Cisco Support Community
New Member

SSH key's encrypted, usage-keys, general-keys ??

When you generate "special usage keys" in a router, one is an encryption key and the other is a signature key. Should the signature key be copied and saved into a file and placed on the emulator you are using??

Is there any benefit of using special usage keys over general usage keys that are encrypted on the Cisco device?

I have read the docs on cisco.com in relation to what can be accomplished by encrypting keys. The point being there is not enough documentation on the usage of these SSH keys and what is the "best-practice" for a solid security scheme.

Any help is appreciated, Thanks

  • Other Security Subjects
3 REPLIES
Bronze

Re: SSH key's encrypted, usage-keys, general-keys ??

This document discusses how to configure and debug Secure Shell (SSH) on Cisco routers or switches that run a version of Cisco IOS Software that supports SSH. This document contains more information on specific versions and software images.

http://www.cisco.com/warp/public/707/ssh.shtml

New Member

Re: SSH key's encrypted, usage-keys, general-keys ??

I have set up SSH on a Catalyst 3550 switch as per the Cisco documentation as follows:

1) Upgrade to IOS version 121-22.EA4 crypto software,
   image file: c3550-i9k2l2q3-mz.121-22.EA4.bin

2) Check the running config for ssh:
   ip ssh time-out 120
   ip ssh authentication-retries 3
   ip ssh version 2

3) Configure the vty sessions 0 to 4 for ssh inwards using an access list:
   line vty 0 4
    access-class acl-number in
    login local
    transport input ssh
    escape-character 3

4) Generated the encryption keys - cry key generate rsa usage-keys
   switch(config)#cry key generate rsa
   The name for the keys will be: switch-name.ip-domain-name
   Chose the size of the key modulus to be 512.
   How many bits in the modulus [512]:
   Jun 7 15:44:16 BST: %SSH-5-ENABLED: SSH 2.0 has been enabled

5) Tested this out using a few SSH version 2 clients.
   Encryption - 3DES

Everything worked OK - but about one month later the encryption keys had to be re-generated as we were locked out of the device. Can anyone explain how I can prevent the keys expiring?

Cheers, Celia Hollingworth

Bristol University - Network Team

New Member

Re: SSH key's encrypted, usage-keys, general-keys ??

I'd be curious if they expired or if the device rebooted and the keys weren't saved with a 'write mem'. Next time this happens, before generating new keys, you can see if any keys are present by issuing 'show crypto key mypubkey rsa'. From reading their documentation I'm not under the impression that after saving these keys they should ever expire. If there are no keys listed after running the 'show key mypubkey rsa' command then I'm guessing the device rebooted without saving configuration, taking your keys with it. Also if you have to do a password recovery on a device the rsa keys are removed and you have to regenerate them.
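The check suggested in the reply above (look at 'show crypto key mypubkey rsa' before regenerating anything) can be automated, and the same parser also exposes the modulus size, which matters for the 512-bit keys generated in the Catalyst 3550 post earlier in this thread. The script below is an added example, not code from this thread or from Cisco. It reads the key size out of the DER-encoded SubjectPublicKeyInfo that IOS prints under "Key Data:", so it does not depend on any IOS-version-specific size line. Everything it is fed is constructed: the sample outputs are modelled on the IOS layout rather than captured from a device, the keys inside them are fake DER structures of the right shape and size, the 2048-bit floor is an assumption about current practice, and it assumes (as the reply implies) that a device with no key pairs prints nothing for the command.

```python
"""Audit 'show crypto key mypubkey rsa' output from a Cisco IOS device.

Added example, not from the thread or from Cisco. It automates the check the
last reply recommends (are any RSA key pairs present?) and reports each key's
modulus size, so a 512-bit key like the one generated earlier is flagged.
All sample outputs below are CONSTRUCTED, not captured from a device.
"""
import re
from dataclasses import dataclass

MIN_MODULUS_BITS = 2048  # assumption: today's floor; the 512 used in the post is far too small
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length


def modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, p, _ = _tlv(spki, 0)            # outer SEQUENCE
    _, _, alg_end = _tlv(spki, p)        # AlgorithmIdentifier SEQUENCE, skipped
    bit_tag, b, _ = _tlv(spki, alg_end)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x30 or bit_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, r, _ = _tlv(spki, b + 1)          # +1 skips the unused-bits octet
    int_tag, n0, n1 = _tlv(spki, r)      # first INTEGER of RSAPublicKey is the modulus
    if int_tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(spki[n0:n1], "big").bit_length()


def make_spki(bits: int) -> bytes:
    """CONSTRUCTED key for the samples: correct DER shape and size, not a real key."""
    n = (1 << (bits - 1)) | 1            # odd and exactly `bits` long
    rsa_pub = _der(0x30, _der_int(n) + _der_int(65537))
    return _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_pub))


def ios_key_data(spki: bytes) -> str:
    """Lay hex out the way IOS prints Key Data: 8-digit groups, eight per line."""
    g = [spki.hex().upper()[i:i + 8] for i in range(0, len(spki) * 2, 8)]
    return "\n".join("  " + " ".join(g[i:i + 8]) for i in range(0, len(g), 8))


@dataclass
class RsaKey:
    name: str
    usage: str          # "General Purpose Key", "Signature Key" or "Encryption Key"
    generated_at: str
    bits: int


def parse_mypubkey(output: str) -> list[RsaKey]:
    """One RsaKey per '% Key pair was generated at:' block in the command output."""
    keys = []
    for block in re.split(r"^% Key pair was generated at:", output, flags=re.M)[1:]:
        header, _, rest = block.partition("Key Data:")
        fields = dict(re.findall(r"^\s*(Key name|Usage):\s*(.+?)\s*$", header, flags=re.M))
        hex_lines = []
        for line in rest.splitlines():
            if re.fullmatch(r"\s*(?:[0-9A-Fa-f]{2,8}\s*)+", line):
                hex_lines.append(line)
            elif line.strip():
                break                      # anything non-hex ends the Key Data section
        spki = bytes.fromhex(re.sub(r"\s", "", "".join(hex_lines)))
        keys.append(RsaKey(fields.get("Key name", "?"), fields.get("Usage", "?"),
                           header.split("\n", 1)[0].strip(), modulus_bits(spki)))
    return keys


def audit(output: str) -> list[str]:
    """Findings a defender acts on: no keys at all, or a modulus below the floor."""
    keys = parse_mypubkey(output)
    if not keys:
        return ["no RSA key pairs present: SSH cannot run; keys were never generated "
                "or the config was not saved (write memory) before a reload"]
    return [f"{k.name} [{k.usage}, generated {k.generated_at}]: {k.bits}-bit modulus "
            f"is below {MIN_MODULUS_BITS}; regenerate" for k in keys if k.bits < MIN_MODULUS_BITS]


# CONSTRUCTED sample modelled on the post above: 512-bit 'usage-keys' produce two pairs.
SAMPLE_USAGE_512 = "".join(
    f"% Key pair was generated at: 15:44:16 BST Jun 7 2005\nKey name: switch.example.com\n"
    f" Usage: {usage}\n Key is not exportable.\n Key Data:\n{ios_key_data(make_spki(512))}\n"
    for usage in ("Signature Key", "Encryption Key"))
# CONSTRUCTED sample of a single 2048-bit general-purpose pair.
SAMPLE_GENERAL_2048 = (f"% Key pair was generated at: 09:00:00 UTC Jan 10 2020\nKey name: switch.example.com\n"
                       f" Usage: General Purpose Key\n Key is not exportable.\n Key Data:\n{ios_key_data(make_spki(2048))}\n")
```

Feed `audit()` the text pasted from the device; an empty result means keys are present and large enough. Because the modulus size comes from the printed key material itself, the script works on older images that print no explicit size, and the "generated at" timestamp it carries through lets you confirm, when a lockout happens, whether the keys on the box are the ones you originally generated or a fresh set.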

900 Views | 2 Helpful | 3 Replies