
RSA key on switch

jkay18041
Level 3

We recently took over a network switch for one of our properties that was managed by a vendor, since it was riddled with security holes. The RSA key is 768 bit. If I wanted to make it 2048 or 4096, could I just run the crypto key generate rsa command and have it recreate the key? I am not on site and do not have access to it via the console port, so if this will kill SSH I can't do this. If it kills the current session but I can just start a new one with the new key right away, that is fine.

 

Thank you

3 Replies

omz
VIP Alumni

Hi

Your session should not get disconnected if you create a new SSH key with a different bit size. It may take a few minutes (3-5 min) to generate the key if you choose 4096. But the session should not drop.

While key generation is in progress, any new sessions will be refused.

R1#ssh -l cisco 1.1.1.1
Password: 
R2#
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#cry key gen rsa
The name for the keys will be: R2.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 16 seconds)

R2(config)#
R2(config)#

HTH

What is the device model, and what IOS version is running?

 

BB

This is a good response which shows clearly that generating a new RSA key does not impact the existing SSH session. It clearly addresses the concern expressed in the original post. +5 for this.

 

HTH

 

Rick
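
To confirm the new key size from the management station after regenerating, this added example (not from the thread or from Cisco) parses `ssh-keyscan -t rsa` style output and reports each host's RSA modulus size. The 2048-bit floor, the function names and the sample hosts are assumptions, and the sample keys are constructed values, not real keys.

```python
import base64

MIN_RSA_BITS = 2048  # assumed policy floor; the switch in the thread had 768 bits

def read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string') -> (data, next_offset)."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if len(blob) < offset + 4 or end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def rsa_modulus_bits(b64_blob):
    """Return the modulus size in bits of a base64 ssh-rsa public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exponent, off = read_string(blob, off)   # public exponent e, not needed here
    modulus, off = read_string(blob, off)     # modulus n, big-endian mpint
    return int.from_bytes(modulus, "big").bit_length()

def audit_keyscan(text, min_bits=MIN_RSA_BITS):
    """Return (host, bits, ok) for every ssh-rsa line of ssh-keyscan output."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or fields[1] != "ssh-rsa":
            continue  # skip blanks, comments and non-RSA host keys
        bits = rsa_modulus_bits(fields[2])
        results.append((fields[0], bits, bits >= min_bits))
    return results

def constructed_line(host, bits):
    """Build a sample keyscan line around a made-up modulus (not a real key)."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    # Made-up modulus with the requested bit length; leading 0x00 as mpint requires.
    n_bytes = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n_bytes)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed input: one host still on a 768-bit key, one already regenerated.
SAMPLE = "\n".join(["# constructed sample, not captured output",
                    constructed_line("192.0.2.10", 768),
                    constructed_line("192.0.2.11", 2048)])

if __name__ == "__main__":
    for host, bits, ok in audit_keyscan(SAMPLE):
        print(f"{host}: RSA {bits} bits -> {'ok' if ok else 'WEAK, regenerate'}")
```

Because regeneration replaces the host key, SSH clients that cached the old key will report a host key mismatch on the next connection until their known-hosts entry is updated.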
