07-27-2018 01:35 AM - edited 03-08-2019 03:45 PM
Hi guys,
I have seen tutorials that both include and omit the domain name in the configuration of SSH on a router/switch.
What is the significance of including it? And does it have any impact if it is omitted?
Labels: LAN Switching
Accepted Solution
07-27-2018 03:31 AM
This is probably one of the most often misunderstood/misdocumented functions ever ...
Your SSH keys need a label, a name. This label can and should be specified when the key is generated. In this case the domain name on the router is not needed.
But if you do not specify the label when generating the key, the router by default uses the host/domain name for the label. Then the domain name has to be specified.
In short: no, the domain name is not needed if you configure SSH the right way.
https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
07-27-2018 02:15 AM - edited 07-27-2018 02:16 AM
Hello
My understanding is that you cannot apply SSH unless a domain name is pre-configured first, as it is required to generate the SSH key.
res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
07-27-2018 03:15 AM
Hi Paul,
Is the domain name locally significant only? If I have 2 switches can I configure SSH on them with 2 different domain names?
07-27-2018 06:02 AM - edited 07-27-2018 06:04 AM
Hi Iwen,
Thanks for the info. Below I have gathered the commands (based on your tutorial) needed to set it up and have commented some as optional. Please take a look and correct me if I'm wrong.
crypto key generate rsa label SSH-KEY modulus 4096
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 4096 <---- optional
ip ssh logging events <---- optional
ip ssh port 7890 rotary 1 <---- optional (global config, pairs with "rotary 1" on the vty lines)
ip ssh server algorithm encryption aes256-ctr <---- optional
ip ssh server algorithm mac hmac-sha1 <---- optional
!
line vty 0 4
 transport input ssh
 rotary 1 <---- optional
07-27-2018 07:51 AM
You are correct, but for a good configuration I would specify the "dh min size" with minimum 2048 bit and also restrict the algorithms if your IOS version allows that.
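An added example that is not part of the thread and not Cisco tooling: a small Python audit of a running-config excerpt against the advice in the posts above, i.e. the accepted answer's point that an explicit keypair name removes the need for a domain name (and that without a keypair name the label falls back to hostname.domain, so a domain name must exist), plus the "dh min size at least 2048", "version 2", "transport input ssh" and algorithm-restriction points. The two sample configs are constructed, the finding texts and the threshold constant are this example's own assumptions, and both spellings "ip domain name" and "ip domain-name" are matched because IOS releases differ.

```python
"""Audit a Cisco IOS running-config excerpt for the SSH settings discussed in this thread.

Added example, not code from the thread or from Cisco. The sample configs are
constructed; the rule set is this example's own reading of the posts above.
"""
from typing import List, Optional, Tuple

MIN_DH_BITS = 2048  # the minimum recommended in the thread (assumption: treat lower as a finding)

# Constructed sample: the configuration the thread converges on. No domain name,
# because the keypair is named explicitly.
GOOD_CONFIG = """\
hostname sw1
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 4096
ip ssh logging events
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm mac hmac-sha2-256
!
line vty 0 4
 transport input ssh
 rotary 1
"""

# Constructed sample: no keypair name and no domain name, SSHv1 allowed,
# telnet still reachable on the vty lines.
BAD_CONFIG = """\
hostname sw2
ip ssh version 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input all
"""


def parse_config(text: str) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Split IOS config text into global commands and (line-name, sub-commands) sections.

    IOS indents sub-mode commands with a leading space; a blank line or '!' ends a section.
    """
    global_cmds: List[str] = []
    sections: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = (cmd[len("line "):], [])
            sections.append(current)
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the excerpt matches the thread's advice."""
    global_cmds, sections = parse_config(text)

    def find(prefix: str) -> List[str]:
        return [c for c in global_cmds if c.startswith(prefix)]

    findings: List[str] = []

    # 1. Key label versus domain name (the accepted answer's point).
    has_domain = bool(find("ip domain name ") or find("ip domain-name "))
    if find("ip ssh rsa keypair-name "):
        pass  # label is explicit, so the domain name is not needed for SSH
    elif has_domain:
        findings.append("no keypair name: key label falls back to hostname.domain, "
                        "so the domain name must stay configured")
    else:
        findings.append("no keypair name and no domain name: IOS cannot derive a key label, "
                        "so SSH cannot be enabled")

    # 2. Protocol version.
    if not find("ip ssh version 2"):
        findings.append("ip ssh version 2 not set: SSHv1 may be negotiated")

    # 3. Diffie-Hellman minimum group size.
    dh = find("ip ssh dh min size ")
    if not dh:
        findings.append(f"ip ssh dh min size not set: configure at least {MIN_DH_BITS}")
    else:
        bits = int(dh[0].split()[-1])
        if bits < MIN_DH_BITS:
            findings.append(f"ip ssh dh min size {bits} is below {MIN_DH_BITS}")

    # 4. Every vty line must accept SSH only.
    for name, cmds in sections:
        if not name.startswith("vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"line {name}: expected 'transport input ssh', "
                            f"found {transports or 'no transport input'}")

    # 5. Algorithm restriction (advisory; only available on IOS versions that support it).
    for kind in ("encryption", "mac"):
        if not find(f"ip ssh server algorithm {kind} "):
            findings.append(f"no 'ip ssh server algorithm {kind}' restriction configured")

    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Feed it the output of `show running-config` (or just the relevant lines); the parser only understands global commands and `line` sub-modes, which is all these checks need.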
07-27-2018 07:03 AM
Hello Karsten
Cheers for the validation. I have always used the domain name and on occasion added a label, but never realised the label superseded the domain name in the key creation.
Apologies to the OP for misleading.
Kind Regards
Paul
