SSH will not enable on ISR4431

zstamm
Level 1

I am working on an ISR4431 that is running Cisco IOS XE Software, Version 16.03.06. For some reason, SSH version 2 will not activate on it.

I get an error message stating that I need to generate keys greater than 768 bytes for SSH version 2 to work. I have generated keys that are 4096 bytes in length. There are definitely keys in the key store, but for some reason they are not used. Am I not generating the correct type of key? What is the command looking for?

 

# show crypto key mypubkey all

% Key pair was generated at: 23:51:41 EST May 11 2018
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
On Cryptographic Device: act2 (label=act2, key index=24)
Usage: General Purpose Key
Key is not exportable.
Key Data:
<REMOVED>
% Key pair was generated at: 13:54:26 EST Aug 2 2018
Key name: XXXXXXXXXXXXXXXXX.XXXX.org
Key type: RSA KEYS
Storage Device: not specified
Usage: Encryption Key
Key is not exportable. Redundancy enabled.
Key Data:
<REMOVED>
% Key pair was generated at: 13:56:34 EST Aug 2 2018
Key name: XXXXXXXXXXXXXXXXX.XXXX.org.server
Key type: RSA KEYS
Storage Device: not specified
Usage: Encryption Key
Key is not exportable. Redundancy enabled.
Key Data:
<REMOVED>

7 Replies

Hi,
Try "crypto key zeroize rsa" then recreate the key pair.

This works for me:-
ip ssh version 2
ip domain-name DOMAIN.NAME
crypto key generate rsa modulus 2048

Optional:-
ip ssh client algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha1
ip ssh dh min size 2048

HTH

I tried zeroizing the RSA keys several times. I get the same error. It acts like the keys are not there.

I haven't tried the optional configurations that you posted. Does that just change the hash algorithm?

What is the actual error you get? At what point do you get this error, when you input the command or when you attempt to connect?

Yeah, those commands are optional, just defining the algorithms to use.

Leo Laohoo
Hall of Fame

cryp key generate rsa general-keys modulus 2048

I assume (it's hard to tell with this limited information) that you configured the key with a label, but did not specify that label when configuring SSH. Follow these steps closely and it really should work:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

 

I just noticed that the command "ip ssh rsa keypair-name <SSH-KEY Label>" isn't in most documentation or training materials. Is this a new step on this firmware or platform?

This command was introduced in 12.3(4)T, which is really long ago. And yes, it seems that many course designers are not aware of this. Still, I would consider this configuration a best practice.
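The diagnosis above (a key pair generated under a label that SSH was never told to use) and the generate/zeroize recipe earlier in the thread both come down to one question: does the key pair name the SSH server will look for actually exist in the key store? The script below is an added example, not code from the thread or from Cisco. It parses a constructed `show crypto key mypubkey all` listing modelled on the one in the original post (key names are placeholders, Key Data omitted) together with the relevant running-config lines, works out which pair SSH should use (the `ip ssh rsa keypair-name` label if set, otherwise hostname.domain-name, which is the IOS default), and reports a mismatch. The modulus size is not checked because it cannot be recovered once the Key Data is stripped.

```python
import re
from typing import Optional

# Constructed sample output in the shape of "show crypto key mypubkey all";
# names are placeholders and Key Data is removed, as in the original post.
SHOW_KEYS = """\
% Key pair was generated at: 23:51:41 EST May 11 2018
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
On Cryptographic Device: act2 (label=act2, key index=24)
Usage: General Purpose Key
Key is not exportable.
Key Data:
<REMOVED>
% Key pair was generated at: 13:54:26 EST Aug 2 2018
Key name: router1.example.org
Key type: RSA KEYS
Storage Device: not specified
Usage: Encryption Key
Key is not exportable. Redundancy enabled.
Key Data:
<REMOVED>
"""


def parse_keys(show_output: str) -> dict:
    """Map each 'Key name:' block to its Key type and Usage fields."""
    keys = {}
    current = None
    for line in show_output.splitlines():
        m = re.match(r"Key name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        for field, pat in (("type", r"Key type:\s*(.+)"), ("usage", r"Usage:\s*(.+)")):
            m = re.match(pat, line)
            if m:
                keys[current][field] = m.group(1).strip()
    return keys


def parse_config(config: str) -> dict:
    """Pull hostname, domain name, SSH version and keypair label out of config text."""
    cfg = {}
    for line in config.splitlines():
        line = line.strip()
        for key, pat in (("hostname", r"hostname\s+(\S+)"),
                         ("domain", r"ip domain[- ]name\s+(\S+)"),   # old and new spelling
                         ("keypair", r"ip ssh rsa keypair-name\s+(\S+)"),
                         ("version", r"ip ssh version\s+(\d)")):
            m = re.match(pat, line)
            if m:
                cfg[key] = m.group(1)
    return cfg


def expected_ssh_key(cfg: dict) -> Optional[str]:
    """Name of the RSA pair the SSH server looks for: the configured label, else hostname.domain."""
    if "keypair" in cfg:
        return cfg["keypair"]
    if "hostname" in cfg and "domain" in cfg:
        return f"{cfg['hostname']}.{cfg['domain']}"
    return None


def audit(config: str, show_output: str) -> list:
    """Return a list of findings; empty means the key SSH wants is present."""
    findings = []
    cfg = parse_config(config)
    keys = parse_keys(show_output)
    wanted = expected_ssh_key(cfg)
    if wanted is None:
        findings.append("no hostname/domain-name and no keypair-name: SSH has no key name to look for")
        return findings
    if wanted not in keys:
        findings.append(f"SSH expects key pair '{wanted}' but it is not in the key store; "
                        f"present: {sorted(keys)}")
    return findings


if __name__ == "__main__":
    # Label configured for SSH but never generated: the situation described in the thread.
    cfg = "hostname router1\nip domain-name example.org\nip ssh version 2\nip ssh rsa keypair-name SSH-KEY\n"
    for f in audit(cfg, SHOW_KEYS):
        print(f)
```

Run it against real `show running-config` and `show crypto key mypubkey all` output captured to files; an empty result means the name matches, and any remaining SSH failure is about the key itself (size or usage) rather than about which pair is selected.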
