Also all of our devices will be using TACACS+ so what are the implications for this? I've read that you need to use event manager session cli username <username>. But my question is how is the user authenticated and what happens if the TACACS+ server is unavailable?
I use the following script to generate the SSH key on reload if there isn't one present already. You can adjust it fairly easily to check every 10 minutes.
event manager applet EEM_SSH_Keygen
event timer cron cron-entry "@reboot"
action 0.0 info type routername
action 0.1 set status "none"
action 1.0 cli command "enable"
action 2.0 cli command "show ip ssh | include ^SSH"
action 2.1 regexp "([ED][^ ]+)" "$_cli_result" result status
action 3.0 if $status eq Disabled
action 3.1 cli command "configure terminal"
action 3.2 cli command "crypto key generate rsa modulus 2048 label $_info_routername"
action 3.3 cli command "end"
action 3.4 end
As for the event manager session cli username <username> configuration command, this only defines how actions appear in the log when the event manager scripts are run. They don't actually perform any kind of authentication. When I set event manager session cli username blah on my router (where the username "blah" doesn't exist anywhere in my authentication methods) the script continues to run normally, but configuration events in the log appear as follows:
028089: Jan 29 2015 13:56:55 EST: %SYS-5-CONFIG_I: Configured from console by blah on vty1 (EEM:EEM_SSH_Keygen)