Cisco ip ssh rsa keypair-name command

I am moving from telnet to SSH remote access for all of my Cisco routers and switches. According to Cisco, with the latest IOS, the ip ssh rsa keypair-name command allows the user to specify the RSA key that is used for the SSH connection. Previously, SSH was linked to the first RSA keys that were generated, so there was no way to know which key is used for the SSH connection. My questions are:
- What is the security implication if I leave the SSH connection linked to the default RSA key?
- What is the advantage of linking the SSH connection to a known RSA key?


btan (Exec Consultant) commented:
1. The default is SSHv1; 3DES and a 512-bit key length are considered very weak and not recommended. SSHv2 supports AES, a more robust and efficient encryption technology. SSHv2 is also not subject to the same security exploits as SSHv1. You should go for a minimum of 2048 bits, if not at least 1024 bits (the RSA key pair size must be greater than or equal to 768 bits).

2. If you configure the ip ssh rsa keypair-name command with a key pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the key pair is generated later. If you use this command to enable SSH, you are not forced to configure a hostname and a domain name, which was required in SSH Version 1 of the Cisco software.
It is recommended to use user authentication in addition to relying on host authentication; the latter is likely the only default key pair, while the former is specific to whoever is attempting SSH.

Overall, do also note:
- Storing public keys on a server uses memory; therefore, the number of public keys configurable on an SSH server is restricted to ten users, with a maximum of two public keys per user.
- RSA-based user authentication is supported by the Cisco server, but Cisco clients cannot propose public key as an authentication method. If the Cisco server receives a request from an OpenSSH client for RSA-based authentication, the server accepts the authentication request.
- For server authentication, configure the RSA public key of the server manually and configure the ip ssh stricthostkeycheck command on the Cisco SSH client.
leblancAccounting (Author) commented:
Thank you for the reply. So what is the advantage of linking the RSA key that I created with the SSH connection? The link is done with the keypair command.
btan (Exec Consultant) commented:
For client auth, you knowingly allow only those coming in client requests to connect, and for server auth, it serves as the first layer of check, unique to your server and of a stronger strength. This also helps if you have many sites: just making a backup copy with a unique key pair assigned will make each site "unique", so one site key being compromised (due to abuse etc.) does not render the whole of the other sites compromised as well.
Nonetheless, either way works, but we want to be more aware and deterministic, especially when dealing with crypto-related activities. Revocation or renewal of affected keys will be unique to the site.

leblancAccounting (Author) commented:
So from the switch management perspective, especially the SSH connection from my PC to the switches, it does not matter if I use the default key or a specific key that I created. Correct? The reason I ask is because I have 30 switches that do not support the keypair command with the existing IOS. I do want to upgrade the IOS, but I need to validate the reason for using the keypair command before management approves the upgrade. Thx
btan (Exec Consultant) commented:
Yes, the default key generated onboard can still be used then. Requirements include that the Cisco IOS image used must be a k9 (crypto) image in order to support SSH. For example, c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.

If your SSH configuration commands are rejected as illegal commands, you have not successfully generated an RSA key pair for your router. Make sure you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.
leblancAccounting (Author) commented:
"yes the default key generated onboard can still be used then"
OK, so there is no need to upgrade the IOS to support the keypair command. Correct? But if I want to upgrade the IOS, how do I justify the upgrade? Thx
btan (Exec Consultant) commented:
If you need SSH access, please note that the Cisco IOS image used must be a k9 (crypto) image in order to support SSH. Please see below the requirements on the IOS.

SSH was introduced into these Cisco IOS platforms and images:
- SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.0.5.S.
- SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
- SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
- SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
As for the justification for the upgrade: better security compared to Telnet, and a newer IOS for a more secure version and updates as per any recurring maintenance etc.

Do also check the below on SSH settings that minimally you can run through.
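The following is an added configuration example, not part of btan's reply or of Cisco's documentation. It ties together the points raised in the answers above: a named 2048-bit RSA pair generated after hostname and domain are set, SSH bound to that pair explicitly with ip ssh rsa keypair-name so it is deterministic which key the switch presents, SSH version 2 forced, and per-user login on the VTY lines in addition to host authentication. The hostname SW-CORE-01, the domain example.com, the key label SSH-KEY and the user name netadmin are assumed values; replace them for your environment.

```cisco
! Assumed hostname and domain; both must exist before crypto key generate rsa
hostname SW-CORE-01
ip domain-name example.com

! Generate a labelled 2048-bit pair instead of relying on the first unnamed pair.
! The label (SSH-KEY) is an assumption; use a name that identifies this site/device.
crypto key generate rsa general-keys label SSH-KEY modulus 2048

! Bind the SSH server to that pair explicitly so the host key in use is known.
ip ssh rsa keypair-name SSH-KEY

! Force SSHv2 and tighten the session parameters
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

! Per-user authentication on top of the host key (assumed user name; set a strong secret)
username netadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET

! VTY lines: SSH only, local login, idle timeout
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0

! Verification: confirm version 2 is active and that the labelled key is present
show ip ssh
show crypto key mypubkey rsa

! Site-specific revocation or renewal as described above: remove only this labelled
! pair, regenerate it, and SSH picks up the new pair because it is bound by name.
! crypto key zeroize rsa SSH-KEY
```

Because the switch is bound to a named pair, show ip ssh and show crypto key mypubkey rsa let you confirm which key clients are pinning with ip ssh stricthostkeycheck, and zeroizing or regenerating that one label affects only this device rather than whatever unnamed pair happened to be generated first.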

Question has a verified solution.