Generating and deleting a dsa key pair, Keys – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 84
Enabling and disabling SSH by generating and deleting host keys
To enable SSH, you generate a DSA or RSA host key on the device. The SSH server on the Brocade
device uses this host DSA or RSA key, together with a dynamically generated server DSA or RSA key
pair, to negotiate a session key and encryption method with the client that is trying to connect.
The SSH listener exists at all times, but clients cannot start sessions until a host key has been
generated. After a host key is generated, clients can start sessions.
To disable SSH, you delete all of the host keys from the device.
When a host key is generated, it is saved to the flash memory of all management modules. When a
host key is deleted, it is deleted from the flash memory of all management modules.
The time needed to generate SSH keys initially varies with the configuration, from under a
minute to several minutes.
The SSHv2 RSA host key format differs between the FastIron 07.x.xx, 08.0.00 and 08.0.00a software
versions.
• When you upgrade from FastIron 07.x.xx or 08.0.00 to 08.0.00a, an RSA key that is present under
07.x.xx or 08.0.00 is regenerated at the same size under 08.0.00a. Because a new key is generated,
clients that recorded the previous host key will see a host key mismatch after the upgrade and
must accept the new key. The old SSHv2 host key is retained unless it is cleared with the crypto
key zeroize command.
• When you downgrade the FastIron software from version 08.0.00a to 08.0.00 or 07.x.xx, consider
the following scenarios:
‐ SSHv2 RSA host key created under FastIron 07.x.xx or 08.0.00 and retained under FastIron
08.0.00a: booting with FastIron 07.x.xx or 08.0.00 reads the old-format SSHv2 RSA host key and
enables the SSHv2 RSA server on the switch.
‐ SSHv2 RSA host key created under FastIron 08.0.00a: booting with FastIron 07.x.xx or 08.0.00
does not read the new-format SSHv2 RSA host key, and the SSHv2 server is not enabled on the
switch. SSH access is not available again until a host key is generated under the running
version.
SSH host keys created with the DSA method are interoperable between the FastIron 07.x.xx, 08.0.00
and 08.0.00a software versions.
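Once a host key exists, the only property of it that a connecting client can verify is its fingerprint, and the upgrade and downgrade cases above are exactly the points at which that fingerprint changes. The following Python script is an added example, not code from this guide or from Brocade: it parses an OpenSSH-format public key line (ssh-rsa or ssh-dss, the form a client stores in known_hosts or that ssh-keyscan prints), validates the RFC 4251 wire encoding, computes the SHA256 and legacy MD5 fingerprints the way OpenSSH does, and compares the result with the fingerprint pinned when the key was first generated. The key parameters are constructed demo numbers, not a real switch key; the "old" and "new" keys stand for an RSA host key before and after the same-size regeneration that an upgrade to 08.0.00a performs.

```python
"""Pin and verify a switch's SSH host key fingerprint (added example).

The key parameters below are constructed demo values, NOT real switch keys.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement (non-negative only)."""
    if value < 0:
        raise ValueError("negative mpint not supported")
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the sign bit clear
    return ssh_string(raw)


# Number of integer parameters after the type string: (e, n) and (p, q, g, y)
KEY_FIELDS = {"ssh-rsa": 2, "ssh-dss": 4}


def build_public_key_line(key_type: str, numbers: list, comment: str = "") -> str:
    """Encode key parameters as an OpenSSH single-line public key."""
    if KEY_FIELDS.get(key_type) != len(numbers):
        raise ValueError(f"{key_type} needs {KEY_FIELDS.get(key_type)} numbers")
    blob = ssh_string(key_type.encode()) + b"".join(ssh_mpint(n) for n in numbers)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_public_key_line(line: str):
    """Decode an OpenSSH public-key line, validating the wire format.

    Returns (key_type, [parameters], raw_blob); raises ValueError on bad input."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if key_type not in KEY_FIELDS:
        raise ValueError(f"unsupported key type {key_type}")
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] != key_type.encode():
        raise ValueError("blob type does not match line type")
    if len(fields) - 1 != KEY_FIELDS[key_type]:
        raise ValueError("wrong number of key parameters")
    return key_type, [int.from_bytes(f, "big") for f in fields[1:]], blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 fingerprint, colon-separated hex, as older clients display it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def key_bits(key_type: str, numbers: list) -> int:
    """Key size: RSA modulus n is the second parameter, DSA prime p the first."""
    return numbers[1].bit_length() if key_type == "ssh-rsa" else numbers[0].bit_length()


def check_pinned(line: str, pinned_fingerprint: str) -> dict:
    """Compare a freshly fetched host key with the fingerprint recorded when
    the key was generated. A mismatch right after an upgrade that regenerated
    the RSA key is expected; a mismatch at any other time needs investigation."""
    key_type, numbers, blob = parse_public_key_line(line)
    fingerprint = sha256_fingerprint(blob)
    return {
        "type": key_type,
        "bits": key_bits(key_type, numbers),
        "fingerprint": fingerprint,
        "matches": fingerprint == pinned_fingerprint,
    }


# Constructed demo parameters (not real keys): a 2048-bit RSA modulus, and the
# "regenerated at the same size" modulus an upgrade to 08.0.00a would produce.
RSA_E = 65537
RSA_N_OLD = (1 << 2047) | 0x10001
RSA_N_NEW = (1 << 2047) | 0x20003
OLD_KEY_LINE = build_public_key_line("ssh-rsa", [RSA_E, RSA_N_OLD], "switch-08.0.00")
NEW_KEY_LINE = build_public_key_line("ssh-rsa", [RSA_E, RSA_N_NEW], "switch-08.0.00a")
# Fingerprint pinned when the old key was generated
PINNED = sha256_fingerprint(parse_public_key_line(OLD_KEY_LINE)[2])

if __name__ == "__main__":
    for candidate in (OLD_KEY_LINE, NEW_KEY_LINE):
        print(check_pinned(candidate, PINNED))
```

In practice, capture the key with ssh-keyscan from a trusted network position immediately after the key is generated, store the SHA256 fingerprint, and rerun the check after every software change; a mismatch that no key regeneration explains should be treated as a possible man-in-the-middle. Note also that OpenSSH clients have refused ssh-dss host keys by default since OpenSSH 7.0, so the DSA interoperability across FastIron versions only helps clients that have explicitly re-enabled ssh-dss in HostKeyAlgorithms.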
Generating and deleting a DSA key pair
To generate a DSA key pair, enter the following command.
device(config)#crypto key generate dsa
To delete the DSA host key pair, enter the following command.
device(config)#crypto key zeroize dsa
Syntax: crypto key { generate | zeroize } dsa
The generate keyword places a host key pair in the flash memory and enables SSH on the device, if it
is not already enabled.
The zeroize keyword deletes the host key pair from the flash memory. This disables SSH if no other
server host keys exist on the device.
The dsa keyword specifies a DSA host key pair. This keyword is optional. If you do not enter it, the
command crypto key generate generates a DSA key pair by default, and the command crypto key
zeroize works as described in Deleting DSA and RSA key pairs on page 85.
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03