Crypto Key without a Domain

I was recently working on some equipment for a client and had to enable SSH without having a domain defined.

Is it possible? Short answer is yes and there are a couple of ways of doing it.

Some Background

I was recently working on configuring some equipment. When I finished the functional part of the configuration (routing, ACLs, etc.), I handed it over to the client so they could add their “standard config” bits. This included, among other things, SNMP settings, domain-name, TACACS, updating the local admin account and the like. The important point is that the devices did not yet have a domain-name defined.

As part of this, they were developing a rebuild procedure for use in the event of a fault. It was tested by erasing a switch and redeploying the configuration from the backup system to see if there were any gotchas.

The Problem

When the configuration was deployed, we noticed that we could no longer SSH to the device. This was a bit out of left field, as all the other devices had SSH working fine. So we checked for a key with:

CGR#show crypto key mypubkey rsa
CGR#

Sure enough, no key. That should be easy enough to fix: just generate an RSA key pair.

CGR(config)#crypto key generate rsa
% Please define a domain-name first.

Oh yeah, we hadn’t defined the domain yet. So how did the other devices have a key when on this one we couldn’t even generate one?

Out of the Box

When you get a Cisco device out of the box, it usually has ip http secure-server in its configuration. The thing about ip http secure-server is that it generates an RSA key pair for you, and it does so without a domain-name being defined. The result is not quite the same as a key generated with the crypto key generate rsa command.

ip http secure-server

If you enable secure-server, the router generates a key pair for you:

CGR(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
CGR(config)#
*Mar 1 00:09:11.447: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 00:09:11.799: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
CGR(config)#exit
%Mar 1 00:09:17.067: %SYS-5-CONFIG_I: Configured from console by console
CGR#show crypto key mypubkey rsa
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DC7ABC
 D4AC6786 BDA8E1E4 288314DA 3D9D8740 7C7DE9B8 0CB444E6 1B6362E4 1D6E0A3A
 B06D17C1 C2F788EF B309B9BC 661E7332 8F45C310 208E140E 1DF5CAF7 9D3034AD
 7FF0F89D 50A60B60 657AFEF9 D404CCE6 4430E1B2 658E420D ADFE56FB 835ECC14
 CA4536EC DA89B7FB C80A5FEE 58BA6B92 F5C6178B CD01851F 09DC368E F1020301 0001
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BDCCB2 3B83332C
 9B6ACFBD BE9A6049 3D534E97 4CDCA950 A6595347 4D630D93 FB804466 7192256B
 DF617EBE 119C21F6 CA8B1720 EAD40ED0 F0B0A5A8 2C33E2B6 497298BE 3836D2E5
 98D396B6 227BC121 851E3FD3 105AFBA1 4E9C37A9 67F496BF B3020301 0001

You can see in the above output that SSH is enabled and a key pair is generated, with no domain-name configured.

Generating a key

Now let’s generate a key with a domain-name defined and compare the results.

First we remove the existing key with the crypto key zeroize rsa command.

CGR(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: y
CGR(config)#
*Mar 1 00:13:12.547: %SSH-5-DISABLED: SSH 1.99 has been disabled
CGR(config)#
CGR#show crypto key mypubkey rsa

CGR#

Key gone.

Now let’s set a temporary domain-name and generate a key.

CGR(config)#ip domain-name etherhex.com
CGR(config)#crypto key generate rsa
The name for the keys will be: CGR.etherhex.com
Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
CGR(config)#
*Mar 1 00:16:23.123: %SSH-5-ENABLED: SSH 1.99 has been enabled
CGR(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 00:16:23 UTC Mar 1 2002
Key name: CGR.etherhex.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C77E53
 0A52DD0F 3D41105F 5C7E625A 9E34A506 80FE75C1 B50A8AF3 495C1994 F7956C57
 EC67F90D C4E32B0C 95E0685C 683ECF2A 7C3F6E9C 5B3BBF33 DFDEA0B3 F2C14939
 0E2334BE 09F5F24C FEA2EC0C 604CEBF5 BEB6F820 6C493224 52941186 E2CFE4EF
 154DD171 F291A599 8D84B9AD 3C0FC4CF 128CE883 801C4167 483AFB32 DB020301 0001
% Key pair was generated at: 00:16:23 UTC Mar 1 2002
Key name: CGR.etherhex.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C2F89D 15352473
 D8DA5660 FB5BBAB4 A959E8CA 71A3F7A9 1EC60B07 594350E5 9DCE7410 5F30BDB0
 85E39FFA C861C74F EB0A8C3D 2D1718DA 338F3BA1 444B0DD6 B21B2BE1 CF688406
 DAC51C35 2ACB1C93 F8D4F67C 6B72117A 3AFE188E 28CEBB12 BF020301 0001

Make sure you choose a modulus over 768 bits if you want SSH 1.99 (that is, SSH version 2) to be enabled; otherwise you only get SSH 1.5.

The Differences

There are a few differences. The main one is that in the first case the self-signed key is given a pseudo-random name:

Key name: TP-self-signed-998521732

Whereas in the second case the key name is derived from hostname.domain-name:

Key name: CGR.etherhex.com

So if you just need to enable SSH quickly, ip http secure-server is one option. Generating an RSA key with a domain-name defined is probably a little better, as the key name refers to the actual device and domain. If you want to do things properly you probably shouldn’t be using self-signed keys anyway, but in a lab environment it’s nice and quick!
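As an added example (not from the original post, and not a Cisco tool), here is a small Python script that ties together the modulus-size note above and the key-name comparison. It reads the key data printed by show crypto key mypubkey rsa, decodes it as the DER SubjectPublicKeyInfo it actually is (the blob starts with the rsaEncryption OID), and reports modulus size and public exponent, whether the name is the TP-self-signed-<number> form or the hostname.domain-name form, and whether the modulus clears the 768-bit minimum IOS needs for SSH version 2. The sample input is copied from the outputs above (the secure-server key and the .server encryption key of the CGR.etherhex.com pair); the function names and the threshold constant are my own.

```python
import re

# IOS will not run SSH version 2 (the "SSH 1.99" banner) with a modulus
# below 768 bits; the post recommends going over that and used 1024.
SSHV2_MIN_MODULUS_BITS = 768


def _der_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, length, content_start)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def _expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"bad DER: expected {what} (0x{wanted:02x}), got 0x{tag:02x}")


def rsa_spki_params(der):
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo,
    which is what IOS prints under 'Key Data'."""
    tag, _, pos = _der_tlv(der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, length, pos = _der_tlv(der, pos)
    _expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    pos += length                          # skip OID rsaEncryption + NULL parameters
    tag, _, pos = _der_tlv(der, pos)
    _expect(tag, 0x03, "BIT STRING")
    pos += 1                               # unused-bits byte (0x00)
    tag, _, pos = _der_tlv(der, pos)
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, length, pos = _der_tlv(der, pos)
    _expect(tag, 0x02, "INTEGER modulus")
    n = int.from_bytes(der[pos:pos + length], "big")
    pos += length
    tag, length, pos = _der_tlv(der, pos)
    _expect(tag, 0x02, "INTEGER exponent")
    e = int.from_bytes(der[pos:pos + length], "big")
    return n.bit_length(), e


# A line of key data: 8-hex-digit words, the last word may be shorter ("0001")
HEX_LINE = re.compile(r"[0-9A-Fa-f]{8}(?:\s+[0-9A-Fa-f]{1,8})*")


def parse_show_crypto_key(text):
    """Split 'show crypto key mypubkey rsa' output into one dict per key."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Key name:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1), "usage": "", "hex": []}
            keys.append(current)
        elif current is not None and line.startswith("Usage:"):
            current["usage"] = line[len("Usage:"):].strip()
        elif current is not None and HEX_LINE.fullmatch(line):
            current["hex"].append("".join(line.split()))
    return keys


def audit_keys(text):
    """Decode each key and flag how it was named and whether it is big enough for SSHv2."""
    report = []
    for k in parse_show_crypto_key(text):
        bits, e = rsa_spki_params(bytes.fromhex("".join(k["hex"])))
        report.append({
            "name": k["name"],
            "usage": k["usage"],
            "modulus_bits": bits,
            "exponent": e,
            # ip http secure-server names its key TP-self-signed-<number>;
            # crypto key generate rsa uses <hostname>.<domain-name>
            "auto_generated": k["name"].startswith("TP-self-signed-"),
            "meets_sshv2_minimum": bits >= SSHV2_MIN_MODULUS_BITS,
        })
    return report


# Sample input copied from the show output in the post (two of the four keys).
SHOW_OUTPUT = """\
% Key pair was generated at: 00:09:11 UTC Mar 1 2002
Key name: TP-self-signed-998521732
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DC7ABC
 D4AC6786 BDA8E1E4 288314DA 3D9D8740 7C7DE9B8 0CB444E6 1B6362E4 1D6E0A3A
 B06D17C1 C2F788EF B309B9BC 661E7332 8F45C310 208E140E 1DF5CAF7 9D3034AD
 7FF0F89D 50A60B60 657AFEF9 D404CCE6 4430E1B2 658E420D ADFE56FB 835ECC14
 CA4536EC DA89B7FB C80A5FEE 58BA6B92 F5C6178B CD01851F 09DC368E F1020301 0001
% Key pair was generated at: 00:16:23 UTC Mar 1 2002
Key name: CGR.etherhex.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C2F89D 15352473
 D8DA5660 FB5BBAB4 A959E8CA 71A3F7A9 1EC60B07 594350E5 9DCE7410 5F30BDB0
 85E39FFA C861C74F EB0A8C3D 2D1718DA 338F3BA1 444B0DD6 B21B2BE1 CF688406
 DAC51C35 2ACB1C93 F8D4F67C 6B72117A 3AFE188E 28CEBB12 BF020301 0001
"""

if __name__ == "__main__":
    for r in audit_keys(SHOW_OUTPUT):
        print(f"{r['name']:<28} {r['usage']:<20} {r['modulus_bits']:>5} bits  "
              f"e={r['exponent']}  auto-named={r['auto_generated']}  "
              f"sshv2-ok={r['meets_sshv2_minimum']}")
```

Run stand-alone it prints one line per key. On the post's data the TP-self-signed general purpose key decodes to 1024 bits and the .server encryption key of the CGR.etherhex.com pair to only 768 bits, both with public exponent 65537, so the modulus prompt in crypto key generate rsa is worth answering deliberately rather than taking the 512-bit default.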


This entry was posted in Certificates, Config by Tom.
