Enabling and disabling SSH by generating and deleting host keys
To enable SSH, you generate a DSA or RSA host key on the device. The SSH server on the Brocade device uses this host DSA or RSA key, along with a dynamically generated server DSA or RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.
While the SSH listener exists at all times, sessions can not be started from clients until a host key is generated. After a host key is generated, clients can start sessions.
To disable SSH, you delete all of the host keys from the device.
When a host key is generated, it is saved to the flash memory of all management modules. When a host key is is deleted, it is deleted from the flash memory of all management modules.
The time to initially generate SSH keys varies depending on the configuration, and can be from a under a minute to several minutes.
SSHv2 RSA host key format is different between FastIron 07.x.xx, 08.0.00 and 08.0.00a software versions .
- When you upgrade from FastIron 7.x.xx, 8.0.00 to 8.0.00a software version , if RSA key is present in FastIron 7.x.xx or 8.0.00 software version, same size will be regenerated in FastIron 08.0.00a software version. Old SSHv2 host key is retained unless they are cleared by the crypto key zeroize command.
- When you downgrade the FastIron software from version 8.0.00a to 8.0.00 or 07.x.xx, consider the following scenarios:
- SSHv2 RSA host key created in FastIron 7.x.xx or 8.0.00 software version and retained in FastIron 8.0.00a-- In this case, booting up with FastIron 7.x.xx or 8.0.00 software versions reads the old format SSHv2 RSA host keys and enables the SSHv2 RSA server on the switch.
- SSHv2 RSA host key created in FastIron 8.0.00a--In this case, booting up with FastIron 7.x.xx or 8.0.00 software versions does not read the new format SSHv2 RSA host keys and SSHv2 server is not enabled on the switch.
SSH host keys created with DSA method is interoperable between FastIron 7.x.xx, 8.0.00 and 8.0.00a software versions.