Generate IOS SSH Server Keys on Startup
When working with Cisco IOS, I use the following EEM script to generate the SSH key on reload if there isn't one present already.
event manager session cli username EEM
event manager applet EEM_SSH_Keygen
event timer cron cron-entry "@reboot"
action 0.0 info type routername
action 0.1 set status "none"
action 1.0 cli command "enable"
action 2.0 cli command "show ip ssh | include ^SSH"
action 2.1 regexp "([ED][^ ]+)" "$_cli_result" result status
action 3.0 if $status eq Disabled
action 3.1 cli command "configure terminal"
action 3.2 cli command "crypto key generate rsa modulus 2048 label $_info_routername"
action 3.3 cli command "end"
action 3.4 end
As for the "event manager session cli username username" configuration command, this only defines how actions appear in the log when the event manager scripts are run. They don't actually perform any kind of authentication. When I set "event manager session cli username blah" on my router (where the username "blah" doesn't exist anywhere in my authentication methods) the script continues to run normally, but configuration events in the log appear as follows:
028089: Jan 29 2015 13:56:55 EST: %SYS-5-CONFIG_I: Configured from console by blah on vty1 (EEM:EEM_SSH_Keygen)
One of the things that I really like about the "@reboot" cron entry is its ability to add items to the router or switch's initialization routine. This is really handy if you want certain debugs to be always active.
Originally published on the Cisco Support Community.