If you have a device with LCOS 8.84 or higher and have not loaded an individual key into the device, then resetting the configuration prompts the internal SSH server to try to generate its own device-specific SSH keys directly at system startup. These include:
- an SSH-2-RSA key with 2048 bit length;
- an SSH-2-DSS key with 1024 bit length (as per FIPS 186-2);
- an SSH-2-ECDSA key with 256, 384 or 521 bit length;
- an SSL-RSA key with 2048 bit length;
which the device stores in its internal file system as ssh_rsakey, ssh_dsakey, ssl_privkey or ssh_ecdsakey.
If key generation is successful, the entry SSH ... host key generated is written to the SYSLOG as a "notice"; if it fails, the entry SSH: host key generation failed, try later again with '...' is written as an "alert". If a key cannot be generated, for example because there is too little entropy, the system falls back to the factory-installed cryptographic key.
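The two SYSLOG messages above are what an operator watches for, because a failed generation leaves the device on the factory key. The following Python script is an added example, not part of the LCOS documentation, that parses constructed syslog lines in that shape and reports, per device, which key types were generated and where a fallback to the factory key occurred; the hostnames, timestamps and the key-type word after "SSH" are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample SYSLOG lines (hostnames, timestamps and the key-type word are
# assumptions; only the two message stems from the LCOS documentation are matched).
SAMPLE_SYSLOG = """\
<37>Jan 10 08:00:01 lancom-a: SSH RSA host key generated
<37>Jan 10 08:00:02 lancom-a: SSH DSS host key generated
<37>Jan 10 08:00:03 lancom-a: SSH ECDSA host key generated
<33>Jan 10 08:00:05 lancom-b: SSH: host key generation failed, try later again with 'sshkeygen -t rsa -b 2048 -f ssh_rsakey'
<37>Jan 10 08:00:06 lancom-b: SSH ECDSA host key generated
<37>Jan 10 08:00:07 lancom-b: kernel: unrelated message
"""

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>\S+ +\d+ [\d:]+ (?P<host>\S+): (?P<msg>.*)$")
GENERATED_RE = re.compile(r"^SSH (?P<kind>\S+) host key generated$")
FAILED_RE = re.compile(r"^SSH: host key generation failed, try later again with '(?P<cmd>[^']*)'$")
SEVERITY_NAMES = {1: "alert", 5: "notice"}


def parse_line(line: str) -> Optional[dict]:
    """Split a BSD-style syslog line into severity, host and message text."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    severity = int(m.group("pri")) & 7  # low three bits of PRI are the severity
    return {"severity": severity, "host": m.group("host"), "msg": m.group("msg")}


def audit_host_keys(syslog_text: str) -> Dict[str, dict]:
    """Per host: key types generated, failed attempts with the retry command the
    device suggests, and whether a failure means it is still on the factory key."""
    report: Dict[str, dict] = {}
    for raw in syslog_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = report.setdefault(
            rec["host"], {"generated": set(), "failed": [], "factory_key_fallback": False}
        )
        if (g := GENERATED_RE.match(rec["msg"])):
            entry["generated"].add(g.group("kind"))
        elif (f := FAILED_RE.match(rec["msg"])):
            entry["failed"].append({
                "retry_cmd": f.group("cmd"),
                "severity": SEVERITY_NAMES.get(rec["severity"], str(rec["severity"])),
            })
            entry["factory_key_fallback"] = True  # device reverted to the factory key
    return report
```

A device flagged with factory_key_fallback shares its host key with every other unit of the same model, so the reported retry command should be run on it once enough entropy is available.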
Important: When you update from an older LCOS version to 8.84 or higher without subsequently performing a configuration reset, the device does not generate a device-specific SSH/SSL key. This maintains compatibility with existing installations. However, you can trigger the key generation manually. Enter the following commands in the console:
sshkeygen -t rsa -b 2048 -f ssh_rsakey
sshkeygen -t dsa -b 1024 -f ssh_dsakey
sshkeygen -t ecdsa -b 256 -f ssh_ecdsakey
sshkeygen -t rsa -b 2048 -f ssl_privkey