Generating a DSA or RSA key pair
In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session
key and session ID and for the client to authenticate the server.
To generate a DSA or RSA key pair on the SSH server:
To do...
1.
Enter system view.
2.
Generate a DSA or RSA key
pair.
NOTE:
For more information about public-key local create, see
•
To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on
•
the SSH server.
The public-key local create rsa command generates a server RSA key pair and a host RSA key pair.
•
Each of the key pairs consists of a public key and a private key. The public key in the server key pair
of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key.
Because SSH2.0 uses the DH algorithm to generate the session key on the SSH server and client, no
session key transmission is required in SSH2.0, and the server key pair is not used.
The length of the modulus of RSA server keys and host keys must range from 512 to 2048 bits. Some
•
SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
The public-key local create dsa command generates only the host key pair. SSH1 does not support
•
the DSA algorithm.
The length of the modulus of DSA host keys must range from 512 to 2048 bits. Some SSH2.0 clients
•
require that the length of the key modulus be at least 768 bits on the SSH server side.
Enabling the SSH server function
To do...
1.
Enter system view.
2.
Enable the SSH server
function.
Command...
system-view
public-key local create { dsa | rsa
}
Security Command Reference
Command...
system-view
ssh server enable
309
Remarks
—
Required.
By default, neither DSA key pair
nor RSA key pair exists.
.
Remarks
—
Required
Disabled by default