Key size cannot be changed in switch 3850/16.9

Leftz
Level 4

Hi, after changing the key size to 2048 with the two commands below, why is it still 1024? Thank you!

crypto key generate rsa modulus 2048

ip ssh dh min size 2048

 

#do sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
MAC Algorithms:hmac-sha1
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-506
Modulus Size : 1024 bits

4 Replies

balaji.bandi
Hall of Fame

Minimum expected Diffie Hellman key size : 2048 bits - what is the issue?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz
Level 4

Thanks for your reply. The issue is that the two commands do not work. After adding the two commands to change the key size, the key size does not change.

I can see 2048 DH, what am I missing here?

BB


Marvin Rhoads
Hall of Fame

When you create a new RSA key (could even be 4096-bits) give it a name and then make sure that key name is bound to the ssh service. Here are a couple of guides for doing so with detailed examples:

https://community.cisco.com/t5/security-knowledge-base/guide-to-better-ssh-security/ta-p/3133344

https://community.cisco.com/t5/networking-knowledge-base/configuring-ios-xe-for-strong-security-ssh-sessions/ta-p/4556490
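
An added example (not part of the thread and not Cisco code): a small audit that parses the `show ip ssh` output from the question and reports the Diffie-Hellman minimum and the host key modulus as the two separate settings they are, together with the name of the key pair SSH is serving. The function names and the 2048-bit threshold are assumptions.

```python
import re

# "show ip ssh" output copied from the question above (algorithm lines omitted).
SAMPLE = """\
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-506
Modulus Size : 1024 bits
"""

DH_RE = re.compile(r"Minimum expected Diffie Hellman key size\s*:\s*(\d+)\s*bits")
KEY_RE = re.compile(r"IOS Keys in SECSH format\(([^,)]+)[^)]*\):\s*(\S+)")
MOD_RE = re.compile(r"Modulus Size\s*:\s*(\d+)\s*bits")


def parse_show_ip_ssh(text):
    """Pull out the two independent sizes and the key pair SSH is using."""
    def bits(rx):
        m = rx.search(text)
        return int(m.group(1)) if m else None

    key = KEY_RE.search(text)
    return {
        "dh_min_bits": bits(DH_RE),    # the value "ip ssh dh min size" controls
        "hostkey_bits": bits(MOD_RE),  # modulus of the key pair SSH serves
        "hostkey_type": key.group(1) if key else None,
        "hostkey_name": key.group(2) if key else None,
    }


def audit(text, min_rsa_bits=2048):
    """Return findings; min_rsa_bits is an assumed policy value."""
    info = parse_show_ip_ssh(text)
    size, name = info["hostkey_bits"], info["hostkey_name"]
    findings = []
    if size is None:
        findings.append("no host key modulus reported")
    elif size < min_rsa_bits:
        findings.append(
            f"host key '{name}' is {size} bits, below {min_rsa_bits}: "
            "SSH is serving this key pair; bind a larger named key to SSH"
        )
    if info["dh_min_bits"] is not None and info["dh_min_bits"] < min_rsa_bits:
        findings.append(f"DH minimum is {info['dh_min_bits']} bits")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the posted output, it reports only the host key `TP-self-signed-506`: the DH minimum took effect, while SSH is still serving the 1024-bit key pair of that name.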

 
