topic Re: SSH to ISR Requires Key Size of 1024? in Network Security

SSH to ISR Requires Key Size of 1024?

Matthew Martin — Wed, 18 Dec 2024 21:14:58 GMT

Hello All,

A few months back I noticed my WSL Linux was requiring me to add this "ssh -o RequiredRSASize=1024 user@ipaddr" to some hosts that I ssh to, this included a few servers and some Cisco gear.

I'm guessing my WSL had some update or openssh was updated, or something along those lines increasing the default minimum key size...

I have two ISR-4451X's and one of them is requiring me to include that option and the other is not. I'm guessing I need to generate a new rsa key on the one 4451X.

These ISRs are where some of our ISP connections are plugged in so I wanted to be sure I got this right... Could someone tell me what commands are needed to do this? And if it would require any reboot, or would cause any disruption in traffic?

!!! Box needing the extra cmd line option while ssh'ing: 4451X-HQ1#show run all | inc rsa ip ssh server algorithm hostkey x509v3-ssh-rsa rsa-sha2-512 rsa-sha2-256 ssh-rsa ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 rsa-sha2-256 rsa-sha2-512 !!! Box working normally: 4451X-HQ2#show run all | inc rsa rsakeypair TP-self-signed-3313371257 ip ssh server algorithm hostkey x509v3-ssh-rsa rsa-sha2-512 rsa-sha2-256 ssh-rsa ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 rsa-sha2-256 rsa-sha2-512

And on my ssh_config in WSL I have the following. I think at some point I tried adding ciphers in order to not need that extra CLI option. But didn't work:

# cat /etc/ssh/ssh_config | grep Ciphers # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc #Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Thanks in Advance,
Matt

Re: SSH to ISR Requires Key Size of 1024?

MHM Cisco World — Wed, 18 Dec 2024 21:25:12 GMT

you need to generate key in both SW

show crypto key mypubkey rsa <<- use this command to check if key is add

TP-self key <<- this key for smart license it not relate to ssh

MHM

Re: SSH to ISR Requires Key Size of 1024?

Rob Ingram — Wed, 18 Dec 2024 21:21:30 GMT

@Matthew Martin try to zerorise the current key and create a new RSA key.

crypto key generate rsa modulus 3072 label SSH_KEY
ip ssh rsa keypair-name SSH_KEY

Once done, run "show ip ssh" and this will confirm that "SSH_KEY"

More information - https://integrate.uk.com/securing-ios-xe-ssh/

Re: SSH to ISR Requires Key Size of 1024?

Matthew Martin — Wed, 18 Dec 2024 22:57:03 GMT

Thanks Rob!

Got the new key generated and assigned to ssh. All is well now!

4451X-HQ1#show ip ssh SSH Enabled - version 2.0 Authentication methods:publickey,keyboard-interactive,password ............... cut............. ............... Authentication timeout: 120 secs; Authentication retries: 3 Minimum expected Diffie Hellman key size : 2048 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): SSH_KEY ssh-rsa AAA3...........................

Thanks Again,
Matt