
Regenerate SSH Keys

Jim Yorke
Level 1

Hello all,

I have a Cisco Catalyst switch that is currently in production that I need to change the hostname on. It is currently running SSH, and I need to know if I will have to regenerate the keys after the hostname is changed. I access the switch using Termius remotely, due to it being so far away from my location. If I go ahead and change the hostname, will I lose access to the switch in Termius, and if I do, how can I get it reconnected? Forgive the lack of knowledge, as I have assumed this position with very little information on the network and very basic training.


13 Replies

balaji.bandi
Hall of Fame

Technically changing the hostname will not cause any issues.

Here are the steps I follow:

1. In one SSH session, connect to the device and change the hostname (do not disconnect).

2. Open another session to verify that you are still able to log in.

Note: make sure the associated information is also changed on the rest of the devices, for example if it is registered in DNS, or in an NMS, and so on.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for the response. So I will not need to regenerate the SSH keys?

Not that I am aware of, unless you have an association with a domain, like hostname.domain.com.

Check for any association:

show crypto key mypubkey rsa


BB

This is what it shows:

Key name: TP-self-signed-327XXXXXXX
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.

Key pair was generated at: 19:15:34 UTC Jan 6 2023
Key name: TP-self-signed-327XXXXXXX.server
Temporary key
Usage: Encryption Key
Key is not exportable.

OK, you are good to go and change the hostname; I do not see any issue here.

BB


My experience is quite different. I believe that if you change the host name this will invalidate the existing RSA keys and a new key needs to be generated. I believe, but am not sure, that existing SSH sessions will not be impacted, but new sessions cannot be established until the key is regenerated. To be safe I would suggest using these steps:

- I know that SSH is more secure/better than telnet, but is it possible to telnet to the switch? If so, make the changes in a telnet session, since telnet will not be impacted by the RSA key. If telnet is not possible, then:

- create a text file with the appropriate commands to change the host name and to generate new RSA keys.

- on the switch, use the copy run start command to be sure that you have a fresh copy of the config.

- on the switch, use reload in X to schedule a reload which would revert the config changes if there should be a problem with the changes.

- on the switch, use copy tftp run to copy the config changes into the running config.

- if you lose your SSH connection (which I do not think will happen), attempt a new SSH connection. If the new session is successful, then cancel the scheduled reload. If the new session is not successful, then the scheduled reload will revert the changes and you will be back where you started.

- if your original session is still active, attempt a new SSH connection to verify that the new key works. If the new SSH session is successful, then cancel the scheduled reload.

HTH

Rick

I ran a small lab:
I configured SSH using username admin, password admin, and kept the default hostname R1.
I can access the router via SSH.
Then I changed the hostname to MHM,
and you can see that even without regenerating the key I can access the router via SSH.

I hope this lab helps you.
If you have questions, please share them here.

[Screenshot (184).png]

Richard, thank you for the reply. If I go ahead and change the host name and SSH no longer works, what is the process to regenerate the keys and restore SSH access? If I need to, I can travel to the site and console into the switch if needed to regenerate the keys.

You are welcome. It is good to know that going to the site and accessing via console is a possibility. I will suggest we consider that as a last resort. There are 2 things that you need to do: change the host name and generate a new RSA key. In a previous reply I gave several suggestions: use a telnet session instead of an SSH session to make the changes, or put the commands into a text file and send them to the device using tftp. In either approach it would be good to start with something like "reload in 10", so that if something goes wrong in the process you would revert to the original working config.

HTH

Rick
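The two procedures described above (Rick's scheduled-reload safety net, and the two-session login test from earlier in the thread) written out as one IOS command sequence. This is an added example, not a post from the thread or Cisco documentation; the new hostname SW-NEW, the key label SSH-KEY, the 2048-bit modulus and the 10-minute window are assumed placeholders, and the commands are entered from the existing SSH (or telnet/console) session.

```cisco
! Added example (not from the thread). Assumed values: hostname SW-NEW,
! key label SSH-KEY, 10-minute reload window.
!
! 1. Make sure startup-config is a fresh copy of the known-good config,
!    so a reload lands on exactly what is running now.
copy running-config startup-config
!
! 2. Arm the safety net: if you lock yourself out, the switch reboots into
!    the saved config after 10 minutes. Nothing below is saved until step 6.
reload in 10
!
! 3. Change the hostname and generate a new RSA key pair with an explicit
!    label, then tell the SSH server to use that key. A labelled key is not
!    tied to the hostname/domain-derived default name.
configure terminal
 hostname SW-NEW
 crypto key generate rsa label SSH-KEY modulus 2048
 ip ssh rsa keypair-name SSH-KEY
end
!
! 4. Confirm the SSH server is still enabled and see which key it reports.
show ip ssh
show crypto key mypubkey rsa
!
! 5. Leave this session open. From a SECOND client session, open a new SSH
!    connection to the switch and log in. Only once that succeeds:
!
! 6. Cancel the pending reload and save the working config.
reload cancel
copy running-config startup-config
```

Two caveats for the reconnect. If step 5 fails and you do nothing, `reload in 10` reverts the box for you; do not run `reload cancel` until a fresh login has succeeded. And because step 3 creates a new host key, Termius (like any SSH client) will warn that the switch's host key has changed on the next connection; compare the fingerprint it shows against `show crypto key mypubkey rsa` from the still-open session or the console before accepting it, so that a real man-in-the-middle is not waved through as "just the new key".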

Jim Yorke
Level 1

So if I change the hostname of the switch and lose the connection to it and have to regenerate the keys, what would be the process? I can get to the switch and console in if needed to regenerate them.

That is good, if you can access via console.
For my lab, I changed the hostname and I can access via SSH without regenerating the key.

If anyone can offer console access to be safe, since you are more cautious, it is your own call.

As we mentioned, changing the hostname does not cause any issue; I also suggest the two-session method to test it.

BB


I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick