topic SSH will not enable on ISR4431 in Network Access Control

SSH will not enable on ISR4431

zstamm — Thu, 02 Aug 2018 20:02:48 GMT

I am working on a ISR4431 that is running Cisco IOS XE Software, Version 16.03.06. For some reason, SSH version 2 will not activate on it.

I get an error message stating that I need to generate keys greater than 768 bytes for SSH version 2 to work. I have generated keys that are 4096 bytes in length. There are definitely keys in the key store, but for some reason they are not used. Am I not generating the correct type of key? What is the command looking for?

# show crypto key mypubkey all

% Key pair was generated at: 23:51:41 EST May 11 2018
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
On Cryptographic Device: act2 (label=act2, key index=24)
Usage: General Purpose Key
Key is not exportable.
Key Data:
<REMOVED>
% Key pair was generated at: 13:54:26 EST Aug 2 2018
Key name: XXXXXXXXXXXXXXXXX.XXXX.org
Key type: RSA KEYS
Storage Device: not specified
Usage: Encryption Key
Key is not exportable. Redundancy enabled.
Key Data:
<REMOVED>
% Key pair was generated at: 13:56:34 EST Aug 2 2018
Key name: XXXXXXXXXXXXXXXXX.XXXX.org.server
Key type: RSA KEYS
Storage Device: not specified
Usage: Encryption Key
Key is not exportable. Redundancy enabled.
Key Data:
<REMOVED>

Re: SSH will not enable on ISR4431

Rob Ingram — Thu, 02 Aug 2018 20:13:40 GMT

Hi,
Try "crypto key zeroize rsa" then recreate the key pair.

This works for me:-
ip ssh version 2
ip domain-name DOMAIN.NAME
crypto key generate rsa modulus 2048

Optional:-
ip ssh client algorithm encryption aes256-ctr aes192-ctr aes12-ctr
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes12-ctr
ip ssh server algorithm mac hmac-sha1
ip ssh dh min size 2048

HTH

Re: SSH will not enable on ISR4431

zstamm — Thu, 02 Aug 2018 20:33:48 GMT

I tried zeroizing the RSA keys several times. I get the same error. It acts like the keys are not there.

I haven't tried the optional configurations that you posted. Does that just change the hash algorithm?

Re: SSH will not enable on ISR4431

Rob Ingram — Thu, 02 Aug 2018 20:39:25 GMT

What is the actually error you get? At what point do you get this error, when you input the command or when you attempt to connect?

Yeah, those commands are optional, just defining the algorithms to use.

Re: SSH will not enable on ISR4431

Leo Laohoo — Thu, 02 Aug 2018 22:08:55 GMT

cryp key generate rsa general-keys modulus 2048

Re: SSH will not enable on ISR4431

Karsten Iwen — Fri, 03 Aug 2018 07:57:24 GMT

I assume (it's hard to tell with this limited information) that you configured the key with a label, but did not specify that label when configuring SSH. Follow these steps closely and it really should work:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

Re: SSH will not enable on ISR4431

zstamm — Fri, 03 Aug 2018 13:18:28 GMT

I just noticed that the command "ip ssh rsa keypair-name <SSH-KEY Label>" isn't in most documentation or training materials. Is this a new step on this firmware or platform?

Re: SSH will not enable on ISR4431

Karsten Iwen — Fri, 03 Aug 2018 15:49:47 GMT

This command was introduced in 12.3(4)T, that's really long ago. And yes, it seems that many course designers are not aware of this. Still, I would consider this configuration a best practice.