Generating local key pairs
The DSA, RSA, or ECDSA key pairs are required for generating the session key and session ID in the key exchange stage. The key pairs can also be used by a client to authenticate the server. When a client authenticates a server, it compares the public key received from the server with the server public key that it saved locally. If the two keys match, the client uses the locally saved server public key to decrypt the digital signature received from the server. If the decryption succeeds, the server passes authentication.
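The client-side check described above (compare the received host key with the saved copy, then verify the server's signature over the session ID), as an added Python example that is not part of the original documentation. The RSA parameters, the `sw1` host entry, the session ID and the wire-format helpers are constructed for the example; the key is a toy size and the signature has no padding scheme, so it illustrates the flow only.

```python
import hashlib
import struct
# Constructed toy RSA key (p=61, q=53), far too small to be secure; used only
# so the signature check runs offline. Real host keys are 2048 bits or more.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

def ssh_string(b):
    return struct.pack(">I", len(b)) + b   # RFC 4251 'string': length + bytes

def encode_rsa_pubkey(e, n):
    """Build an 'ssh-rsa' public key blob (RFC 4253 layout, simplified mpint)."""
    to_b = lambda x: x.to_bytes((x.bit_length() + 7) // 8, "big")
    return ssh_string(b"ssh-rsa") + ssh_string(to_b(e)) + ssh_string(to_b(n))

def decode_rsa_pubkey(blob):
    """Parse an 'ssh-rsa' blob back into (e, n); reject malformed input."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        if off + 4 + ln > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if off != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def toy_sign(msg, d, n):
    """Textbook RSA over SHA-256(msg) reduced mod n (toy: no padding scheme)."""
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)

def toy_verify(msg, sig, e, n):
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def authenticate_server(host, received_blob, signature, session_id, known_hosts):
    """Client-side check from the text: compare the received host key with the
    saved copy, then verify the server's signature over the session ID."""
    saved = known_hosts.get(host)
    if saved is None:
        return "unknown host key"      # nothing to compare against; prompt the user
    if saved != received_blob:
        return "host key mismatch"     # possible impersonation; abort the session
    e, n = decode_rsa_pubkey(received_blob)
    return "ok" if toy_verify(session_id, signature, e, n) else "bad signature"

# Constructed sample: the client saved the switch's host key on a first visit.
SERVER_BLOB = encode_rsa_pubkey(TOY_E, TOY_N)
KNOWN_HOSTS = {"sw1": SERVER_BLOB}
SESSION_ID = b"constructed-session-id"
SIGNATURE = toy_sign(SESSION_ID, TOY_D, TOY_N)
```

A mismatch result is the case a client must treat as a hard failure rather than a prompt, since a changed host key is indistinguishable on the wire from an impersonating server.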
Configuration restrictions and guidelines
When you generate local key pairs, follow these restrictions and guidelines:
To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key pairs on the SSH server.
The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each key pair consists of a public key and a private key. In SSH1, the public key of the server key pair encrypts the session key so that the session key can be transmitted securely. Because SSH2 uses the DH algorithm to generate each session key on both the SSH server and the client, no session key transmission is required, and the server key pair is not used in SSH2.
The public-key local create dsa command generates only a DSA host key pair.
SSH1 does not support the DSA algorithm.
The public-key local create ecdsa command generates only an ECDSA host key pair.
Configuration procedure
To generate local key pairs on the SSH server:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Generate local key pairs. | public-key local create { dsa \| ecdsa secp256r1 \| rsa } | By default, no local key pairs exist. |