Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    crypto key dss


    crypto key { generate | zeroize } dss [ SSH-server | SFTP-client ]

    Release Information

    Command introduced before JunosE Release 7.1.0.

    SSH-server and SSH-client keywords added in JunosE Release 13.3.0.


    Controls SSH server daemon and creation/deletion of SSH server host key. This command is not displayed by the show config command.

    Use the SSH-server keyword with the crypto key generate dss command to cause the router to function as an SFTP client, generate the SSH server host key and enable the SSH server daemon. If you specify the crypto key generate dss command without this keyword, the behavior is the same as the usage of this command with the SSH-server keyword. Use the SFTP-client keyword with this command to enable the router to generate a public/private key pair and to use this key pair to initiate an SSH session with the SFTP serve. There is no no version.

    SSH can be enabled or disabled regardless of the state of the Telnet daemon. If SSH is enabled, use access control lists to limit access through Telnet.

    Note: When you perform a stateful SRP switchover operation on a device with a large number of virtual routers (VRs) when SSH is configured on VRs other than the default, SSH can sometimes become disabled. This condition happens if SSH attempts to bind with a VR before the VR becomes reenabled after the restart. In this case, after stateful SRP switchover is completed, if you enter the crypto key zeroize dss command to disable the SSH server daemon, a message is displayed stating that the VR instance is not enabled and prompts you to retry after SSH is reenabled on that VR. After the VR instance is reenabled, you must manually reenable SSH either by accessing the console VTY or creating a Telnet session to the router by using the crypto key generate dss command.


    • generate—Creates the SSH server host key and enables the daemon
    • zeroize—Deletes the SSH server host key and stops the SSH daemon if it is running. Issuing this command terminates any active client sessions. The next time the router boots after this command is issued, the SSH server daemon is not started.
    • SSH-server—Creates the SSH server host key and enables the daemon. If an SSH server host key is already present on the router, using the crypto key generate dss SSH-server command causes the existing key to be removed and a fresh host key to be generated. When the new host key replaces the older host key, all established SSH connections are terminated. You must reestablish the SSH sessions.
    • SFTP-client—Creates the SSH public/private key pair and uses it to initiate an SSH session with the SFTP server. If a public/private key pair was previously generated and if you issue the crypto key generate dss SFTP-client command to regenerate a fresh SSH key pair, the older key is removed and replaced by the fresh key pair. The active SSH sessions are terminated in such a case.


    Global Configuration

    Published: 2014-08-14