4626 Views, 10 Helpful, 8 Replies

SSH config options on Nexus 93180YC-FX

NGJ (Level 1)

Hi.

Is there a difference in using either of these commands to configure SSH with a 2048-bit key? I'm configuring on a Nexus 93180YC-FX and some Nexus 9348 switches. If so, can you explain the differences in using either? Various config guides detail different methods. Not sure of the difference or the recommended one to use.

crypto key generate rsa modulus 2048

ssh key rsa 2048

Thanks


8 Replies

Christopher Hart (Cisco Employee)

Hello!

crypto key generate rsa modulus creates an RSA keypair that can be used for a variety of purposes - most commonly, this is a prerequisite to configuring a Nexus with a PKI (Public Key Infrastructure) Trustpoint/CA. This command is best documented in the "Configuring PKI" chapter of the Nexus 9000 NX-OS Security Configuration Guide. This type of RSA keypair is not automatically generated by the device. The below CLI output shows an example of how to generate and view this keypair.

N9K# show crypto key mypubkey rsa 
N9K# <<< Empty output indicates no keypair exists
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# crypto key generate rsa modulus 2048
N9K(config)# end
N9K# show crypto key mypubkey rsa
key label: N9K
key size: 2048
exportable: no
key-pair already generated

ssh key rsa 2048 creates a 2048-bit RSA keypair that is used by the built-in SSH server. By default, Nexus 9000 devices running NX-OS 9.3(x) automatically generate a 1024-bit RSA keypair for the SSH server. This command is best documented in the "Configuring SSH and Telnet" chapter of the Nexus 9000 NX-OS Security Configuration Guide. The below CLI output shows an example of how to view the default keypair that is generated, as well as how to generate a new one. Note the force keyword that is used to overwrite the existing SSH keypair that was automatically generated.

N9K# show ssh key rsa 
**************************************
rsa Keys generated:Mon Oct 14 23:57:54 2019

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCQVxlXI/fGGcJvsKe6hrz1+djdr6B7vHYcovNEaUlSrl2Ns1xys8vRy0Y9qHrO8doAUJs+PUSqkhW3jk5yhplETDAndWv6cB50k7DALJ+1pRu1EspOF9u3jPNSqOtTA8b0Z+CvAPyu9Tp4gHT4z1NhI/9os13HDYtuS5PcJH6gaw==

bitcount:1024 <<< This is the default RSA keypair generated by NX-OS on initial configuration
fingerprint:
SHA256:kbo6UwxUXXxKd2l1t8saytLlFaiX/UdJu9nHw2r1eZs
**************************************
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# ssh key rsa 2048 force
N9K(config)# end
N9K# show ssh key rsa
**************************************
rsa Keys generated:Tue Jan 28 22:25:51 2020

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWavsZsk+KmGkpQaL/fpBMhRLGCGXrvsHjqwlWl9fumRMuYVjAcvWXviBKP2pdQVNkxoeCxaGjWnx4HvTOLnUf7ywKekX77AkcVT7AEPFvx9XgLM4XcYxRt/5DBECZebyPprmDzGHGJkwQ17CdnCQqZlKSvuavpVywgJ720Nc7tVUtchqJ+3b+Fb5WP4+jJo1eiZVqk9OH01lvb/ldRd+B8gO7qvbhzkiP5PKkB4pQHG8ZKInmjT7XCoW3snSMcLHcMUuQLB42BlDsZWWD/ZnJClN+sb73b8Z2IF66Mf/Ohyv8dS+qgDVgvgIYE3L6dhHZV9q5Hv4G7aaBYsVuAAw1

bitcount:2048 <<< New RSA keypair we generated, as evidenced by the changed bitcount
fingerprint:
SHA256:zFyN4+SHIKG90LceQDtAmrQnTDO3zHRYHNhyXqW3BkI
**************************************

I hope that this helps!

-Christopher

Hi, thanks for the reply and info. So am I correct in my understanding...

In IOS, to enable SSH between a laptop acting as my SSH client and an IOS switch, I would use the following:

'crypto key generate rsa modulus 2048', and apply 'transport input ssh' to the vty lines, etc.

In the NX-OS world, an RSA key pair of 1024 bits is already generated by default. To ensure this is 2048-bit, I need to issue:

'ssh key rsa 2048 force'

Therefore there is no need to use 'crypto key generate rsa modulus 2048' to accomplish this task in NX-OS, which is simply accessing the switch via SSH from a laptop.

Thanks

Hello!

Your explanation is correct! crypto key generate rsa modulus 2048 is not required in NX-OS in order to SSH into the device by default, which differs from traditional IOS network devices. NX-OS automatically generates a 1024-bit RSA keypair by default for its built-in SSH server - if your environment requires SSH servers to have a greater key length, then the ssh key rsa 2048 force command will replace the existing default 1024-bit RSA keypair with a new, 2048-bit RSA keypair.

I hope this helps!

-Christopher

Thanks for the confirmation.  Appreciated.

Hi Chris!

Thank you for your good sharing. May I ask, will implementing the "ssh key rsa 2048 force" command impact the switch's current running traffic/operation? Planning to do it but worried it might impact clients' production.

Appreciate your kind help.

Thank you!

Hello!

This is a very low-risk command. It does not interrupt your existing SSH session to the switch; the new SSH key is used on the next SSH session to the switch. It has an exceptionally low chance of impacting any control plane protocols as well, so I would say it's safe to execute in a production environment.

Thank you!

-Christopher

Alright thank you so much for your help!

Really appreciate it!

Is there a way to keep the RSA key static? The situation is that when I am restoring a configuration, I am currently scp'ing it to startup and reloading the Nexus. On reboot, it creates a new SSH host key, and that breaks my automation until I delete the known hosts. This only happens when I restore by copying to startup... Or is there a better method of restoring the configuration on the switch, like just copying the file to bootflash:startup.cfg or whatever the filename is?
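Added example (not code from this thread or from Cisco): a small Python check that ties Christopher's "show ssh key rsa" walkthrough to the host-key problem raised in this last post. It parses the ssh-rsa blob from "show ssh key rsa" output, computes the modulus size itself (so the 1024 vs 2048 bitcount is verified from the key rather than trusted from the CLI), derives the OpenSSH-style SHA256 fingerprint, and compares it with a fingerprint the automation has pinned (the value known_hosts would hold). The sample input is the two outputs quoted earlier in the thread, trimmed to the lines the parser needs; the function and field names are my own, not an NX-OS or OpenSSH API.

```python
import base64
import hashlib
import re
import struct

# Constructed sample input: the "show ssh key rsa" outputs quoted in the thread,
# before and after "ssh key rsa 2048 force" (annotations removed).
SHOW_BEFORE = """\
**************************************
rsa Keys generated:Mon Oct 14 23:57:54 2019

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCQVxlXI/fGGcJvsKe6hrz1+djdr6B7vHYcovNEaUlSrl2Ns1xys8vRy0Y9qHrO8doAUJs+PUSqkhW3jk5yhplETDAndWv6cB50k7DALJ+1pRu1EspOF9u3jPNSqOtTA8b0Z+CvAPyu9Tp4gHT4z1NhI/9os13HDYtuS5PcJH6gaw==

bitcount:1024
fingerprint:
SHA256:kbo6UwxUXXxKd2l1t8saytLlFaiX/UdJu9nHw2r1eZs
**************************************
"""

SHOW_AFTER = """\
**************************************
rsa Keys generated:Tue Jan 28 22:25:51 2020

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWavsZsk+KmGkpQaL/fpBMhRLGCGXrvsHjqwlWl9fumRMuYVjAcvWXviBKP2pdQVNkxoeCxaGjWnx4HvTOLnUf7ywKekX77AkcVT7AEPFvx9XgLM4XcYxRt/5DBECZebyPprmDzGHGJkwQ17CdnCQqZlKSvuavpVywgJ720Nc7tVUtchqJ+3b+Fb5WP4+jJo1eiZVqk9OH01lvb/ldRd+B8gO7qvbhzkiP5PKkB4pQHG8ZKInmjT7XCoW3snSMcLHcMUuQLB42BlDsZWWD/ZnJClN+sb73b8Z2IF66Mf/Ohyv8dS+qgDVgvgIYE3L6dhHZV9q5Hv4G7aaBYsVuAAw1

bitcount:2048
fingerprint:
SHA256:zFyN4+SHIKG90LceQDtAmrQnTDO3zHRYHNhyXqW3BkI
**************************************
"""


def _ssh_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(pubkey_b64):
    """Modulus size in bits, read from the key blob itself: type, e, n."""
    blob = base64.b64decode(pubkey_b64)
    key_type, off = _ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    _exponent, off = _ssh_string(blob, off)
    modulus, _ = _ssh_string(blob, off)
    # A leading 0x00 byte (sign padding) does not count toward the bit length.
    return int.from_bytes(modulus, "big").bit_length()


def openssh_sha256_fingerprint(pubkey_b64):
    """OpenSSH fingerprint format: SHA256 over the raw blob, base64, '=' stripped."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_show_ssh_key_rsa(output):
    """Extract the key blob plus the bitcount and fingerprint the switch printed."""
    key = re.search(r"^ssh-rsa\s+(\S+)", output, re.M)
    bits = re.search(r"^bitcount:(\d+)", output, re.M)
    fp = re.search(r"^(SHA256:\S+)", output, re.M)
    if not key:
        raise ValueError("no ssh-rsa key found in output")
    return {
        "pubkey": key.group(1),
        "reported_bits": int(bits.group(1)) if bits else None,
        "reported_fingerprint": fp.group(1) if fp else None,
    }


def check_host_key(output, pinned_fingerprint=None, min_bits=2048):
    """Verify key size against policy and the fingerprint against a pinned value."""
    parsed = parse_show_ssh_key_rsa(output)
    bits = rsa_modulus_bits(parsed["pubkey"])
    fingerprint = openssh_sha256_fingerprint(parsed["pubkey"])
    return {
        "bits": bits,
        "fingerprint": fingerprint,
        "meets_minimum": bits >= min_bits,
        "bits_match_cli": parsed["reported_bits"] == bits,
        "fingerprint_matches_cli": parsed["reported_fingerprint"] == fingerprint,
        # None when nothing is pinned; False means the host key changed.
        "matches_pin": (fingerprint == pinned_fingerprint) if pinned_fingerprint else None,
    }


if __name__ == "__main__":
    before = check_host_key(SHOW_BEFORE)
    # Pin what the automation currently trusts, then check the post-change key.
    after = check_host_key(SHOW_AFTER, pinned_fingerprint=before["fingerprint"])
    for label, result in (("before", before), ("after", after)):
        print(label, result)
```

Run against the real device by feeding it the captured "show ssh key rsa" text. A "matches_pin" of False right after "ssh key rsa 2048 force" is the expected, explainable change and is the moment to update known_hosts; the same False after a config restore and reload is the unexplained host-key change this post describes, and surfacing it explicitly is preferable to an SSH client that silently fails or to deleting known_hosts wholesale.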
