
SSH config options on Nexus 93180YC-FX

Hi.

Is there a difference in using either of these commands to configure SSH with a 2048-bit key? I'm configuring a Nexus 93180YC-FX and some Nexus 9348 switches. If so, can you explain the differences in using either? Various config guides detail different methods. Not sure of the difference or the recommended one to use.

crypto key generate rsa modulus 2048

ssh key rsa 2048

 

Thanks


Cisco Employee

Hello!

crypto key generate rsa modulus creates an RSA keypair that can be used for a variety of purposes - most commonly, this is a prerequisite to configuring a Nexus with a PKI (Public Key Infrastructure) Trustpoint/CA. This command is best documented in the "Configuring PKI" chapter of the Nexus 9000 NX-OS Security Configuration Guide. This type of RSA keypair is not automatically generated by the device. The below CLI output shows an example of how to generate and view this keypair.

N9K# show crypto key mypubkey rsa 
N9K# <<< Empty output indicates no keypair exists
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# crypto key generate rsa modulus 2048
N9K(config)# end
N9K# show crypto key mypubkey rsa
key label: N9K
key size: 2048
exportable: no
key-pair already generated

ssh key rsa 2048 creates a 2048-bit RSA keypair that is used by the built-in SSH server. By default, Nexus 9000 devices running NX-OS 9.3(x) automatically generate a 1024-bit RSA keypair for the SSH server. This command is best documented in the "Configuring SSH and Telnet" chapter of the Nexus 9000 NX-OS Security Configuration Guide. The below CLI output shows an example of how to view the default keypair that is generated, as well as how to generate a new one. Note the force keyword that is used to overwrite the existing SSH keypair that was automatically generated.

N9K# show ssh key rsa 
**************************************
rsa Keys generated:Mon Oct 14 23:57:54 2019

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCQVxlXI/fGGcJvsKe6hrz1+djdr6B7vHYcovNEaUlSrl2Ns1xys8vRy0Y9qHrO8doAUJs+PUSqkhW3jk5yhplETDAndWv6cB50k7DALJ+1pRu1EspOF9u3jPNSqOtTA8b0Z+CvAPyu9Tp4gHT4z1NhI/9os13HDYtuS5PcJH6gaw==

bitcount:1024 <<< This is the default RSA keypair generated by NX-OS on initial configuration
fingerprint:
SHA256:kbo6UwxUXXxKd2l1t8saytLlFaiX/UdJu9nHw2r1eZs
**************************************
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# ssh key rsa 2048 force
N9K(config)# end
N9K# show ssh key rsa
**************************************
rsa Keys generated:Tue Jan 28 22:25:51 2020

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWavsZsk+KmGkpQaL/fpBMhRLGCGXrvsHjqwlWl9fumRMuYVjAcvWXviBKP2pdQVNkxoeCxaGjWnx4HvTOLnUf7ywKekX77AkcVT7AEPFvx9XgLM4XcYxRt/5DBECZebyPprmDzGHGJkwQ17CdnCQqZlKSvuavpVywgJ720Nc7tVUtchqJ+3b+Fb5WP4+jJo1eiZVqk9OH01lvb/ldRd+B8gO7qvbhzkiP5PKkB4pQHG8ZKInmjT7XCoW3snSMcLHcMUuQLB42BlDsZWWD/ZnJClN+sb73b8Z2IF66Mf/Ohyv8dS+qgDVgvgIYE3L6dhHZV9q5Hv4G7aaBYsVuAAw1

bitcount:2048 <<< New RSA keypair we generated, as evidenced by the changed bitcount
fingerprint:
SHA256:zFyN4+SHIKG90LceQDtAmrQnTDO3zHRYHNhyXqW3BkI
**************************************

I hope that this helps!

 

-Christopher
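
An added example, not part of the reply above and not Cisco code: a Python check that decodes the ssh-rsa line from pasted `show ssh key rsa` output and derives the key length from the RSA modulus itself, so the result does not depend on the bitcount line. SAMPLE is the default-key output quoted in the post; the 2048-bit floor (MIN_BITS) and the function names are assumptions made for this example.

```python
import base64
import hashlib
import re
import struct

MIN_BITS = 2048  # assumed policy floor: the key length the thread is aiming for

# Default-key output from the post above, trimmed to the lines the audit reads.
SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCQVxlXI/fGGcJvsKe6hrz1+djdr6B7vHYcovNEaUlSrl2Ns1xys8vRy0Y9qHrO8doAUJs+PUSqkhW3jk5yhplETDAndWv6cB50k7DALJ+1pRu1EspOF9u3jPNSqOtTA8b0Z+CvAPyu9Tp4gHT4z1NhI/9os13HDYtuS5PcJH6gaw==
bitcount:1024
fingerprint:
SHA256:kbo6UwxUXXxKd2l1t8saytLlFaiX/UdJu9nHw2r1eZs
"""

def parse_ssh_rsa(b64_blob):
    """Decode an ssh-rsa public key blob; return (modulus bits, SHA256 fingerprint)."""
    raw = base64.b64decode(b64_blob, validate=True)
    fields, off = [], 0
    while off < len(raw):  # each field: uint32 big-endian length, then data
        if len(raw) - off < 4:
            raise ValueError("truncated length field")
        (size,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        if size > len(raw) - off:
            raise ValueError("truncated field")
        fields.append(raw[off:off + size])
        off += size
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    bits = int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
    digest = hashlib.sha256(raw).digest()
    return bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_host_key(show_output, min_bits=MIN_BITS):
    """Check pasted `show ssh key rsa` text against the minimum key length."""
    key = re.search(r"^ssh-rsa\s+(\S+)", show_output, re.M)
    if key is None:
        raise ValueError("no ssh-rsa line found")
    bits, fingerprint = parse_ssh_rsa(key.group(1))
    reported = re.search(r"^bitcount:\s*(\d+)", show_output, re.M)
    return {
        "bits": bits,  # derived from the modulus, not from the bitcount line
        "reported": int(reported.group(1)) if reported else None,
        "fingerprint": fingerprint,  # OpenSSH-style, for comparison with the client
        "compliant": bits >= min_bits,
    }

if __name__ == "__main__":
    print(audit_host_key(SAMPLE))
```

The fingerprint is computed the way OpenSSH does it (unpadded base64 of SHA-256 over the key blob), so it can be compared with the fingerprint an SSH client displays. Because `ssh key rsa 2048 force` replaces the host key, the fingerprint changes, as the two outputs above show, and clients that cached the old key will report a host key mismatch until their known_hosts entry is updated.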


Hi, thanks for the reply and info. So am I correct in my understanding...

In IOS, to enable SSH between a laptop acting as my SSH client and an IOS switch, I would use the following:

'crypto key generate rsa modulus 2048', and apply 'transport input ssh' to the vty lines, etc.

In the NXOS world, an RSA key pair of RSA 1024 is already generated by default. To ensure this is 2048 bit, I need to issue:

'ssh key rsa 2048 force'

Therefore there is no need to use 'crypto key generate rsa modulus 2048' to accomplish this task in NXOS, of simply accessing the switch via SSH from a laptop.

 

Thanks


Hello!

Your explanation is correct! crypto key generate rsa modulus 2048 is not required in NX-OS in order to SSH into the device by default, which differs from traditional IOS network devices. NX-OS automatically generates a 1024-bit RSA keypair by default for its built-in SSH server - if your environment requires SSH servers to have a greater key length, then the ssh key rsa 2048 force command will replace the existing default 1024-bit RSA keypair with a new, 2048-bit RSA keypair.

I hope this helps!

 

-Christopher


Thanks for the confirmation.  Appreciated.