crypto key dss


crypto key { generate | zeroize } dss [ SSH-server | SFTP-client ]

Release Information

Command introduced before JunosE Release 7.1.0.

SSH-server and SSH-client keywords added in JunosE Release 13.3.0.


Controls SSH server daemon and creation/deletion of SSH server host key. This command is not displayed by the show config command.

Use the SSH-server keyword with the crypto key generate dss command to cause the router to function as an SFTP client, generate the SSH server host key and enable the SSH server daemon. If you specify the crypto key generate dss command without this keyword, the behavior is the same as the usage of this command with the SSH-server keyword. Use the SFTP-client keyword with this command to enable the router to generate a public/private key pair and to use this key pair to initiate an SSH session with the SFTP serve. There is no no version.

SSH can be enabled or disabled regardless of the state of the Telnet daemon. If SSH is enabled, use access control lists to limit access through Telnet.

Note: When you perform a stateful SRP switchover operation on a device with a large number of virtual routers (VRs) when SSH is configured on VRs other than the default, SSH can sometimes become disabled. This condition happens if SSH attempts to bind with a VR before the VR becomes reenabled after the restart. In this case, after stateful SRP switchover is completed, if you enter the crypto key zeroize dss command to disable the SSH server daemon, a message is displayed stating that the VR instance is not enabled and prompts you to retry after SSH is reenabled on that VR. After the VR instance is reenabled, you must manually reenable SSH either by accessing the console VTY or creating a Telnet session to the router by using the crypto key generate dss command.



Global Configuration

Related Documentation