[c-nsp] Keyword Suggestion for Crypto Key Commands

Luan Nguyen luan.nguyen at mci.com
Fri Sep 9 10:25:06 EDT 2005


I would open a TAC case for a bug :) since the router allows you to do
"transport input ssh" while SSH is not turned on... it should give you an error
like "please enable SSH first..."

-luan


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Neiberger
Sent: Thursday, September 08, 2005 4:45 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Keyword Suggestion for Crypto Key Commands

I posted this elsewhere but I thought I'd post it here just to get some
opinions. Has this happened to you? You have someone who takes a config
from one device, modifies it, and pastes it into another device. You are
using SSH and have disabled Telnet. The vty lines have "transport input
ssh" on them. Unfortunately, the tech forgets to generate the crypto
keys, so you're now locked out of the device and have to drive to the
location to resolve the problem.

Here's my idea for Cisco. One aspect of this problem is that the
"crypto key generate rsa" command does not appear in the configuration,
so it does not get copied to the new device. I would imagine that this
is because you don't want to generate new keys every time the device
boots. What if you were to add a keyword like "if-missing" to the
command so it looked like this:

Router(config)#crypto key gen rsa 512 if-missing

That would only generate a key if one was not already present. Now you
could have this line appear in the config with no bad side effects, and
you no longer have to worry about techs forgetting to do it manually.

What do you think? Bad idea? Good idea? Misguided idea?  :-)

Thanks,
John
--
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
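The lockout described in the thread is decidable before the paste: the pasted config can be checked for vty lines that allow only SSH, and the target router can be asked whether it has an RSA key pair ("show crypto key mypubkey rsa" prints nothing on a router with no keys). The following pre-flight check is an added example, not code from the original post or from Cisco; the config text and the command output it parses are constructed for the example and only approximate the shape of real IOS output, and the helper names are the example's own.

```python
"""Pre-flight check: will pasting this IOS config lock us out of the vty lines?

"crypto key generate rsa" is not part of the running config, so it never
travels with a pasted config.  If the config sets "transport input ssh" on
the vty lines and the target has no RSA key pair, the SSH server cannot
start and Telnet is refused: remote lockout, console only.
"""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?:\s+(\d+))?\s*$")


def vty_transports(config):
    """Map each 'line vty' block to the set of inbound transports it allows.

    A block with no 'transport input' line keeps the platform default, which
    this check cannot see, so it is recorded as None.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = VTY_RE.match(line)
        if m:
            current = "vty " + m.group(1) + (" " + m.group(2) if m.group(2) else "")
            blocks[current] = None
            continue
        if current is None:
            continue
        if not line.startswith(" "):          # left the indented line block
            current = None
            continue
        tokens = line.split()
        if tokens[:2] == ["transport", "input"]:
            blocks[current] = set(tokens[2:])  # e.g. {"ssh"} or {"telnet", "ssh"}
    return blocks


def rsa_key_present(show_crypto_output):
    """True if 'show crypto key mypubkey rsa' lists at least one key pair."""
    return "Key name:" in show_crypto_output


def lockout_warnings(config, show_crypto_output):
    """Return one warning per vty block that would become unreachable."""
    warnings = []
    key_ok = rsa_key_present(show_crypto_output)
    for name, transports in vty_transports(config).items():
        if transports is None:
            continue  # default transport, not decided by this config
        if transports == {"ssh"} and not key_ok:
            warnings.append(
                f"line {name}: 'transport input ssh' but the target has no RSA "
                "key pair; SSH cannot start and Telnet is refused -> lockout")
        elif transports == {"none"}:
            warnings.append(f"line {name}: 'transport input none' disables all vty access")
    return warnings


# Constructed sample config, as a tech might paste it (hypothetical hostnames).
PASTED_CONFIG = """\
hostname branch-rtr
!
ip domain-name example.net
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed 'show crypto key mypubkey rsa' output: empty on a router with no
# keys, and a key listing (shape approximated) on one where keys were generated.
TARGET_NO_KEYS = ""
TARGET_WITH_KEYS = """\
% Key pair was generated at: 10:25:06 EDT Sep 9 2005
Key name: branch-rtr.example.net
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C4F1A2
"""

if __name__ == "__main__":
    for label, output in (("no keys", TARGET_NO_KEYS), ("keys present", TARGET_WITH_KEYS)):
        print(f"target with {label}:")
        for w in lockout_warnings(PASTED_CONFIG, output) or ["  ok, safe to paste"]:
            print("  " + w)
```

Run against the target's real "show crypto key mypubkey rsa" output before pasting; a warning means generate the keys (and confirm with "show ip ssh") first, or leave telnet in "transport input" on one vty range until SSH is confirmed working.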