Cisco Cisco Expressway Maintenance Manual
Changing the default SSH key
Using the default key means that SSH sessions established to the Expressway may be vulnerable to "man-
in-the-middle" attacks, so you are recommended to generate new SSH keys which are unique to your
Expressway.
in-the-middle" attacks, so you are recommended to generate new SSH keys which are unique to your
Expressway.
An alarm message "Security alert: the SSH service is using the default key” is displayed if your Expressway
is still configured with its factory default SSH key.
is still configured with its factory default SSH key.
To generate a new SSH key for the Expressway:
1. Log into the CLI as root.
2. Type regeneratesshkey.
3. Type exit to log out of the root account.
4. Log in to the web interface.
5. Go to
Maintenance > Restart
. You are taken to the
Restart
page.
6. Check the number of calls currently in place.
7. Click Restart system and then confirm the restart when asked.
If you have a clustered Expressway system you must generate new SSH keys for every cluster peer. Log
into each peer in turn and follow the instructions above. You do not have to decluster or disable replication.
into each peer in turn and follow the instructions above. You do not have to decluster or disable replication.
When you next log in to the Expressway over SSH you may receive a warning that the key identity
of the Expressway has changed. Please follow the appropriate process for your SSH client to
suppress this warning.
of the Expressway has changed. Please follow the appropriate process for your SSH client to
suppress this warning.
If your Expressway is subsequently downgraded to an earlier version of Expressway firmware, the
default SSH keys will be restored.
default SSH keys will be restored.
Cisco Expressway Administrator Guide (X8.2)
Page 280 of 378
Reference material
Changing the default SSH key