01-28-2020 09:39 AM
Hi.
Is there a difference in using either of these commands to configure ssh with a 2048 bit key? I'm configuring on a Nexus 93180YC-FX and some Nexus 9348 switches. If so, can you explain the differences in using either? Various config guides detail different methods. Not sure of the difference or the recommended one to use.
crypto key generate rsa modulus 2048
ssh key rsa 2048
Thanks
01-28-2020 02:30 PM
Hello!
crypto key generate rsa modulus creates an RSA keypair that can be used for a variety of purposes - most commonly, this is a prerequisite to configuring a Nexus with a PKI (Public Key Infrastructure) Trustpoint/CA. This command is best documented in the "Configuring PKI" chapter of the Nexus 9000 NX-OS Security Configuration Guide. This type of RSA keypair is not automatically generated by the device. The below CLI output shows an example of how to generate and view this keypair.
N9K# show crypto key mypubkey rsa
N9K# <<< Empty output indicates no keypair exists
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# crypto key generate rsa modulus 2048
N9K(config)# end
N9K# show crypto key mypubkey rsa
key label: N9K
key size: 2048
exportable: no
key-pair already generated
ssh key rsa 2048 creates a 2048-bit RSA keypair that is used by the built-in SSH server. By default, Nexus 9000 devices running NX-OS 9.3(x) automatically generate a 1024-bit RSA keypair for the SSH server. This command is best documented in the "Configuring SSH and Telnet" chapter of the Nexus 9000 NX-OS Security Configuration Guide. The below CLI output shows an example of how to view the default keypair that is generated, as well as how to generate a new one. Note the force keyword that is used to overwrite the existing SSH keypair that was automatically generated.
N9K# show ssh key rsa
**************************************
rsa Keys generated:Mon Oct 14 23:57:54 2019
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCQVxlXI/fGGcJvsKe6hrz1+djdr6B7vHYcovNEaUlSrl2Ns1xys8vRy0Y9qHrO8doAUJs+PUSqkhW3jk5yhplETDAndWv6cB50k7DALJ+1pRu1EspOF9u3jPNSqOtTA8b0Z+CvAPyu9Tp4gHT4z1NhI/9os13HDYtuS5PcJH6gaw==
bitcount:1024 <<< This is the default RSA keypair generated by NX-OS on initial configuration
fingerprint:
SHA256:kbo6UwxUXXxKd2l1t8saytLlFaiX/UdJu9nHw2r1eZs
**************************************
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# ssh key rsa 2048 force
N9K(config)# end
N9K# show ssh key rsa
**************************************
rsa Keys generated:Tue Jan 28 22:25:51 2020
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWavsZsk+KmGkpQaL/fpBMhRLGCGXrvsHjqwlWl9fumRMuYVjAcvWXviBKP2pdQVNkxoeCxaGjWnx4HvTOLnUf7ywKekX77AkcVT7AEPFvx9XgLM4XcYxRt/5DBECZebyPprmDzGHGJkwQ17CdnCQqZlKSvuavpVywgJ720Nc7tVUtchqJ+3b+Fb5WP4+jJo1eiZVqk9OH01lvb/ldRd+B8gO7qvbhzkiP5PKkB4pQHG8ZKInmjT7XCoW3snSMcLHcMUuQLB42BlDsZWWD/ZnJClN+sb73b8Z2IF66Mf/Ohyv8dS+qgDVgvgIYE3L6dhHZV9q5Hv4G7aaBYsVuAAw1
bitcount:2048 <<< New RSA keypair we generated, as evidenced by the changed bitcount
fingerprint:
SHA256:zFyN4+SHIKG90LceQDtAmrQnTDO3zHRYHNhyXqW3BkI
**************************************
I hope that this helps!
-Christopher
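The two "show ssh key rsa" outputs above can be checked independently of what the switch prints. The Python script below is an added example for this thread (it is not Cisco's code and not part of the original reply): it parses the output, decodes the ssh-rsa public-key blob (RFC 4253 wire format: string "ssh-rsa", mpint e, mpint n) to measure the modulus size itself, recomputes the OpenSSH-style SHA256 fingerprint, checks the key against a minimum length, and emits a known_hosts line so the host key can be pinned on the management host. The sample inputs are the two outputs quoted in the reply; the hostname n9k.example.net and the 2048-bit policy threshold are assumptions.

```python
import base64
import hashlib
import re
import struct

# Sample inputs: the two "show ssh key rsa" outputs quoted in this thread
# (the default 1024-bit key and the 2048-bit key generated with
# "ssh key rsa 2048 force"), without the "<<<" annotations.
SHOW_SSH_KEY_DEFAULT = """**************************************
rsa Keys generated:Mon Oct 14 23:57:54 2019
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCQVxlXI/fGGcJvsKe6hrz1+djdr6B7vHYcovNEaUlSrl2Ns1xys8vRy0Y9qHrO8doAUJs+PUSqkhW3jk5yhplETDAndWv6cB50k7DALJ+1pRu1EspOF9u3jPNSqOtTA8b0Z+CvAPyu9Tp4gHT4z1NhI/9os13HDYtuS5PcJH6gaw==
bitcount:1024
fingerprint:
SHA256:kbo6UwxUXXxKd2l1t8saytLlFaiX/UdJu9nHw2r1eZs
**************************************
"""

SHOW_SSH_KEY_2048 = """**************************************
rsa Keys generated:Tue Jan 28 22:25:51 2020
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWavsZsk+KmGkpQaL/fpBMhRLGCGXrvsHjqwlWl9fumRMuYVjAcvWXviBKP2pdQVNkxoeCxaGjWnx4HvTOLnUf7ywKekX77AkcVT7AEPFvx9XgLM4XcYxRt/5DBECZebyPprmDzGHGJkwQ17CdnCQqZlKSvuavpVywgJ720Nc7tVUtchqJ+3b+Fb5WP4+jJo1eiZVqk9OH01lvb/ldRd+B8gO7qvbhzkiP5PKkB4pQHG8ZKInmjT7XCoW3snSMcLHcMUuQLB42BlDsZWWD/ZnJClN+sb73b8Z2IF66Mf/Ohyv8dS+qgDVgvgIYE3L6dhHZV9q5Hv4G7aaBYsVuAAw1
bitcount:2048
fingerprint:
SHA256:zFyN4+SHIKG90LceQDtAmrQnTDO3zHRYHNhyXqW3BkI
**************************************
"""


def parse_show_ssh_key(output):
    """Pull the key type, public key blob, reported bitcount and reported
    fingerprint out of 'show ssh key rsa' text."""
    key_match = re.search(r"^(ssh-rsa)\s+([A-Za-z0-9+/=]+)", output, re.M)
    if not key_match:
        raise ValueError("no ssh-rsa key line found in output")
    bits_match = re.search(r"bitcount:\s*(\d+)", output)
    fp_match = re.search(r"SHA256:[A-Za-z0-9+/]+", output)
    return {
        "key_type": key_match.group(1),
        "blob_b64": key_match.group(2),
        "reported_bits": int(bits_match.group(1)) if bits_match else None,
        "reported_fingerprint": fp_match.group(0) if fp_match else None,
    }


def _read_string(buf, offset):
    # SSH wire format: 4-byte big-endian length, then that many bytes.
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated ssh key blob")
    return buf[offset:offset + length], offset + length


def rsa_bits_from_blob(blob_b64):
    """Decode an ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n) and
    return the real bit length of the modulus n, independent of the
    'bitcount' the device reports."""
    raw = base64.b64decode(blob_b64)
    key_type, offset = _read_string(raw, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    _exponent, offset = _read_string(raw, offset)
    modulus, offset = _read_string(raw, offset)
    if offset != len(raw):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(modulus, "big").bit_length()


def sha256_fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(hostname, key_type, blob_b64):
    """Entry that pins this host key in ~/.ssh/known_hosts on the management host."""
    return "%s %s %s" % (hostname, key_type, blob_b64)


def audit_ssh_key(output, hostname, min_bits=2048):
    """Cross-check what the switch printed against the key material itself."""
    parsed = parse_show_ssh_key(output)
    actual_bits = rsa_bits_from_blob(parsed["blob_b64"])
    actual_fp = sha256_fingerprint(parsed["blob_b64"])
    return {
        "actual_bits": actual_bits,
        "bitcount_matches": parsed["reported_bits"] == actual_bits,
        "fingerprint_matches": parsed["reported_fingerprint"] == actual_fp,
        "meets_minimum": actual_bits >= min_bits,
        "fingerprint": actual_fp,
        "known_hosts": known_hosts_line(hostname, parsed["key_type"], parsed["blob_b64"]),
    }


if __name__ == "__main__":
    # n9k.example.net is an assumed hostname for the switch.
    for label, text in (("default key", SHOW_SSH_KEY_DEFAULT), ("after force", SHOW_SSH_KEY_2048)):
        result = audit_ssh_key(text, "n9k.example.net")
        print(label, result["actual_bits"], "bits,",
              "policy ok" if result["meets_minimum"] else "BELOW MINIMUM,",
              result["fingerprint"])
```

Run it with the pasted output of "show ssh key rsa" and compare the fingerprint it computes with what ssh-keygen -lf prints for the same key line on the management host; the known_hosts entry it produces is what lets automation verify the switch's identity instead of accepting whatever key it presents on first connection.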
01-29-2020 08:43 AM
Hi, thanks for the reply and info. So am I correct in my understanding...
In IOS, to enable ssh between a laptop acting as my ssh client, and IOS switch I would use the following:
'crypto key generate rsa modulus 2048', and apply 'transport input ssh' to the vty lines, etc
In the NXOS world, a RSA key pair of RSA 1024 is already generated by default. To ensure this is 2048 bit, I need to issue:
'ssh key rsa 2048 force'
Therefore there is no need to use 'crypto key generate rsa modulus 2048' to accomplish this task in NXOS, which is simply accessing the switch via ssh from a laptop.
Thanks
01-30-2020 04:42 AM
Hello!
Your explanation is correct! crypto key generate rsa modulus 2048 is not required in NX-OS in order to SSH into the device by default, which differs from traditional IOS network devices. NX-OS automatically generates a 1024-bit RSA keypair by default for its built-in SSH server - if your environment requires SSH servers to have a greater key length, then the ssh key rsa 2048 force command will replace the existing default 1024-bit RSA keypair with a new, 2048-bit RSA keypair.
I hope this helps!
-Christopher
01-30-2020 04:44 AM
Thanks for the confirmation. Appreciated.
12-04-2022 11:25 PM
Hi Chris!
Thank you for your good sharing. May I ask, will implementing the "ssh key rsa 2048 force" command impact the switch's current running traffic/operation? Planning to do it but worried it might impact clients' production.
Appreciate your kind help.
Thank you!
12-06-2022 06:05 PM
Hello!
This is a very low-risk command. It does not interrupt your existing SSH session to the switch; the new SSH key is used on the next SSH session to the switch. It has an exceptionally low chance of impacting any control plane protocols as well, so I would say it's safe to execute in a production environment.
Thank you!
-Christopher
12-07-2022 07:04 PM
Alright thank you so much for your help!
Really appreciate it!
02-22-2023 09:02 AM
Is there a way to keep the RSA key static? The situation is that when I am restoring a configuration, I am currently scp'ing it to startup and reloading the nexus. On reboot, it creates a new ssh host key and that breaks my automation until I delete the known hosts. This only happens when I restore by copying to startup... Or is there a better method to restoring the configuration on the switch like just copying the file to bootflash:startup.cfg or whatever the filename is?