6 Replies. Latest reply: Feb 21, 2019 7:03 AM by jonathan

    ip ssh rsa keypair-name command

    chacha2me

      I am moving from telnet to SSH remote access for all of my Cisco routers and switches. According to Cisco, with the latest IOS, the ip ssh rsa keypair-name command allows the user to specify the RSA key that is used for the SSH connection. Previously, SSH was linked to the first RSA keys that were generated, so there is no way to know which key is used for the SSH connection. My questions are:

      - What is the security implication if I leave the SSH connection linked to the default RSA key?

      - What is the advantage of linking the SSH connection to a known RSA key?


      Thanks

        • 1. Re: ip ssh rsa keypair-name command
          Conwyn

          username conwyn privilege 15 password cisco

          crypto key generate rsa usage-keys label myrsakey modulus 768

          ip ssh authentication-retries 5

          ip ssh rsa keypair-name myrsakey

          line vty 0 4

          login local (no need for aaa new-model)

          transport input ssh


          SSHClient#ssh -l conwyn 192.168.1.2


          Password:

          • 2. Re: ip ssh rsa keypair-name command
            chacha2me

            Yes, I did that. But my IOS does not support the keypair-name command. It has a default RSA key. That is why I posted this thread with the question:

            What is the security implication if I don't use the keypair-name command?


            Thanks

            • 3. Re: ip ssh rsa keypair-name command
              Richard Burts

              In the IOS versions that do support the keypair name, you now have the option to specify a particular key pair to use for SSH. To the extent that there may be other functions that also use the RSA key to encrypt something, having a separate key for SSH would create a higher security level, since you would reduce the number of times that key is used.


              Perhaps an example may help. Let us assume that you have created an RSA key pair specifically for SSH and another RSA key pair for some other uses. Let us then assume that you have done SSH to the device 1000 times and that you have done the other function 1000 times. Your SSH key has been used 1000 times. In the older software that does not support key pair names, you would have a single RSA key and it has been used 2000 times. Remember that the more times a key is used, the more opportunity there is for someone to find a pattern and to break the key.


              HTH


              Rick

              • 4. Re: ip ssh rsa keypair-name command
                chacha2me

                Rick,


                Awesome explanation. That is exactly what I am looking for.

                Now let's say that I have several RSA keys on my Catalyst switch. From my understanding, if you don't use the keypair command, the SSH connection will use the default key. Is there a way to see which key the SSH connection is using, and the length of that default key? Thanks

                • 5. Re: ip ssh rsa keypair-name command
                  Richard Burts

                  I am glad that my explanation was helpful.


                  I think I remember being on devices where I could find the length of the key. But the switches I can see at the moment do not display the key length. You can use the command sho crypto key mypubkey rsa and it will show information about the key, but at least on the switches I just checked, not the length of the key.


                  HTH


                  Rick
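Rick's observation that show crypto key mypubkey rsa lists the key but not its length, and the earlier question about the size of the default key, can be settled from the hex Key Data that command does print: it is a DER SubjectPublicKeyInfo, so the modulus length can be parsed offline. The following is an added example, not code from this thread or from Cisco; it assumes the Key Data is printed as whitespace-separated hex groups, and the sample key it builds uses a constructed placeholder modulus, not a key exported from any device.

```python
# Added example. Key Data layout (RFC 5280 SubjectPublicKeyInfo, PKCS#1 RSAPublicKey):
#   SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
#              BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }

def _der_len(der: bytes, pos: int):
    """Return (length, offset of content) for the DER length field at pos."""
    first = der[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _expect(der: bytes, pos: int, tag: int) -> int:
    if der[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}, got {der[pos]:#x}")
    return pos + 1                        # offset of the length field

def rsa_modulus_bits(key_data_hex: str) -> int:
    """Modulus size in bits, from the hex 'Key Data' block (whitespace ignored)."""
    der = bytes.fromhex("".join(key_data_hex.split()))
    _, pos = _der_len(der, _expect(der, 0, 0x30))          # SubjectPublicKeyInfo
    alg_len, pos = _der_len(der, _expect(der, pos, 0x30))  # AlgorithmIdentifier
    pos += alg_len                                         # skip OID + NULL
    _, pos = _der_len(der, _expect(der, pos, 0x03))        # BIT STRING
    pos += 1                                               # unused-bits octet
    _, pos = _der_len(der, _expect(der, pos, 0x30))        # RSAPublicKey
    n_len, pos = _der_len(der, _expect(der, pos, 0x02))    # INTEGER n
    return int.from_bytes(der[pos:pos + n_len], "big").bit_length()

# Minimal DER encoder, used only to fabricate CONSTRUCTED sample Key Data.
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep it positive

def constructed_key_data(bits: int) -> str:
    """IOS-style hex groups for a placeholder (NOT real) modulus of `bits` bits."""
    n = (1 << (bits - 1)) | 12345                           # top bit set, odd
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _tlv(0x30, bytes.fromhex("06092A864886F70D0101010500"))  # rsaEncryption, NULL
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    h = spki.hex().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))
```

Paste the Key Data lines from the real show output into rsa_modulus_bits to get the length of whichever key is named there; on releases that support it, show ip ssh reports which key pair SSH is bound to.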

                  • 6. Re: ip ssh rsa keypair-name command
                    jonathan

                    sho ssh

                    sho ip ssh

                    (denali 16.3...)