SSH config

Unanswered Question
Oct 24th, 2007

When configuring ssh on a router and it creates the keys etc.. . I don't see anything in the config that indicates ssh was enabled other than the vty "transport" parameters . Say you had to replace a router and you use a backup tftp file to config the box how does it know to create the key if there is nothing in the config file to tell it to do this . Is this a manual process if you have to replace the box where you have to add the "crypto key generate rsa" command ? Somehow it knows over reboots to config a key I just don't see anything in the config to tell it to do that . Trying to get a process down if equipment has to be replaced. Is placed somewhere in nvram in a different filename ??

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
bvsnarayana03 Wed, 10/24/2007 - 10:34

The crypto key is unique, u may not copy from 1 device to other. So u have to configure ssh on each device separately.

glen.grant Wed, 10/24/2007 - 10:39

I understand that , I just don't see it in the config . If you have to replace the device how does it know to create the key from the config file if there is nothing in the file to say to create it . My question i guess , after loading the config file into the replacement supervisor or router do you have to manually add the "crypto key generate rsa" command as it does not show up in your running config. Maybe I am missing something simple here.

bvsnarayana03 Wed, 10/24/2007 - 10:56

There you are, u may have to generate the keys separately on each device.

how different is "show crypto" commands on the 2 routers.

however,on high end routers/switches When you use the redundancy force-failover main-cpu (Catalyst 8540 MSR) command to manually force the secondary route processor to take over as the primary route processor the SSH RSA key-pair is automatically generated on the new primary route processor. This ensures that the SSH server is enabled on the switch router even after route processor switchover and allows you to start configuring the new primary route processor using a new SSH connection without reloading the switch router. (content taken from whitepaper)

glen.grant Wed, 10/24/2007 - 11:34

I think I found my answer , the crypto key is not stored in startup config , it apparently stored in the private-config file in nvram so that does not get saved so when you config the replacement device you will have to manually config the keys again with the crypto key generate rsa command.


This Discussion