I was recently working on some equipment for a client and had to enable SSH without having a domain defined.
Is it possible? The short answer is yes, and there are a couple of ways of doing it.
I was recently working on configuring some equipment. When I finished the functional (routing, ACLs, etc.) part of the configuration, I handed it over to the client for them to put on their “standard config” bits. This included among other things SNMP settings, domain-name, TACACS, updating the local admin account and those sorts of things. The important part of this is that the devices currently didn’t have a domain-name defined.
As part of this they were developing a rebuild procedure in the event of a fault. This was done by erasing a switch and redeploying the configuration from the back-up system to see if there were any gotchas.
When the configuration was deployed we noticed that you could no longer SSH to the device. This was a bit out of left field as all the other devices had SSH working fine. So we checked the key with:
CGR#show crypto key mypubkey rsa
CGR#
Sure enough, no key. That should be easy enough to fix, just generate an RSA key.
CGR(config)#crypto key generate rsa
% Please define a domain-name first.
Oh yeah, we hadn’t defined the domain yet. So, how did the other devices have a key and on this one we couldn’t even generate one?
Out of the Box
When you get a Cisco device out of the box, usually they have ip http secure-server in their configuration. The thing about ip http secure-server is it will generate a key for you. It’s not quite the same as if you generate it with the crypto key generate rsa command.
ip http secure-server
If you enable secure-server, the router generates a key for you:
CGR(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
CGR(config)#
*Mar 1 00:09:11.447: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 00:09:11.799: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
CGR(config)#exit
%Mar 1 00:09:17.067: %SYS-5-CONFIG_I: Configured from console by console
CGR#show crypto key mypubkey rsa
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DC7ABC
D4AC6786 BDA8E1E4 288314DA 3D9D8740 7C7DE9B8 0CB444E6 1B6362E4 1D6E0A3A
B06D17C1 C2F788EF B309B9BC 661E7332 8F45C310 208E140E 1DF5CAF7 9D3034AD
7FF0F89D 50A60B60 657AFEF9 D404CCE6 4430E1B2 658E420D ADFE56FB 835ECC14
CA4536EC DA89B7FB C80A5FEE 58BA6B92 F5C6178B CD01851F 09DC368E F1020301
0001
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BDCCB2 3B83332C
9B6ACFBD BE9A6049 3D534E97 4CDCA950 A6595347 4D630D93 FB804466 7192256B
DF617EBE 119C21F6 CA8B1720 EAD40ED0 F0B0A5A8 2C33E2B6 497298BE 3836D2E5
98D396B6 227BC121 851E3FD3 105AFBA1 4E9C37A9 67F496BF B3020301 0001
You can see in the above output that SSH is enabled and a key has been generated.
Generating a key
Now, let’s try to generate a key with a domain name defined and compare the results.
First we will remove the key with the crypto key zeroize rsa command.
CGR(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: y
CGR(config)#
*Mar 1 00:13:12.547: %SSH-5-DISABLED: SSH 1.99 has been disabled
CGR(config)#
CGR#show crypto key mypubkey rsa
CGR#
Now, let’s use a temporary domain-name and generate a key.
CGR(config)#ip domain-name etherhex.com
CGR(config)#crypto key generate rsa
The name for the keys will be: CGR.etherhex.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus : 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
CGR(config)#
*Mar 1 00:16:23.123: %SSH-5-ENABLED: SSH 1.99 has been enabled
CGR(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 00:16:23 UTC Mar 1 2002
Key name: CGR.etherhex.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C77E53
0A52DD0F 3D41105F 5C7E625A 9E34A506 80FE75C1 B50A8AF3 495C1994 F7956C57
EC67F90D C4E32B0C 95E0685C 683ECF2A 7C3F6E9C 5B3BBF33 DFDEA0B3 F2C14939
0E2334BE 09F5F24C FEA2EC0C 604CEBF5 BEB6F820 6C493224 52941186 E2CFE4EF
154DD171 F291A599 8D84B9AD 3C0FC4CF 128CE883 801C4167 483AFB32 DB020301
0001
% Key pair was generated at: 00:16:23 UTC Mar 1 2002
Key name: CGR.etherhex.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C2F89D 15352473
D8DA5660 FB5BBAB4 A959E8CA 71A3F7A9 1EC60B07 594350E5 9DCE7410 5F30BDB0
85E39FFA C861C74F EB0A8C3D 2D1718DA 338F3BA1 444B0DD6 B21B2BE1 CF688406
DAC51C35 2ACB1C93 F8D4F67C 6B72117A 3AFE188E 28CEBB12 BF020301 0001
Make sure you choose a modulus over 768 bits if you want SSH 1.99 to be enabled; otherwise you get SSH 1.5.
There are a few differences. The main one is that in the first case the self-signed key gives itself a pseudo-random name:
Key name: TP-self-signed-998521732
Whereas the second actually refers to the hostname.domain-name:
Key name: CGR.etherhex.com
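The two listings above differ in more than the key name, and the only way to see that from a terminal capture is to decode the Key Data. The following is an added example, not code from the post: it parses the output of show crypto key mypubkey rsa, decodes the DER-encoded SubjectPublicKeyInfo in each Key Data block to get the modulus size and public exponent, and tags each key by its name using the naming rule the post describes (TP-self-signed-<n> from ip http secure-server, <hostname>.<domain-name> from crypto key generate rsa). The sample text is the post's own ip http secure-server listing; its one-field-per-line layout and the constant and function names are my own.

```python
"""Added example (not from the post): parse the output of the IOS command
'show crypto key mypubkey rsa' and report each RSA key's modulus size,
public exponent and, from the key name, which command created it."""
import re

# SSH 1.99 (SSHv2) needs a modulus of at least 768 bits; IOS documents 768
# as the minimum, and the post advises picking a value above it.
MIN_SSH2_MODULUS_BITS = 768

# The post's own 'ip http secure-server' key listing, laid out one field per
# line (the layout is constructed; the key material is copied from the post).
SAMPLE_SHOW_OUTPUT = """\
CGR#show crypto key mypubkey rsa
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DC7ABC
D4AC6786 BDA8E1E4 288314DA 3D9D8740 7C7DE9B8 0CB444E6 1B6362E4 1D6E0A3A
B06D17C1 C2F788EF B309B9BC 661E7332 8F45C310 208E140E 1DF5CAF7 9D3034AD
7FF0F89D 50A60B60 657AFEF9 D404CCE6 4430E1B2 658E420D ADFE56FB 835ECC14
CA4536EC DA89B7FB C80A5FEE 58BA6B92 F5C6178B CD01851F 09DC368E F1020301
0001
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BDCCB2 3B83332C
9B6ACFBD BE9A6049 3D534E97 4CDCA950 A6595347 4D630D93 FB804466 7192256B
DF617EBE 119C21F6 CA8B1720 EAD40ED0 F0B0A5A8 2C33E2B6 497298BE 3836D2E5
98D396B6 227BC121 851E3FD3 105AFBA1 4E9C37A9 67F496BF B3020301 0001
"""

# A line consisting only of hex words (the Key Data rows).
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{2,}(?:\s+[0-9A-Fa-f]{2,})*$")


def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, content offset)."""
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _expect(buf, i, tag):
    """Check the DER tag at buf[i] and return (length, content offset)."""
    if buf[i] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {i}, got 0x{buf[i]:02x}")
    return _der_len(buf, i + 1)


def rsa_public_key_params(der):
    """Return (modulus_bits, public_exponent) from a SubjectPublicKeyInfo blob."""
    _, i = _expect(der, 0, 0x30)          # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _expect(der, i, 0x30)    # AlgorithmIdentifier SEQUENCE (skipped)
    i += alg_len
    _, i = _expect(der, i, 0x03)          # BIT STRING wrapping RSAPublicKey
    if der[i] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    i += 1
    _, i = _expect(der, i, 0x30)          # RSAPublicKey SEQUENCE
    n_len, i = _expect(der, i, 0x02)      # INTEGER modulus n
    modulus = int.from_bytes(der[i:i + n_len], "big")
    i += n_len
    e_len, i = _expect(der, i, 0x02)      # INTEGER public exponent e
    exponent = int.from_bytes(der[i:i + e_len], "big")
    return modulus.bit_length(), exponent


def parse_show_crypto_key(text):
    """Parse 'show crypto key mypubkey rsa' output into a list of key records."""
    keys, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("% Key pair was generated at:"):
            cur = {"generated": line.split("at:", 1)[1].strip(), "hex": []}
            keys.append(cur)
        elif cur is None:
            continue                      # prompt lines before the first key
        elif line.startswith("Key name:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Usage:"):
            cur["usage"] = line.split(":", 1)[1].strip()
        elif HEX_LINE.match(line):
            cur["hex"].append(line.replace(" ", ""))
    for k in keys:
        der = bytes.fromhex("".join(k.pop("hex")))
        k["modulus_bits"], k["exponent"] = rsa_public_key_params(der)
        k["ssh2_capable"] = k["modulus_bits"] >= MIN_SSH2_MODULUS_BITS
        # Naming rule from the post: ip http secure-server produces
        # TP-self-signed-<n>; crypto key generate rsa produces hostname.domain.
        k["origin"] = ("ip http secure-server" if k["name"].startswith("TP-self-signed-")
                       else "crypto key generate rsa")
    return keys


if __name__ == "__main__":
    for k in parse_show_crypto_key(SAMPLE_SHOW_OUTPUT):
        print(f"{k['name']}: {k['usage']}, {k['modulus_bits']}-bit modulus, "
              f"e={k['exponent']}, origin={k['origin']}, SSHv2-capable={k['ssh2_capable']}")
```

Run against the post's listing, the decoder shows that the General Purpose key is 1024 bits but the .server Encryption Key is only 768 bits, so a key audit that reads only the "% Generating 1024 bit RSA keys" banner would miss it. Paste any device's show crypto key mypubkey rsa output into SAMPLE_SHOW_OUTPUT (or read it from a file) to get the same report for a fleet.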
So if you just need to enable SSH quickly, ip http secure-server is one option. Generating an RSA key with a domain-name defined is probably a little better, as the key name refers to an actual device and domain name. If you want to do things properly you probably shouldn’t be using self-signed keys anyway, but in a lab environment it’s nice and quick!