why is domain-name needed for generating SSH keys?

m4rtinm4rtin Senior MemberMember Posts: 170
in CCNP
One needs to define domain-name before it's possible to generate SSH keys:
sw1(config)#crypto key generate rsa 
% Please define a domain-name first.
sw1(config)#ip domain-name test.net
sw1(config)#crypto key generate rsa       
The name for the keys will be: sw1.test.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:


Why is domain-name required? Is the domain-name used in key generation?
· Share on FacebookShare on Twitter

Comments

  • lrblrb Senior Member Member Posts: 526
    You can get around it if you use labels of the keys:
    Rack9R1(config)#crypto key generate rsa general-keys 
% Please define a domain-name first.
Rack9R1(config)#crypto key generate rsa general-keys  ?
  exportable  Allow the key to be exported
  label       Provide a label
  modulus     Provide number of modulus bits on the command line
  <cr>

Rack9R1(config)#crypto key generate rsa general-keys  label ?
  WORD  RSA keypair label

Rack9R1(config)#crypto key generate rsa general-keys  label R1_KEYS
The name for the keys will be: R1_KEYS
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

Rack9R1(config)#
Apr 23 06:00:18.633: %SSH-5-ENABLED: SSH 1.99 has been enabled

    I'm guessing its just a way to track the keys within the file system, if you look at the below output:

    Rack9R1#show crypto key mypubkey  rsa 
% Key pair was generated at: 06:00:18 UTC Apr 23 2013
Key name: R1_KEYS
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AC46B9 01B48258 
  A7729BC3 BF8F28FD 518493F0 08949A7C 9D85005E B25B8C9B 321A9990 3C81B853 
  491CA192 FFC30355 29AE48D9 2DD0270C 5DA7C8F0 45B24127 3F020301 0001
% Key pair was generated at: 06:00:23 UTC Apr 23 2013
Key name: R1_KEYS.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D8EE94 38A8A9A1 
  147B6EC3 51D13463 65394BD4 C14A2E92 5DCD5351 4D381516 EC0C946B D44D0B8A 
  D38E16A2 392FA797 DCDE91D1 DB9F8623 C45641BB FB100443 63A081BD C7153709 
  DC31D8D4 ABC52288 1DD3F715 8783A67E 6BD9F2AE 429A7E79 71020301 0001

    If you were to cat the public key it would also probably have the hostname + domain name as metadata.
    · Share on FacebookShare on Twitter
  • m4rtinm4rtin Senior Member Member Posts: 170
    lrb,

    ok, I understand now. ssh-keygen supports similar functionality:
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key.test -N '' -t rsa -C [email protected]

    Result looks like this:
    # cat /etc/ssh/ssh_host_rsa_key.test.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlptlvV0Hf0jyUFWcEWq3ucgHwh6wNiB2kE7Yy6/CrGRE2UUGXFpelovjQjdRxuKRFfSbnOaZiC73ZGvYswcUe74dHoxjwdbLewhA2XXBIK19IOGlEVIc4JxF/hyBV1JFXEATohNY+NabWhnO/Lie+RyK++3k4y2TaOGz5WWgwmypYE5i4BndUOXPYIsHZ6UvE9ZtFAmrHhRPp9xxahgcoKyT0OOHC8VVm8sFXOJX+6WgTXpaEFPYESWn8sZDnfqFP4cj14v6Gwwixwmn0oYJyvejWAeSZabaRYdMbq/ej25GCCfZuCR7+0wMPvhsEEBk1xz1B+e/dvlSWQCwggzZ5 [email protected]
#
    · Share on FacebookShare on Twitter
  • dmcneil330dmcneil330 Member Users Awaiting Email Confirmation Posts: 33 ■■□□□□□□□□
    Doesn't it use the domain-name or key label in the algorithm that generates the key? Kind of like how hashing works?
    CCNP: SWITCH[X] ROUTE[] TSHOOT[]
    · Share on FacebookShare on Twitter
  • instant000instant000 Senior Member Member Posts: 1,745
    dmcneil330 wrote: »
    Doesn't it use the domain-name or key label in the algorithm that generates the key? Kind of like how hashing works?

    I see it only as a label. Without knowing how the specific vendor did it, I would not know.

    The formula for "RSA" for example, is designed for using numbers as input. Whether or not a vendor translates this into part of what determines a pseudo random number, for example, I dunno.

    The reason I only think it's a label for the key (so you can keep track of it).

    Look at this command:

    [h=2]crypto key pubkey-chain rsa[/h]
    That command allows you to make your own keys, from the CLI. one command is required to label the key in some way, with either an IP address, or a name.

    Internet Key Exchange Security Protocol Commands  [Support] - Cisco Systems

    If you look here you can see here, it says either specify a label, or it uses the domain name:
    Internet Key Exchange Security Protocol Commands  [Support] - Cisco Systems

    Keep in mind the disclaimer that I don't know how Cisco has implemented the algorithm, so if there is somewhere they use it for seed data, then cool, it matters. Otherwise, it's just a label.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
    · Share on FacebookShare on Twitter
Sign In or Register to comment.