Enable SSH V2

darp27609679
Level 1

Hi, I have a 2960 24TC-L switch with c2960-lanbasek9-mz.150-1.SE.bin and SSH v1 enabled.

When I try to enable SSH v2 the switch tells me that I have to create a crypto key rsa. I generated the crypto key rsa with 1024 bits and when I try to enable SSH v2 I receive the same message.


18 Replies

Peter Paluch
Cisco Employee

Hi Damian,

Can you please post the exact message the switch tells you when trying to enable the SSHv2? Just in case, SSH v1.99 means - strangely enough - that the switch is running both SSHv1 and SSHv2.

Best regards,

Peter

Hi Peter, I uploaded an image with the message. Thanks

Hi Damian,

Follow the procedure below to get SSH v2 enabled on your router.

Firstly, is SSH enabled?

router#sh ip ssh
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH.
Authentication timeout: 60 secs; Authentication retries: 5

In this case it's not. If you get an error saying that sh ip ssh is not
recognized, then you would know that SSH is not supported or possibly
that the command is different for your platform.

How to enable SSH on a Cisco 800 series

router# config term
router(config)#crypto key generate rsa usage-keys label router-key
The name for the keys will be: router-key
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

router(config)#
000047: *Mar 1 20:40:50.843 UTC: %SSH-5-ENABLED: SSH 1.99 has been enabled
router(config)#exit

According to the line above, SSH has been enabled; we can confirm this
by running the sh ip ssh command again.

router#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

router#

Now set the router up to accept SSH logins.

Usually it will anyway, because by default the transport is set to all:

transport preferred all
transport input all

But we want to change that:

Router#conf t

line vty 0 4
! access-list 1 (referenced by access-class below) is assumed to be defined elsewhere
access-class 1 in
exec-timeout 30 0
privilege level 15
login local
transport preferred ssh
transport input ssh
!
Write your config and test it.

Please rate the helpful posts.

Regards,

Naidu.

Yes, I have SSH enabled, see the image.

Thanks

So what is the issue you are facing?

Please rate the helpful posts.

Regards,

Naidu.

I want to upgrade to v2.

Peter Paluch
Cisco Employee

Damian,

I apologize for not checking the screenshots you have attached. Hmm, this is an interesting issue. Perhaps you have several RSA keypairs configured, and the SSH is using some short keypair that does not allow running SSHv2.

I suggest erasing all existing RSA keypairs using the crypto key zeroize rsa as follows:

configure terminal

crypto key zeroize rsa

% All RSA keys will be removed.

% All router certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

Then try generating a new RSA keypair anew:

configure terminal

crypto key generate rsa label ssh modulus 1024

The name for the keys will be: ssh

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 3 seconds)

This alone should make sure that SSH is able to run in SSHv2. In addition, I have given the keypair a special name that can be used to select it in diverse applications. We can make sure that SSH is using this particular RSA keypair using these commands:

configure terminal

ip ssh rsa keypair-name ssh

Then you should be able to run SSHv2. Can you verify that? Thanks!

Best regards,

Peter
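Added example, not code from the original posts or from Cisco: a client-side check for the state that Naidu's procedure and Peter's zeroize-and-regenerate procedure are meant to reach. Both the switch's `show ip ssh` output and the identification string it sends to a connecting client carry the protocol version. As Peter notes above, "1.99" is the RFC 4253 compatibility value meaning the server offers both SSHv1 and SSHv2; "2.0" means SSHv2 only, which is what you should see after `ip ssh version 2` takes effect. IOS will not accept `ip ssh version 2` unless an RSA keypair of at least 768 bits is present, which is why a leftover short keypair can block the upgrade; the 1024-bit modulus used in the thread clears that floor but is below current guidance of 2048 bits or more. The banner strings and `show ip ssh` text in the block are constructed test data, not captures from the poster's 2960; `probe()` performs a live read against a host you name.

```python
"""Check, from the client side, which SSH protocol versions a Cisco IOS device offers.

Added example for this thread; not code from the original posts or from Cisco.
RFC 4253 identification strings look like "SSH-protoversion-softwareversion";
"1.99" means the server speaks both 1.x and 2.0 (IOS reports this as
"version 1.99" in `show ip ssh`); after `ip ssh version 2` it should say "2.0".
"""
import re
import socket
from dataclasses import dataclass

# Constructed sample banners (not captures from the poster's switch).
CONSTRUCTED_BANNERS = {
    "thread's starting state (v1 and v2)": b"SSH-1.99-Cisco-1.25\r\n",
    "after 'ip ssh version 2'": b"SSH-2.0-Cisco-1.25\r\n",
    "v1 only": b"SSH-1.5-Cisco-1.25\r\n",
}


@dataclass(frozen=True)
class SshBanner:
    raw: str
    protoversion: str
    softwareversion: str

    @property
    def supports_v1(self) -> bool:
        # Any 1.x value, including the 1.99 compatibility flag, admits SSHv1 clients.
        return self.protoversion.startswith("1.")

    @property
    def supports_v2(self) -> bool:
        return self.protoversion in ("1.99", "2.0")

    @property
    def verdict(self) -> str:
        if self.protoversion == "2.0":
            return "SSHv2 only"
        if self.protoversion == "1.99":
            return "SSHv1 and SSHv2"
        if self.supports_v1:
            return "SSHv1 only"
        return "unknown"


def parse_banner(line: bytes) -> SshBanner:
    """Parse one identification line; raises ValueError if it is not one."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {text!r}")
    body = text[4:].split(" ", 1)[0]  # drop optional comments after the space
    proto, sep, software = body.partition("-")
    if not sep or not proto:
        raise ValueError(f"malformed identification string: {text!r}")
    return SshBanner(text, proto, software)


def parse_show_ip_ssh(output: str) -> tuple[bool, str]:
    """Return (enabled, version) from `show ip ssh` output in the form shown in the thread."""
    m = re.search(r"SSH (Enabled|Disabled)\s*-\s*version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'SSH Enabled/Disabled - version' line found")
    return m.group(1) == "Enabled", m.group(2)


def probe(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Read the server's identification string over TCP (live check, needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(32):  # RFC 4253 allows other text lines before the SSH- line
            line = reader.readline()
            if not line:
                break
            if line.startswith(b"SSH-"):
                return parse_banner(line)
    raise ConnectionError(f"{host}:{port} sent no SSH identification string")


def classify_samples() -> dict[str, str]:
    """Verdict for each constructed banner, keyed by its label."""
    return {name: parse_banner(raw).verdict for name, raw in CONSTRUCTED_BANNERS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:40s} -> {verdict}")
    # probe("192.0.2.1") would perform the same classification against a real device.
```

Run it against the switch before and after the zeroize/regenerate steps: a banner that still reads 1.99 after `ip ssh version 2` means the command did not take effect, which in this thread pointed at a stale short RSA keypair still being selected.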

Will I lose my connection when using SSH?

Thanks

Peter Paluch
Cisco Employee
(Accepted Solution)

Damian,

The current SSH session should not break during the recommended operation. However, for maximum resiliency, I would personally suggest using a different CLI access method (Console or Telnet) just to make sure the SSH session does not get corrupted. In any case, if the SSH session was closed before the SSH keys are generated anew, you would not be able to SSH into the device anymore.

Best regards,

Peter

Thanks! I removed the old RSA key and I can upgrade to SSH v2.

Just one note here: with a similar model and version, I had to log out of SSH and telnet in before I could successfully complete all steps (even though there was no warning about problems when trying to complete them while doing so). It appeared that the zeroize didn't actually work while the SSHv1 session was active.

Thanks a million, I was really stuck with this. Using your suggestion fixed everything. Now on ver 2

very helpful, thank you

Hi Peter,

Thank you, I tried this and it works for me. When I generated the RSA key and enabled SSH it showed disabled, but when I removed all the RSA keys and generated a new one it fixed the issue. Thanks
