why is domain-name needed for generating SSH keys?

m4rtin Member Posts: 170
One needs to define domain-name before it's possible to generate SSH keys:
sw1(config)#crypto key generate rsa 
% Please define a domain-name first.
sw1(config)#ip domain-name test.net
sw1(config)#crypto key generate rsa       
The name for the keys will be: sw1.test.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 


Why is domain-name required? Is the domain-name used in key generation?

Comments

  • lrb Member Posts: 526
    You can get around it if you use labels of the keys:
    Rack9R1(config)#crypto key generate rsa general-keys 
    % Please define a domain-name first.
    Rack9R1(config)#crypto key generate rsa general-keys  ?
      exportable  Allow the key to be exported
      label       Provide a label
      modulus     Provide number of modulus bits on the command line
      <cr>
    
    Rack9R1(config)#crypto key generate rsa general-keys  label ?
      WORD  RSA keypair label
    
    Rack9R1(config)#crypto key generate rsa general-keys  label R1_KEYS
    The name for the keys will be: R1_KEYS
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
    
    How many bits in the modulus [512]: 
    % Generating 512 bit RSA keys, keys will be non-exportable...[OK]
    
    Rack9R1(config)#
    Apr 23 06:00:18.633: %SSH-5-ENABLED: SSH 1.99 has been enabled
    

    I'm guessing it's just a way to track the keys within the file system, if you look at the below output:

    Rack9R1#show crypto key mypubkey  rsa 
    % Key pair was generated at: 06:00:18 UTC Apr 23 2013
    Key name: R1_KEYS
     Usage: General Purpose Key
     Key is not exportable.
     Key Data:
      305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AC46B9 01B48258 
      A7729BC3 BF8F28FD 518493F0 08949A7C 9D85005E B25B8C9B 321A9990 3C81B853 
      491CA192 FFC30355 29AE48D9 2DD0270C 5DA7C8F0 45B24127 3F020301 0001
    % Key pair was generated at: 06:00:23 UTC Apr 23 2013
    Key name: R1_KEYS.server
     Usage: Encryption Key
     Key is not exportable.
     Key Data:
      307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D8EE94 38A8A9A1 
      147B6EC3 51D13463 65394BD4 C14A2E92 5DCD5351 4D381516 EC0C946B D44D0B8A 
      D38E16A2 392FA797 DCDE91D1 DB9F8623 C45641BB FB100443 63A081BD C7153709 
      DC31D8D4 ABC52288 1DD3F715 8783A67E 6BD9F2AE 429A7E79 71020301 0001
    

    If you were to cat the public key it would also probably have the hostname + domain name as metadata.
  • m4rtin Member Posts: 170
    lrb,

    OK, I understand now. ssh-keygen supports similar functionality:
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key.test -N '' -t rsa -C example@example.org
    

    Result looks like this:
    # cat /etc/ssh/ssh_host_rsa_key.test.pub 
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlptlvV0Hf0jyUFWcEWq3ucgHwh6wNiB2kE7Yy6/CrGRE2UUGXFpelovjQjdRxuKRFfSbnOaZiC73ZGvYswcUe74dHoxjwdbLewhA2XXBIK19IOGlEVIc4JxF/hyBV1JFXEATohNY+NabWhnO/Lie+RyK++3k4y2TaOGz5WWgwmypYE5i4BndUOXPYIsHZ6UvE9ZtFAmrHhRPp9xxahgcoKyT0OOHC8VVm8sFXOJX+6WgTXpaEFPYESWn8sZDnfqFP4cj14v6Gwwixwmn0oYJyvejWAeSZabaRYdMbq/ej25GCCfZuCR7+0wMPvhsEEBk1xz1B+e/dvlSWQCwggzZ5 example@example.org
    #
    
  • dmcneil330 Users Awaiting Email Confirmation Posts: 33
    Doesn't it use the domain-name or key label in the algorithm that generates the key? Kind of like how hashing works?
    CCNP: SWITCH[X] ROUTE[] TSHOOT[]
  • instant000 Member Posts: 1,745
    dmcneil330 wrote: »
    Doesn't it use the domain-name or key label in the algorithm that generates the key? Kind of like how hashing works?

    I see it only as a label. Without knowing how the specific vendor did it, I would not know.

    The formula for "RSA" for example, is designed for using numbers as input. Whether or not a vendor translates this into part of what determines a pseudo random number, for example, I dunno.

    The reason I think it's only a label for the key (so you can keep track of it):

    Look at this command:

    crypto key pubkey-chain rsa
    That command allows you to make your own keys from the CLI. One command is required to label the key in some way, with either an IP address or a name.

    Internet Key Exchange Security Protocol Commands  [Support] - Cisco Systems

    If you look here, you can see it says either specify a label or it uses the domain name:
    Internet Key Exchange Security Protocol Commands  [Support] - Cisco Systems

    Keep in mind the disclaimer that I don't know how Cisco has implemented the algorithm, so if there is somewhere they use it for seed data, then cool, it matters. Otherwise, it's just a label.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
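As an added example (not code from this thread, nor from Cisco or OpenSSH), the Python below decodes the two Key Data blobs shown in lrb's `show crypto key mypubkey rsa` output, which IOS prints as a hex dump of a DER SubjectPublicKeyInfo, and then re-encodes the first one in the `ssh-rsa <base64> <comment>` line format that ssh-keygen writes. It addresses the question running through lrb's, dmcneil330's and instant000's posts: the public key material consists of the modulus and public exponent only, and neither the IOS label (`R1_KEYS`) nor a hostname.domain string appears inside those bytes; both formats carry the name next to the key as metadata. The DER walker and the OpenSSH encoder/decoder are my own minimal implementations; the hex dumps are copied from the posts above, and the `R1_KEYS` comment attached to the rebuilt OpenSSH line is a constructed stand-in for whatever ssh-keygen's `-C` would write.

```python
import base64

# rsaEncryption OID 1.2.840.113549.1.1.1 as DER value bytes
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")

# "Key Data" hex dumps copied from the thread's `show crypto key mypubkey rsa` output
CISCO_KEY_DATA = {
    "R1_KEYS": """
      305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AC46B9 01B48258
      A7729BC3 BF8F28FD 518493F0 08949A7C 9D85005E B25B8C9B 321A9990 3C81B853
      491CA192 FFC30355 29AE48D9 2DD0270C 5DA7C8F0 45B24127 3F020301 0001""",
    "R1_KEYS.server": """
      307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D8EE94 38A8A9A1
      147B6EC3 51D13463 65394BD4 C14A2E92 5DCD5351 4D381516 EC0C946B D44D0B8A
      D38E16A2 392FA797 DCDE91D1 DB9F8623 C45641BB FB100443 63A081BD C7153709
      DC31D8D4 ABC52288 1DD3F715 8783A67E 6BD9F2AE 429A7E79 71020301 0001""",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (not needed here, but correct)
        num = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num], "big")
        pos += num
    return tag, buf[pos:pos + length], pos + length


def parse_cisco_key_data(hex_dump):
    """Decode an IOS Key Data blob (DER SubjectPublicKeyInfo) into (n, e, der_bytes)."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier { OID, NULL }
    _, oid, _ = _read_tlv(alg_id, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_pub, _ = _read_tlv(bit_string[1:], 0)   # SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"), der


def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(x):
    """RFC 4251 'mpint': two's-complement big-endian, leading 0x00 if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def build_openssh_pubkey(n, e, comment):
    """Produce an authorized_keys-style line; the comment sits outside the base64 blob."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_openssh_pubkey(line):
    """Split an ssh-rsa line into its key type, e, n, comment and the raw blob."""
    keytype, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)    # strict: rejects a mangled copy/paste
    fields, pos = [], 0
    while pos < len(blob):
        ln = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if keytype != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return {"type": fields[0].decode(), "e": int.from_bytes(fields[1], "big"),
            "n": int.from_bytes(fields[2], "big"),
            "comment": rest[0] if rest else "", "blob": blob}


def label_in_key_material(label, der, blob):
    """True only if the label's bytes occur inside either encoding of the key itself."""
    return label.encode() in der or label.encode() in blob


def summarize():
    """Modulus size, exponent and label check for every IOS key in the sample."""
    out = {}
    for label, hex_dump in CISCO_KEY_DATA.items():
        n, e, der = parse_cisco_key_data(hex_dump)
        blob = parse_openssh_pubkey(build_openssh_pubkey(n, e, label))["blob"]
        out[label] = {"modulus_bits": n.bit_length(), "e": e,
                      "label_in_key": label_in_key_material(label, der, blob)}
    return out


if __name__ == "__main__":
    for label, info in summarize().items():
        print(label, info)
```

Running it reports 512 bits for `R1_KEYS` (matching the "% Generating 512 bit RSA keys" line in the post) and 768 bits for `R1_KEYS.server`, exponent 65537 for both, and `label_in_key: False` for both: the name IOS assigned is not present in the DER bytes, and after re-encoding as an OpenSSH line it lives only in the trailing comment. The `validate=True` on the base64 decode is deliberate: a public-key line that lost a character in copying raises an error instead of silently yielding a truncated modulus.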