[c-nsp] Keyword Suggestion for Crypto Key Commands

John Neiberger jneiberger at gmail.com
Fri Sep 9 10:32:27 EDT 2005


Hey, that's a pretty good suggestion! It solves the problem a
different way, and it doesn't cause the potential problems that might
arise from having the crypto line in the config.

On 9/9/05, Luan Nguyen <luan.nguyen at mci.com> wrote:
> I would open a TAC case for a bug :) since the router allows you to do
> transport input ssh while ssh is not turned on...it should give you an error
> like..."please enable ssh first..."
> 
> -luan
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Neiberger
> Sent: Thursday, September 08, 2005 4:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Keyword Suggestion for Crypto Key Commands
> 
> I posted this elsewhere but I thought I'd post it here just to get some
> opinions. Has this happened to you? You have someone who takes a config
> from one device, modifies it, and pastes it into another device. You are
> using SSH and have disabled Telnet. The vty lines have "transport input
> ssh" on them. Unfortunately, the tech forgets to generate the crypto
> keys, so you're now locked out of the device and have to drive to the
> location to resolve the problem.
> 
> Here's my idea for Cisco. One aspect of this problem is that the
> "crypto key generate rsa" command does not appear in the configuration,
> so it does not get copied to the new device. I would imagine that this
> is because you don't want to generate new keys every time the device
> boots. What if you were to add a keyword like "if-missing" to the
> command so it looked like this:
> 
> Router(config)#crypto key gen rsa 512 if-missing
> 
> That would only generate a key if one was not already present. Now you
> could have this line appear in the config with no bad side effects, and
> you no longer have to worry about techs forgetting to do it manually.
> 
> What do you think? Bad idea? Good idea? Misguided idea?  :-)
> 
> Thanks,
> John
> --
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

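The lockout John describes (pasting a config whose vty lines carry "transport input ssh" onto a box that has no RSA keypair) can be caught before the paste. The following pre-flight lint is an added example, not code from the thread or from Cisco; it parses an IOS-style config (a constructed sample is embedded) and flags every vty range that is reachable only over SSH, since the keypair SSH needs is not part of the config and will not travel with it.

```python
"""Pre-flight check for an IOS-style config that is about to be pasted onto
another device (added example, not from the original thread). Any vty range
whose 'transport input' allows only ssh is flagged, because the RSA keypair
that SSH depends on is not in the config and must exist on the target."""
import re

# Constructed sample config in the shape described in the thread.
SAMPLE_CONFIG = """\
hostname branch-rtr
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""


def parse_vty_transports(config: str) -> dict:
    """Map each 'line vty' range to its 'transport input' keywords.
    A block with no explicit 'transport input' is recorded as None."""
    transports = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level statement starts a new section
            m = re.match(r"line (vty \d+(?: \d+)?)$", line)
            current = m.group(1) if m else None
            if current:
                transports[current] = None
            continue
        if current:                           # indented statement inside a vty block
            m = re.match(r"\s+transport input (.+)$", line)
            if m:
                transports[current] = m.group(1).split()
    return transports


def ssh_only_vtys(config: str) -> list:
    """Names of vty ranges that accept SSH and nothing else."""
    return [name for name, t in parse_vty_transports(config).items() if t == ["ssh"]]


def lockout_warnings(config: str) -> list:
    """Review items to clear before pasting the config onto a new device."""
    return [f"line {name}: transport input ssh only; confirm an RSA keypair exists "
            f"on the target ('show crypto key mypubkey rsa') before applying"
            for name in ssh_only_vtys(config)]


if __name__ == "__main__":
    for warning in lockout_warnings(SAMPLE_CONFIG):
        print(warning)
```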

