key?
05-28-2020 10:02 AM - edited 05-28-2020 10:03 AM
The default key will show up and also be regenerated when a crypto function is used without a dedicated key (but I've seen platform-dependent differences). Just make sure that you always reference your own key. Here is a guide on how to do that:
https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
05-28-2020 11:24 AM - edited 05-28-2020 11:25 AM
Karsten,
Let me ask you this: If I zeroize all rsa keys, then create a new 2048 bit rsa key as below:
crypto key zeroize rsa
crypto key gen rsa mod 2048 label dundermifflin
ip ssh rsa keypair-name dundermifflin
When I show crypto key mypubkey rsa, I see the 2048 key as "dundermifflin," and then I see a new auto-generated 768 key ("temp key") as "dundermifflin.server." You're saying that as long as I reference "dundermifflin" and not "dundermifflin.server" in the ip ssh rsa keypair-name command, I can be sure the 2048 key will always be used when someone SSHes to the switch?
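A client-side way to confirm which key a switch actually presents, added here as an example and not part of the thread: capture the host key with `ssh-keyscan -t rsa <switch>` and measure the RSA modulus in the ssh-rsa wire format. The host names and the sample key blobs below are constructed for the example (they are integers of the right size, not real keys); a real run would feed in the line ssh-keyscan prints.

```python
import base64
import struct

def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[offset + 4:end], end

def rsa_key_bits(keyscan_line: str) -> int:
    """Modulus size in bits for one 'host ssh-rsa AAAA...' line as printed
    by `ssh-keyscan -t rsa <host>`. Raises ValueError for non-RSA keys."""
    fields = keyscan_line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("expected 'host ssh-rsa <base64>'")
    blob = base64.b64decode(fields[2])
    algo, off = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("blob does not start with 'ssh-rsa'")
    _exponent, off = _read_string(blob, off)   # public exponent, unused here
    modulus, _ = _read_string(blob, off)
    # mpint: a leading 0x00 pad byte does not add to bit_length().
    return int.from_bytes(modulus, "big").bit_length()

def check_minimum(keyscan_line: str, minimum_bits: int = 2048) -> bool:
    """True when the host key the device presented is at least minimum_bits."""
    return rsa_key_bits(keyscan_line) >= minimum_bits

def build_keyscan_line(host: str, modulus: int, exponent: int = 65537) -> str:
    """Constructed test input only: encodes an integer of the wanted size in
    the ssh-rsa wire format. It is not a real RSA key."""
    def mpint(n: int) -> bytes:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:
            raw = b"\x00" + raw                 # keep the value positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(exponent) + mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed samples: the 2048-bit key the switch should present, and a
# 768-bit one, the size of the auto-generated temp key from the thread.
SAMPLE_2048 = build_keyscan_line("switch01", (1 << 2047) | 1)
SAMPLE_768 = build_keyscan_line("switch02", (1 << 767) | 1)
```

If the measured size matches the modulus shown for the labelled key in show crypto key mypubkey rsa, that is the key clients are getting.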