Note that we have created a bit key in this example. In general, longer keys are more secure, but also require considerably more computing time to generate. SSH Communications Security Corporation, the original developer of the SSH protocol, currently recommends a key length of bits for most applications.
As you can see, the router now has a signature key and an encryption key where it previously had only a general-purpose key. However, it is important to remember that this is only the public key. There is also a corresponding private key that you cannot view on the router. The private key is what the router uses to encrypt things that it sends. The public key can decrypt anything encrypted with the private key. Every device that this router shares encrypted information with will need a copy of the public key, but the private key is secret.
As a side effect of this, the public key provides an excellent authentication system. If a remote device's public key successfully decrypts a message from that device, then you know that this message must have been encrypted with that device's private key. And, consequently, if the private key is really private, the message must actually have been sent by that device.
When you use these keys on routers, we highly recommend using the cut-and-paste feature on your terminal rather than trying to type all of this in manually. A single typographical error in this sequence will make the key useless. Note, however, that there is an inherent security risk in copying and pasting a key like this over a network. If you are using an insecure protocol like Telnet, the packet can be intercepted, and the key information is easily extracted.
So you should avoid doing this over untrusted networks, or you should use a more secure access method such as SSH to access the routers. We discuss using SSH for router access in Recipe 3.
Authors: Kevin Dooley, Ian Brown.

Command history: The redundancy keyword was introduced. The range of values for the modulus keyword was extended. Use this command to generate RSA key pairs for your Cisco device, such as a router.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys. Note: Before issuing this command, ensure that your router has a hostname and IP domain name configured with the hostname and ip domain-name commands. You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. This restriction does not apply when you generate only a named key pair. There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys.
When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys. If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys.
With special-usage keys, each key is not unnecessarily exposed. Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

Named Key Pairs
If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword.
Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate (see the table below for sample times) and takes longer to use. A length of less than bits is normally not recommended.
In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of bits. The largest private RSA key modulus is bits. Therefore, the largest RSA private key a router may generate or import is bits. The recommended modulus for a CA is bits; the recommended modulus for a client is bits. Additional limitations may apply when RSA keys are generated by cryptographic hardware.
Specifying a Storage Location for RSA Keys
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location supersedes any crypto key storage command settings. If your router has a USB token configured and available, the USB token can be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token.
The private key never leaves the USB token and is not exportable. The public key is exportable. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or a similar command is issued.

The following example generates special-usage RSA keys:

Router(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.
So I assume other Macs are on lower versions. Check the OpenSSL version used. RSA should be the default type. What if you omit the -t rsa option altogether? That's what's driving me crazy. Even if I omit the -t rsa on my mac (the working one), it generates RSA correctly. I've had the same problem. As a workaround I've used an older version of openssh to generate the key. Version 7.
The default export publickey format is indeed rfc, but the format in the Q is an internal privatekey format and is OpenSSH's 'new' format, which didn't exist in !
I'm not able to edit the answer, but please be clear that 1. you do NOT need to downgrade for a one-off key generation. Just add the -m PEM — sdoxsee. Thank you!!
Like I already mentioned in the comments on the accepted answer, what's not clear in the accepted answer is that you don't need to create a new key pair.
You can take your existing key and convert it with that command. It overwrites the file, so I think it's a good idea to make a backup before, just in case.
Thanks for adding instructions on how to convert an existing private key to RSA format. Just saved my bacon!
As you can see, the comment is appended in clear text to the end of the public key file. To alter the comment, just edit the public key file with a plain text editor such as nano or vim.
To add a comment to the public key file when generating the key, add -C "your comment" to the key generation command. Notice that each copy of a public key can have its own comment, and you cannot retrieve the comment from the private key.
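As an added illustration of the two points above (this is example code, not part of the original article or of OpenSSH), the following Python builds and parses an ssh-rsa public key line in the wire format used by OpenSSH (string "ssh-rsa", mpint e, mpint n, base64-encoded), showing that the comment is plain text outside the encoded blob and so can differ between copies of the same key. The exponent and modulus are constructed values, not a real key; the blob length it reports is how the modulus size shows up as printed characters.

```python
import base64
import struct


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint: big-endian bytes, with a
    leading 0x00 when the top bit is set so the value is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Produce one id_rsa.pub / authorized_keys style line: type, blob, comment.
    The comment is appended as-is and never enters the encoded blob."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_pubkey_line(line: str) -> dict:
    """Split a public key line and decode the blob. Anything after the second
    field is the free-text comment, which is why it is trivially editable."""
    parts = line.strip().split(" ", 2)
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64)

    def read(buf: bytes, pos: int):
        (length,) = struct.unpack(">I", buf[pos:pos + 4])
        return buf[pos + 4:pos + 4 + length], pos + 4 + length

    inner_type, pos = read(blob, 0)
    e_bytes, pos = read(blob, pos)
    n_bytes, pos = read(blob, pos)
    if inner_type != key_type.encode() or pos != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    n = int.from_bytes(n_bytes, "big")
    return {"type": key_type, "e": int.from_bytes(e_bytes, "big"),
            "bits": n.bit_length(), "blob_chars": len(blob_b64),
            "comment": comment}


# Constructed 2048-bit modulus for demonstration only; NOT a real RSA key.
DEMO_N = (1 << 2047) + 12345
DEMO_LINE = build_pubkey_line(65537, DEMO_N, "alice@laptop")
```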
Passphrases allow you to prevent unauthorized usage of your key by protecting the key itself with a password. Although your ssh directory holding the private keys should be inaccessible to other users, the root user of the system, or anyone who can obtain its privileges, can access your key and copy it.
In this case the passphrase will prevent them from using it. To add a passphrase to a key, just type it when prompted during the key generation process. Keep in mind that the password must be at least 5 characters long. A good passphrase, as I said before, should be at least 10 characters long and consist of random upper and lower case letters, numbers and symbols.
While the passphrase boosts the security of the key, under some conditions you may want to leave it empty. Leaving the passphrase empty allows you to use the key from within scripts, for example to transfer a file via scp. While passphraseless keys are very useful for scripts, just remember to only use them on trusted machines.
To change the passphrase, execute:

After this you will be prompted to enter the location of your private key and to enter the new passphrase twice. Feel free to share your public key; as its name suggests, it should be public. Keep in mind that your private key should be kept private.

Thanks Guy. I need the quick howto, and the description of DSA vs. RSA made it simple and clear which to use.
Thank you. I never came across such a problem; it looks like there is something weird in your ssh configuration. Good article — very clear and concise. I like the way the information is provided. Indeed the information gives a very clear understanding. Can I use rsa and dsa? Are they going to conflict with each other? Both are widely used, so I think they should be good enough. I think it is best to use it on a computer which only you use. I think this article was great.
Is it possible to require users to enter a passphrase when prompted during the key generation process? You could write a wrapper around it. Permission denied (publickey,password,keyboard-interactive). Connection closed. Try running the sshd daemon in debug mode and see its output. I have it set up and working already. However, I initially used a bit key. Apparently, this is not enough, although many say it is. Would using a larger key or even bits increase overhead?
This is a phone, after all. Hi, could you tell us first what ssh-keygen is? I type it on my Windows 7 and it doesn't recognize the command… Thanks. I have what I already know is a stupid question. How many printed characters do the various key lengths correspond to?