[c-nsp] Keyword Suggestion for Crypto Key Commands

John Neiberger John.Neiberger at efirstbank.com
Thu Sep 8 16:45:23 EDT 2005


I posted this elsewhere but I thought I'd post it here just to get some
opinions. Has this happened to you? You have someone who takes a config
from one device, modifies it, and pastes it into another device. You are
using SSH and have disabled Telnet. The vty lines have "transport input
ssh" on them. Unfortunately, the tech forgets to generate the crypto
keys, so you're now locked out of the device and have to drive to the
location to resolve the problem.

Here's my idea for Cisco. One aspect of this problem is that the
"crypto key generate rsa" command does not appear in the configuration,
so it does not get copied to the new device. I would imagine that this
is because you don't want to generate new keys every time the device
boots. What if you were to add a keyword like "if-missing" to the
command so it looked like this:

Router(config)#crypto key gen rsa 512 if-missing

That would only generate a key if one was not already present. Now you
could have this line appear in the config with no bad side effects, and
you no longer have to worry about techs forgetting to do it manually.

What do you think? Bad idea? Good idea? Misguided idea?  :-)

Thanks,
John
--
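The lockout described in the post (vty lines restricted to "transport input ssh" pasted onto a device that has never had "crypto key generate rsa" run) can be caught before the paste rather than after the drive. The following is an added example, not part of the original post or anything shipped by Cisco: a small pre-flight check that parses the config you are about to paste and the output of "show crypto key mypubkey rsa" from the target device, and warns about any vty range that would become SSH-only on a device with no RSA key pair. The config text and the two show-command outputs are constructed for illustration; hostnames, the domain name and the key listing are made up.

```python
"""Pre-flight check before pasting a Cisco IOS config onto a device.

Flags the lockout described in the post: vty lines restricted to
"transport input ssh" while the target device has no RSA key pair.
Added example; the config and show-command outputs below are
constructed for illustration, not captured from a real device.
"""
import re

# Constructed config, as a tech might paste it from another router.
CONFIG_TO_PASTE = """\
hostname branch-rtr
!
ip domain-name example.net
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed output of "show crypto key mypubkey rsa" on a device that
# has never had "crypto key generate rsa" run.
SHOW_CRYPTO_NO_KEY = "% No signatures found\n"

# Constructed output on a device that does have a key pair.
SHOW_CRYPTO_WITH_KEY = """\
% Key pair was generated at: 16:45:23 EDT Sep 8 2005
Key name: branch-rtr.example.net
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
"""


def vty_transport_inputs(config_text):
    """Return {vty_range: set(protocols)} for every "line vty" block.

    A vty block with no "transport input" line keeps the IOS default,
    recorded here as {"default"} so the caller can decide what to do.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line and not line.startswith(" "):
            # Top-level command: either opens a new vty block or ends one.
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            current = m.group(0) if m else None
            if current:
                result[current] = {"default"}
            continue
        if current and line.strip().startswith("transport input"):
            result[current] = set(line.split()[2:])
    return result


def device_has_rsa_key(show_crypto_output):
    """True if "show crypto key mypubkey rsa" lists at least one key."""
    return bool(re.search(r"^Key name:", show_crypto_output, re.M))


def check_ssh_lockout(config_text, show_crypto_output):
    """Return a list of warnings; an empty list means the paste looks safe."""
    warnings = []
    has_key = device_has_rsa_key(show_crypto_output)
    for vty, protos in vty_transport_inputs(config_text).items():
        ssh_only = ("ssh" in protos and "telnet" not in protos
                    and "all" not in protos)
        if ssh_only and not has_key:
            warnings.append(
                f"{vty}: 'transport input {' '.join(sorted(protos))}' but the "
                "target has no RSA key pair; run 'crypto key generate rsa' first"
            )
    return warnings


if __name__ == "__main__":
    for w in check_ssh_lockout(CONFIG_TO_PASTE, SHOW_CRYPTO_NO_KEY):
        print("WARNING:", w)
```

Run against the constructed "no key" output it flags "line vty 0 4" and leaves "line vty 5 15" alone, since that range still allows telnet; against the "key present" output it returns nothing. Two practical caveats the check does not cover: IOS needs a hostname and "ip domain-name" set before "crypto key generate rsa" will run at all, and if the target has neither you still need console access to fix it; and the safest sequence remains generating the keys on the target (or pasting via the console rather than over a vty) before applying a config that turns off telnet.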