Generating local key pairs

The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys and session ID in the key exchange stage. They can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the server's public key that the client saved locally. If the keys are consistent, the client uses the locally saved server's public key to decrypt the digital signature received from the server. If the decryption succeeds, the server passes the authentication.

The SSH application starts when you execute an SSH server command on the device. If the device does not have RSA key pairs with default names, the device automatically generates one RSA server key pair and one RSA host key pair. Both key pairs use their default names. You can also use the public-key local create command to generate DSA, ECDSA, or RSA key pairs on the device.

Configuration restrictions and guidelines

When you generate local key pairs, follow these restrictions and guidelines:

Configuration procedure

To generate local key pairs on the SSH server:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Generate local key pairs.

public-key local create { dsa | ecdsa secp256r1 | rsa }

By default, no local key pairs exist on the server.