Manually create custom SSH keys

You have the option to replace the automatically generated SSH/SSL keys with your own RSA, DSA or DSS keys, in order to achieve stronger encryption. A number of alternatives are available here:

Using an external program is an option if your device has insufficient entropy, which causes key generation with LCOS to fail.

SSH key generation with LCOS

To generate a key pair consisting of a public and a private key, you enter the following command at the console:
sshkeygen [-?|-h] [-q] [-t dsa|rsa|ecdsa|ed25519|ed448] [-b bits] [-f output-file]
-?, -h
Displays a brief help text about the available parameters
-t (dsa|rsa|ecdsa|ed25519|ed448)
This parameter specifies what type of key is generated. SSH supports the following types of keys:
  • RSA keys are most widely used and have a length between 512 and 16384 bits. If possible you should work with keys of 3072 bits in length.
  • DSA keys follow the Digital Signature Standard (DSS) set down by the National Institute of Standards and Technology (NIST) and are typically used in environments which are required to comply with the Federal Information Processing Standard (FIPS). DSA or DSS keys are always 1024 bits long, but they are slower to process than a corresponding RSA key.
  • ECDSA keys are a variant of DSA keys, whereby the device uses elliptic curves for key generation (elliptic curve cryptography, ECC). ECC is an alternative to the conventional signature and key exchange techniques such as RSA and Diffie-Hellman. The main advantage of elliptic curves is that their mathematical properties offer the same key strength as RSA or Diffie-Hellman but with a significantly shorter key length. This provides for better hardware performance. ECC and its integration in SSL and TLS are described in RFCs 5656 and 4492.
  • Ed25519 is a method based on the Edwards-curve Digital Signature Algorithm (EdDSA, RFC 8709), which uses elliptic curves.
  • Ed448 is also a method based on elliptic curves and is likewise specified in RFC 8709.
If no type is specified, the command generates an RSA key by default.
-b <bits>
This parameter sets the length of the RSA key in bits. If you do not specify a length, the command produces a key with a length of 1024 bits by default.
-f <OutputFile>
This parameter specifies the mounting point of the generated key file in the device file system. The choice of mounting point depends on what type of key you are generating. The choices available to you are:
  • ssh_rsakey for RSA keys
  • ssh_dsakey for DSA keys
  • ssh_ecdsakey for ECDSA keys
  • ssl_privkey for SSL-RSA keys
  • ssh_ed25519key for Ed25519 keys
  • ssh_ed448key for Ed448 keys
-q
This parameter enables the 'quiet' mode for the key generation. If you set this parameter, LCOS overwrites any existing RSA or DSA keys without asking; there is no information about the progress of the operation. You can, for example, use this parameter in a script to suppress any security prompts for the users.

SSH key generation with Linux systems

Many Linux distributions already feature the OpenSSH package. All you have to do to generate the key file is to enter a simple command into the shell. The syntax corresponds to the LCOS command sshkeygen:

ssh-keygen [-t (dsa|rsa)] [-b <Bits>] [-f <OutputFile>]

The command ssh-keygen -t rsa -b 4096 -f hostkey creates an RSA key of 4096 bits in length, which consists of the private component 'hostkey' and the public component 'hostkey.pub'.
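Before uploading a key generated this way, it is worth verifying that the type and length recorded in the .pub file match what you intended, since the LCOS default of 1024 bits falls short of the 3072 bits recommended above. The following Python script is an added example and not part of the LCOS documentation: it parses the OpenSSH public-key wire format (RFC 4253 string and mpint encoding) and flags keys shorter than the minimum lengths in MIN_BITS. The make_rsa_pub helper builds a constructed key with a dummy modulus purely for demonstration.

```python
import base64
import struct

# Minimum lengths following this manual: RSA at least 3072 bits (the LCOS
# default of 1024 is flagged), DSA fixed at 1024, curves by their field size.
MIN_BITS = {"ssh-rsa": 3072, "ssh-dss": 1024, "ssh-ed25519": 256,
            "ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384, "ecdsa-sha2-nistp521": 521}

def _read_string(blob, off):
    """Read one RFC 4253 'string' (uint32 length + bytes) starting at off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n
def _string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(x):  # RFC 4253 mpint: big-endian, leading 0x00 if the MSB is set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def parse_pubkey(line):
    """Return (key type, key length in bits) for one line of an OpenSSH .pub file."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type field does not match key blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent
        n, _ = _read_string(blob, off)          # modulus: its size is the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":
        p, _ = _read_string(blob, off)          # prime p sets the DSA key size
        bits = int.from_bytes(p, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)      # e.g. b"nistp256"
        bits = int(curve[-3:])
    elif key_type == "ssh-ed25519":
        bits = 256                               # fixed-size Edwards curve point
    else:
        raise ValueError("unsupported key type: " + key_type)
    return key_type, bits

def check_pubkey(line):
    """Return (type, bits, ok); ok is False when the key is shorter than MIN_BITS."""
    key_type, bits = parse_pubkey(line)
    return key_type, bits, bits >= MIN_BITS[key_type]

def make_rsa_pub(bits):
    """Constructed ssh-rsa line with a dummy modulus of the given size (not a real key)."""
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"
```

Run check_pubkey on the first line of a real hostkey.pub to confirm the key meets your policy before transferring it to the device.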

SSH key generation with Windows systems

Windows systems are not inherently capable of generating SSH keys. You should instead use a suitable utility program such as the free software PuTTYgen.

A guide on how to create an individual key with PuTTYgen is available in the section Generating an SSH keypair with PuTTY. After following the various steps to generate the key, do not use the buttons Save public key and Save private key, but instead choose Conversions > Export OpenSSH key. The resulting OpenSSH private key can then be uploaded into the device without further processing.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
