Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1045
Views
0
Helpful
1
Replies

CSCvu10721 - SSH connection getting rejected FIPS mode enable

bahoug
Level 1
Level 1

‎04-11-2023 02:52 PM - edited ‎04-11-2023 02:53 PM

I hit this bug on 10.2.5. https://bst.cisco.com/bugsearch/bug/CSCvu10721

If the fix/workaround is to delete the RSA key and only have the ecdsa 521 key I should be able to enable fips mode without the RSA key right? I would fully expect to be able to enable fips mode with just he ecdsa 521 key.

TOR# show ssh key
**************************************
could not retrieve rsa key information
**************************************
could not retrieve dsa key information
**************************************
ecdsa Keys generated:Tue Apr 11 17:53:13 2023

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF1Lubb+4v6TupuNfA6dUpvSNxYGfzgWi8Fyjua9OtFQCaTPKQ7+P8bn4yhKlGTvTrwufDnm/+0WWcmqL30ET3AzQCkfLKPFJCTYpJIYrPFmyFEgsbacYJgrXVTo1TIbeLFm6a0msl+zWiSrtViB4O4i8WNiblf1
OCx5ef44uAaXUmogA==

TOR(config)# fips mode enable 
As per NIST requirements, the minimum RSA Key Size has to be 2048 in FIPS Mode
Generate RSA key with 2048 bits

Labels:
0 Helpful
1 Reply 1

balaji.bandi
Hall of Fame
Hall of Fame

‎04-11-2023 05:44 PM

could not retrieve rsa key information   <<< you do not have RSA Keys.

Connect to the console  and follow below steps :

N9k-Switch# conf t
N9k-Switch(config)# no feature ssh
N9k-Switch(config)# no ssh key rsa
N9k-Switch(config)# ssh key rsa 2048
N9k-Switch(config)# feature ssh
New SSH Key has a bitcount of 2048:
N9k-Switch(config)# show ssh key (check RSA keys)

N9k-Switch(config)# fips mode enable (this required reload the switch)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents