If you have not loaded an individual key into the device, resetting the configuration prompts the internal SSH server to generate its own device-specific SSH keys directly at system startup. These include:
- an SSH-2-RSA key with 2048 bit length;
- an SSH-2-DSS key with 1024 bit length (as per FIPS 186-2);
- an SSH-2-ECDSA key with 256, 384 or 521 bit length;
- an SSL-RSA key with 2048 bit length;
which the device stores in its internal file system as ssh_rsakey, ssh_dsakey, ssl_privkey or ssh_ecdsakey.
If key generation is successful, the entry SSH ... host key generated is entered into the SYSLOG as a "notice"; if it fails, the entry SSH: host key generation failed, try later again with '...' is entered as an "alert". A failure to generate a key, for example if there is too little entropy, causes the system to revert to the factory-implemented cryptographic key.
sshkeygen -t rsa -b 2048 -f ssh_rsakey
sshkeygen -t dsa -b 1024 -f ssh_dsakey
sshkeygen -t ecdsa -b 256 -f ssh_ecdsakey
sshkeygen -t rsa -b 2048 -f ssl_privkey
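
One way to watch centrally collected SYSLOG data for the two entries described above, so that devices which reverted to the factory key are noticed. This is an added example, not part of the original documentation; the line layout (timestamp, host, severity, message), the host names and the sample lines are assumptions constructed for illustration.

```python
import re

# Message texts as quoted above; the elided parts ("...") are matched loosely.
GENERATED = re.compile(r"\bSSH\b.*\bhost key generated\b")
FAILED = re.compile(r"\bSSH: host key generation failed\b")

# Assumed line layout (not from the page): "<timestamp> <host> <severity> <message>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<sev>\w+)\s+(?P<msg>.+)$")

# Constructed sample lines; "..." stands where the page elides the text.
SAMPLE = """\
2024-05-01T08:00:02Z gw-a notice SSH ... host key generated
2024-05-01T08:00:03Z gw-a notice SSH ... host key generated
2024-05-01T08:01:10Z gw-b alert SSH: host key generation failed, try later again with '...'
2024-05-01T08:01:11Z gw-b notice SSH ... host key generated
2024-05-01T08:02:00Z gw-c notice some unrelated message
"""

def key_generation_report(lines):
    """Count host key generation successes and failures per device."""
    # The key type sits in the elided part of the message, so a later success
    # cannot be matched to an earlier failure; any failure flags the device.
    report = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        sev, msg = m["sev"].lower(), m["msg"]
        if sev == "alert" and FAILED.search(msg):
            kind = "failed"
        elif sev == "notice" and GENERATED.search(msg):
            kind = "generated"
        else:
            continue
        entry = report.setdefault(
            m["host"], {"generated": 0, "failed": 0, "last_failure": None})
        entry[kind] += 1
        if kind == "failed":
            entry["last_failure"] = m["ts"]
    return report

def devices_to_review(report):
    """Devices with at least one failed generation (may be using the factory key)."""
    return sorted(h for h, e in report.items() if e["failed"])

if __name__ == "__main__":
    rep = key_generation_report(SAMPLE.splitlines())
    for host in devices_to_review(rep):
        print(host, rep[host])
```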