07-27-2018 01:35 AM - edited 03-08-2019 03:45 PM
Hi guys,
I have seen tutorials that include and others that omit the domain name in the SSH configuration of a router/switch.
What is the significance of including it? And does it have any impact if it is omitted?
07-27-2018 03:31 AM
This is probably one of the most often misunderstood/misdocumented functions ever ...
Your SSH-keys need a label, a name. This label can and should be specified when the key is generated. In this case the domain-name on the router is not needed.
But if you do not specify the label when generating the key, the router by default uses the host/domain-name for the label. Then the domain-name has to be specified.
In short: No, the domain-name is not needed if you configure SSH the right way.
https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
07-27-2018 02:15 AM - edited 07-27-2018 02:16 AM
Hello
My understanding is that you cannot apply SSH unless a domain name is pre-configured first, as it is required to generate the SSH key.
res
Paul
07-27-2018 03:15 AM
Hi Paul,
Is the domain name locally significant only? If I have 2 switches can I configure SSH on them with 2 different domain names?
07-27-2018 06:02 AM - edited 07-27-2018 06:04 AM
Hi Iwen,
Thanks for the info. Below I have gathered the commands (based on your tutorial) needed to set it up and have commented some as optional. Please take a look and correct me if I'm wrong.
crypto key generate rsa label SSH-KEY modulus 4096
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 4096 <---- optional
ip ssh logging events <---- optional
line vty 0 4
 transport input ssh
ip ssh port 7890 rotary 1 <---- optional
!
line vty 0 4 <---- optional
 rotary 1 <---- optional
ip ssh server algorithm encryption aes256-ctr <---- optional
ip ssh server algorithm mac hmac-sha1 <---- optional
07-27-2018 07:51 AM
You are correct, but for a good configuration I would specify the "dh min size" with minimum 2048 bit and also restrict the algorithms if your IOS version allows that.
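To make the points in this thread checkable rather than remembered, here is an added audit script (not from the thread or from Cisco) that reads a `show running-config` fragment and reports the gaps discussed above: whether a key label (`ip ssh rsa keypair-name`) or, failing that, an `ip domain-name` is present so the key name can be formed, whether `ip ssh version 2` is set, whether `ip ssh dh min size` is at least 2048, and whether every `line vty` block is SSH-only. The sample config embedded below is constructed for the example; the function names are the script's own.

```python
from typing import Dict, List

# Constructed sample fragment of a "show running-config" (hypothetical device).
# The second vty block is deliberately left telnet-enabled so the audit has
# something to report.
SAMPLE_CONFIG = """\
hostname SW1
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 4096
ip ssh logging events
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""


def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty X Y' header to its indented sub-mode commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the vty block
    return blocks


def audit_ssh(config: str, min_dh_bits: int = 2048) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    lines = [line.strip() for line in config.splitlines()]

    # Key naming: an explicit label makes the domain name unnecessary; without
    # a label the default key name is built from hostname + domain name.
    has_label = any(l.startswith("ip ssh rsa keypair-name ") for l in lines)
    has_domain = any(l.startswith(("ip domain-name ", "ip domain name ")) for l in lines)
    if not has_label and not has_domain:
        findings.append(
            "no explicit key label (ip ssh rsa keypair-name) and no ip domain-name: "
            "default key name cannot be formed"
        )

    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not set")

    dh = next((l for l in lines if l.startswith("ip ssh dh min size ")), None)
    if dh is None or int(dh.rsplit(" ", 1)[1]) < min_dh_bits:
        findings.append(f"ip ssh dh min size missing or below {min_dh_bits}")

    # Every vty block must restrict inbound transport to ssh only.
    for name, sub in parse_vty_blocks(config).items():
        transport = next((s for s in sub if s.startswith("transport input ")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{name}: transport input is not ssh-only ({transport or 'default'})")

    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `show running-config` saved to a file; on the sample above it reports only the telnet-enabled `line vty 5 15` block, because the key is labelled and the dh minimum is above the 2048-bit threshold. Note that `crypto key generate rsa` is an exec command and never appears in the running config, so the audit looks for the `ip ssh rsa keypair-name` reference instead.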
07-27-2018 07:03 AM
Hello Karsten
Cheers for the validation. I have always used the domain name and on occasion added a label, but never realised the label superseded the domain in the key creation.
Apologies to OP for misleading