cancel
Showing results for 
Search instead for 
Did you mean: 

What is the minimum recommended crypto key setting?

tommy_steele
New Contributor II

I've configured "crypto key gen" which generates a 1024 DSA key but when I putty/ssh in, I get this warning:  The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.

Should I go with "crypto key gen rsa 2048" or something similar?  

Thanks.

1 ACCEPTED SOLUTION

BenBeck
Moderator
Moderator

The warning level is generally a client-side configuration option.

In regards to better key gen options:

*what you mentioned

SSH@ICX(config)#crypto key gen rsa modulus 2048

and/or

SSH@ICX(config)#crypto key generate ec size 384

There is more information about encryption methods in 'show ip ssh config'. Supported methods change a bit from code to code. Our security guide is a good place to look. Here is the 8095 version, but you can find the same document for whatever code you are running:

https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-8F5FD2C5-0AC4-4EBA-BEE8-E4E...

From mentioned page > Home > RUCKUS ICX Switches > Pick code train on left side > Security guide for SSH items

Hope that helps!

 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

View solution in original post

1 REPLY 1

BenBeck
Moderator
Moderator

The warning level is generally a client-side configuration option.

In regards to better key gen options:

*what you mentioned

SSH@ICX(config)#crypto key gen rsa modulus 2048

and/or

SSH@ICX(config)#crypto key generate ec size 384

There is more information about encryption methods in 'show ip ssh config'. Supported methods change a bit from code to code. Our security guide is a good place to look. Here is the 8095 version, but you can find the same document for whatever code you are running:

https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-8F5FD2C5-0AC4-4EBA-BEE8-E4E...

From mentioned page > Home > RUCKUS ICX Switches > Pick code train on left side > Security guide for SSH items

Hope that helps!

 

Ben Beck, RCNA, RCNI, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us