SSH and crypto key generate command

Question from Dragon0x40:
When crypto key generate rsa is run it creates a pair of RSA keys (certificates?): one public and one private key.

How do the client (SecureCRT, PuTTY, etc.) and the router or switch verify each other's keys as valid?

The keys are generated locally on the router, so I don't believe any external CA is able to verify the keys. Do they just trust each other's key as valid and go ahead and make an SSH tunnel to encrypt their communication? Assuming that there is no harm in doing that because a valid router username and password is still required to enter the router or switch?
SSH keys aren't really for authenticating the client-device relationship. They are for providing a secure channel to hide/encrypt the communications across the SSH tunnel between them, whereas telnet is clear text. Thus, client and device just trust each other and you have to rely on the user credentials for security. You do, however, have to accept the certificate when you first connect to a device, so I guess it is up to the user of the client.

Actually, SSH keys are used for authentication. As mentioned above, when you first connect and accept the public key of a router/switch, the key is added to a trusted key list of devices authenticated by the client. Generally, you can't configure the device to trust a client, so there is the additional username/password required. Other systems, however, maintain a list of trusted client public keys that is used to authenticate the client and allow transparent logins.


Thanks Soulja and Frabble,

Is it similar to an SSL VPN connection?

There is no IPsec with SSH, right?

The tunnel is formed when I put the IP address in SecureCRT or PuTTY, and then I get a message that I have never logged in to that switch or router before, and if I continue an SSL tunnel is formed?

I have only entered "crypto key generate rsa" and then hit the enter key.
Then it prompts me for the modulus size, default of 512, but I usually change it to 1024.

But all I need is to add a host name and domain name to the router, and I have never imported a certificate or anything.

From Cisco document:

crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.

crypto key zeroize rsa [key-pair-label]

Syntax Description
 key-pair-label   (Optional) Specifies the name of the key pair that the router will delete.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
 Release   Modification
 11.3 T    This command was introduced.
           The key-pair-label argument was added.

Usage Guidelines
This command deletes all Rivest, Shamir, and Adleman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:

•Ask the certification authority (CA) administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates using the crypto ca enroll command.

•Manually remove the router's certificates from the configuration by removing the configured trustpoint (using the no crypto ca trustpoint name command.)


Note: This command cannot be undone (after you save your configuration), and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPsec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.


This command is not saved to the configuration.

The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the certificate of the router be revoked. The administrator then deletes the certificate of the router from the configuration.

crypto key zeroize rsa
crypto ca certificate chain
 no certificate

The way SSH works is that the client presents its public key to the server. The server encrypts communication using that public key, and using it, sends its own public key back to the client. That communication can only be decrypted using the client's private key. So now the client gets the server's public key and will encrypt all future communication to the server using that public key.

Now both sides have each other's public keys and have verified that they can decrypt communication from the other side.

Once the public keys have been established, a session key is negotiated and that creates the "tunnel." No one who wasn't privy to the initial encryption/decryption can know the session key, so it is secure.

When you start a new session, if the server sends you a new public key that is different from the one you already had stored, you generally get a clear warning that it doesn't match previous information.
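The host-key check behind that warning, as an added worked example: this is not code from the thread, and it is not how PuTTY, SecureCRT or OpenSSH are actually implemented. It follows the OpenSSH known_hosts file format (plain host lists and "|1|salt|hash" entries, which are HMAC-SHA1 of the host name under a per-line salt) and prints the SHA256 fingerprint in the same form ssh-keygen -l uses. The host names, salt and key blobs are constructed; real entries carry a full ssh-rsa/ssh-ed25519 public-key blob instead. The outcome on a first connection is "unknown" (the trust-on-first-use prompt), a later connection with the same key is "trusted", and a different key for a known host is "CHANGED", the warning the answer above describes.

```python
import base64
import hashlib
import hmac


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a public-key blob, formatted like ssh-keygen -l (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(pattern: str, hostname: str) -> bool:
    """True if a known_hosts host field covers hostname (plain list or hashed form)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entries may list several names/addresses separated by commas.
    # ([host]:port syntax and wildcards are not handled in this example.)
    return hostname in pattern.split(",")


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'trusted', 'unknown' (first connection) or 'CHANGED' (possible MITM or rekey)."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        pattern, ktype, kdata = fields[0], fields[1], fields[2]
        if not host_matches(pattern, hostname) or ktype != key_type:
            continue  # a host may have one stored key per algorithm
        seen_host = True
        if hmac.compare_digest(kdata, key_b64):
            return "trusted"
    return "CHANGED" if seen_host else "unknown"


# Constructed sample data (not real keys or hosts). Real blobs are the wire
# encoding of the public key; any byte string serves for the comparison logic.
ROUTER_KEY = base64.b64encode(b"constructed-rsa-key-blob-for-router1").decode()
SWITCH_KEY = base64.b64encode(b"constructed-rsa-key-blob-for-switch1").decode()
IMPOSTOR_KEY = base64.b64encode(b"constructed-rsa-key-blob-from-impostor").decode()
SAMPLE_SALT = b"0123456789abcdef0123"  # 20 bytes, constructed

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "router1.example.net,10.0.0.1 ssh-rsa " + ROUTER_KEY,
    hashed_host_entry("switch1.example.net", SAMPLE_SALT) + " ssh-rsa " + SWITCH_KEY,
])


def demo() -> dict:
    """Run the three outcomes a client can reach against the sample file."""
    return {
        "router1 same key": check_host_key(SAMPLE_KNOWN_HOSTS, "router1.example.net", "ssh-rsa", ROUTER_KEY),
        "router1 by address": check_host_key(SAMPLE_KNOWN_HOSTS, "10.0.0.1", "ssh-rsa", ROUTER_KEY),
        "switch1 (hashed entry)": check_host_key(SAMPLE_KNOWN_HOSTS, "switch1.example.net", "ssh-rsa", SWITCH_KEY),
        "router1 different key": check_host_key(SAMPLE_KNOWN_HOSTS, "router1.example.net", "ssh-rsa", IMPOSTOR_KEY),
        "router2 never seen": check_host_key(SAMPLE_KNOWN_HOSTS, "router2.example.net", "ssh-rsa", ROUTER_KEY),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-24s %s" % (label, verdict))
    print("router1 fingerprint:", fingerprint(ROUTER_KEY))
```

The "unknown" case is where the user decides: the fingerprint printed at that prompt should be compared, over the console or another channel the router already trusts, with the fingerprint of the key the router generated, since nothing else in the exchange proves the key came from the router rather than from whatever answered on that address. After that first acceptance, only the "CHANGED" case needs attention.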
