
SSH to ISR Requires Key Size of 1024?

Matthew Martin
Level 5

Hello All,

A few months back I noticed my WSL Linux was requiring me to add this "ssh -o RequiredRSASize=1024 user@ipaddr" to some hosts that I ssh to, this included a few servers and some Cisco gear.

I'm guessing my WSL had some update, or OpenSSH was updated, or something along those lines that increased the default minimum key size...

I have two ISR-4451Xs, and one of them is requiring me to include that option and the other is not. I'm guessing I need to generate a new RSA key on the one 4451X.

These ISRs are where some of our ISP connections are plugged in, so I wanted to be sure I got this right... Could someone tell me what commands are needed to do this, and whether it would require a reboot or cause any disruption to traffic?


!!! Box needing the extra cmd line option while ssh'ing:
4451X-HQ1#show run all | inc rsa
ip ssh server algorithm hostkey x509v3-ssh-rsa rsa-sha2-512 rsa-sha2-256 ssh-rsa
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 rsa-sha2-256 rsa-sha2-512

!!! Box working normally:
4451X-HQ2#show run all | inc rsa
 rsakeypair TP-self-signed-3313371257
ip ssh server algorithm hostkey x509v3-ssh-rsa rsa-sha2-512 rsa-sha2-256 ssh-rsa
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 rsa-sha2-256 rsa-sha2-512

 

And in my ssh_config in WSL I have the following. I think at some point I tried adding ciphers in order to not need that extra CLI option, but it didn't work:


# cat /etc/ssh/ssh_config | grep Ciphers
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

 

Thanks in Advance,
Matt
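Editor's note, added to this thread (not code from the original post, from the repliers, or from Cisco): the RequiredRSASize option the question refers to was added in OpenSSH 9.1. It sets the smallest RSA key the client will accept for host authentication (default 1024 bits; a distribution or a local ssh_config can set a higher value), so passing `-o RequiredRSASize=...` lowers the floor on the client rather than fixing the key on the device. The Ciphers line in ssh_config has no bearing on this, since cipher selection and host-key acceptance are separate negotiations. The quickest way to see which router has the short key is to read the modulus size out of its host key. The Python below parses the `ssh-rsa` wire format (RFC 4253: the key type string, then the mpints e and n) from `ssh-keyscan -t rsa <host>` output or from the `ssh-rsa AAA...` line that `show ip ssh` prints, reports the modulus size against a configurable floor, and computes the SHA256 fingerprint that `ssh-keygen -lf` and the ssh client display. The host names, the dummy moduli and the `encode_ssh_rsa` helper are constructed for the example; the moduli are not real RSA keys, only their bit length matters for this check.

```python
"""Size-check ssh-rsa host keys (e.g. `ssh-keyscan -t rsa <host>` output) against
OpenSSH's RequiredRSASize. Added example for this thread, not code from the post."""
import base64
import hashlib
import struct

# OpenSSH 9.1+ default for RequiredRSASize; raise it if your ssh_config/distro does.
OPENSSH_DEFAULT_REQUIRED_RSA_SIZE = 1024


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an RFC 4251 'mpint' (two's complement, so a
    leading 0x00 byte is added when the top bit of the first byte is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one RFC 4251 'string' at offset; return (payload, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def encode_ssh_rsa(e: int, n: int) -> str:
    """Build an 'ssh-rsa AAAA...' line from e and n (RFC 4253 public key format).
    Used here only to construct sample input; n is not checked for primality."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def _key_blob(pubkey_line: str) -> bytes:
    """Extract the base64 blob from either 'host ssh-rsa AAAA...' (ssh-keyscan)
    or 'ssh-rsa AAAA... comment' (key file / IOS 'show ip ssh') layouts."""
    fields = pubkey_line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa key line")
    return base64.b64decode(fields[fields.index("ssh-rsa") + 1])


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Return the RSA modulus size in bits; this is what RequiredRSASize compares."""
    blob = _key_blob(pubkey_line)
    key_type, off = _read_string(blob, 0)      # string  "ssh-rsa"
    if key_type != b"ssh-rsa":
        raise ValueError(f"unexpected key type {key_type!r}")
    _e, off = _read_string(blob, off)         # mpint   e (public exponent)
    n_bytes, _ = _read_string(blob, off)      # mpint   n (modulus)
    return int.from_bytes(n_bytes, "big").bit_length()


def fingerprint_sha256(pubkey_line: str) -> str:
    """The SHA256 fingerprint ssh-keygen -lf prints (base64, padding stripped)."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_hosts(keyscan_lines, required_bits=OPENSSH_DEFAULT_REQUIRED_RSA_SIZE):
    """Map host -> (modulus bits, accepted by a client with this RequiredRSASize?)."""
    result = {}
    for line in keyscan_lines:
        host = line.split()[0]
        bits = rsa_modulus_bits(line)
        result[host] = (bits, bits >= required_bits)
    return result


# Constructed sample input standing in for `ssh-keyscan -t rsa` output. The moduli
# are dummies (not real RSA keys); only their bit length matters for this check.
SAMPLE_KEYSCAN = [
    "4451x-hq1.example.net " + encode_ssh_rsa(65537, (1 << 767) | 1),       # 768-bit
    "4451x-hq2.example.net " + encode_ssh_rsa(65537, (1 << 2047) | 1),      # 2048-bit
    "4451x-hq1-new.example.net " + encode_ssh_rsa(65537, (1 << 3071) | 1),  # 3072-bit
]

if __name__ == "__main__":
    for host, (bits, ok) in check_hosts(SAMPLE_KEYSCAN).items():
        verdict = "ok" if ok else f"REJECTED (< RequiredRSASize {OPENSSH_DEFAULT_REQUIRED_RSA_SIZE})"
        print(f"{host:28s} rsa {bits:5d} bits  {verdict}")
```

To run it against real devices, replace SAMPLE_KEYSCAN with the lines from `ssh-keyscan -t rsa <router>`. Two practical points once the key has been regenerated on the router: the host key fingerprint changes, so clients that already have the old key in known_hosts will see a host-key-changed warning until the stale entry is removed (`ssh-keygen -R <host>`), and the new fingerprint should be confirmed out of band before accepting it, for instance by feeding the `ssh-rsa AAA...` line from `show ip ssh` on the console into `fingerprint_sha256` and comparing it with what the client shows.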

 


3 Replies

You need to generate the key on both SW.

show crypto key mypubkey rsa <<- use this command to check whether the key has been added

TP-self key <<- this key is for smart licensing; it is not related to SSH

MHM

@Matthew Martin try to zeroize the current key and create a new RSA key.

crypto key generate rsa modulus 3072 label SSH_KEY
ip ssh rsa keypair-name SSH_KEY

Once done, run "show ip ssh" and this will confirm that "SSH_KEY"

More information - https://integrate.uk.com/securing-ios-xe-ssh/

 

Matthew Martin
Level 5

Thanks Rob!

Got the new key generated and assigned to ssh. All is well now!

4451X-HQ1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
...............
cut.............
...............
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): SSH_KEY
ssh-rsa AAA3...........................

Thanks Again,
Matt
