SSH

leowls

Hi guys,

I have seen tutorials that both include and omit the domain name in the configuration of SSH on a router/switch.

What is the significance of including it? And does it have any impact if it's omitted?

Accepted Solution

This is probably one of the most often misunderstood/misdocumented functions ever ...

Your SSH keys need a label, a name. This label can and should be specified when the key is generated. In this case the domain-name on the router is not needed.

But if you do not specify the label when generating the key, the router by default uses the host/domain-name for the label. Then the domain-name has to be specified.

In short: No, the domain-name is not needed if you configure SSH the right way.

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344


Hello

My understanding is that you cannot apply SSH unless a domain name is pre-configured first, as it is required to generate the SSH key.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Is the domain name locally significant only? If I have 2 switches can I configure SSH on them with 2 different domain names?


Hi Iwen,
Thanks for the info. Below I have gathered the commands (based on your tutorial) needed to set it up and have commented some as optional. Please take a look and correct me if I'm wrong.

crypto key generate rsa label SSH-KEY modulus 4096
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 4096 <---- optional
ip ssh logging events <---- optional
line vty 0 4
transport input ssh
ip ssh port 7890 rotary 1 <---- optional
!
line vty 0 4 <---- optional
rotary 1 <---- optional

ip ssh server algorithm encryption aes256-ctr <---- optional
ip ssh server algorithm mac hmac-sha1 <---- optional

You are correct, but for a good configuration I would specify the "dh min size" with minimum 2048 bit and also restrict the algorithms if your IOS version allows that.
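As an added example (not from the thread or from Cisco), a small Python check over a running-config fragment that enforces the point of the accepted answer and the follow-up above: a named keypair (ip ssh rsa keypair-name) makes ip domain-name unnecessary, an unnamed one requires it, and the rest of the posted list (SSH version 2, dh min size of at least 2048, restricted algorithms, SSH-only vty lines) is checked too. The sample config and the weak-algorithm lists are my own constructions.

```python
import re

# Constructed sample running-config fragment (mine, not from the thread): it names
# the keypair as the accepted answer advises, so no ip domain-name is set.
SAMPLE_CONFIG = """\
hostname SW1
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 2048
ip ssh server algorithm mac hmac-sha1-96
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

WEAK_MACS = {"hmac-sha1-96", "hmac-md5"}  # assumed weak lists: truncated/MD5 MACs,
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}  # CBC ciphers

def check_ssh_config(config: str) -> list[str]:
    """Return findings for an IOS config text; an empty list means no issues found."""
    lines = config.splitlines()
    top = [l for l in lines if l and not l[0].isspace()]  # global-mode lines only
    findings = []
    # With 'ip ssh rsa keypair-name' the domain-name is irrelevant; without it the
    # key is named <hostname>.<domain>, so an ip domain-name must be present.
    has_label = any(l.startswith("ip ssh rsa keypair-name ") for l in top)
    has_domain = any(re.match(r"ip domain[- ]name \S+", l) for l in top)
    if not has_label and not has_domain:
        findings.append("no keypair label and no ip domain-name: key generation will fail")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set")
    dh = [int(l.split()[-1]) for l in top if l.startswith("ip ssh dh min size ")]
    if not dh or dh[0] < 2048:
        findings.append("ip ssh dh min size missing or below 2048")
    for l in top:
        algs = set(l.split()[5:])  # tokens after 'ip ssh server algorithm <type>'
        if l.startswith("ip ssh server algorithm mac ") and algs & WEAK_MACS:
            findings.append(f"weak MAC(s) allowed: {sorted(algs & WEAK_MACS)}")
        if l.startswith("ip ssh server algorithm encryption ") and algs & WEAK_CIPHERS:
            findings.append(f"CBC cipher(s) allowed: {sorted(algs & WEAK_CIPHERS)}")
    block = None  # every 'line vty' block must accept SSH only
    for l in lines + ["!"]:  # trailing '!' closes the last block
        if not l or not l[0].isspace():
            if block and not block["ssh_only"]:
                findings.append(f"{block['name']}: transport input is not 'ssh' only")
            block = {"name": l, "ssh_only": False} if l.startswith("line vty") else None
        elif block and l.strip().startswith("transport input "):
            block["ssh_only"] = l.split()[2:] == ["ssh"]
    return findings
```

Run it against the output of show running-config to see which of the thread's recommendations a device is missing.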

Hello Karsten

Cheers for the validation. I have always used the domain name and on occasions added a label, but never realised the label superseded the domain in the key creation.

Apologies to OP for misleading.

Kind Regards
Paul