
Import SSH Key on SG500-28P

gary.t.giesen
Level 1

I have a number of SG500-28P switches. I'm trying to migrate my server that does configuration backups of them (using SSH), but the new server doesn't support the small key sizes of the SG500.

There's nowhere in either the CLI or Web UI to set a key size, so I figured I'd try generating the key externally and then importing it.

I've tried various incantations of both ssh-keygen and puttygen to generate and import SSH keys in OpenSSH and ssh.com (SSH2) format, but all have failed with either "Key header is missing", "Wrong private key header format", or "Key fragment is not in uu-encoding format".

Has anyone been successful in getting a larger than default SSH key loaded on these devices?

 


balaji.bandi
Hall of Fame

What code is running on the SG500? Try upgrading to the latest firmware and test it.

I am sure you are following the guide below:

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-550x-series-stackable-managed-switches/KMGMT-1527-How-to-import-certificate-on-350-and-550-series-switches.html

Hope the old server is working as expected for your backup?

BB


I'm not trying to import a certificate, I'm trying to import an SSH private key. The particular switch I'm testing on is running 1.3.7.18 (yes I realize I should be on a newer version, but fortunately these switches are not Internet-accessible).

 

gary.t.giesen
Level 1

I did find the documentation on this:

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf#page=989

So at least I have the format (it looks like you need to import the public key in addition to the private key), and the example in the docs works, but I haven't yet been able to generate a key myself that will import.

Here's the example from the docs:

 

switchxxxxxx(config)# encrypted crypto key import rsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
84et9C2XUfcRlpemuGINAygnLwfkKJcDM6m2OReALHScqqLhi0wMSSYNlT1IWFZP1kEVHH
Fpt1aECZi7HfGLcp1pMZwjn1+HaXBtQjPDiEtbpScXqrg6ml1/OEnwpFK2TrmUy0Iifwk8
E/mMfX3i/2rRZLkEBea5jrA6Q62gl5naRw1ZkOges+GNeibtvZYSk1jzr56LUr6fT7Xu5i
KMcU2b2NsuSD5yW8R/x0CW2elqDDz/biA2gSgd6FfnW2HV48bTC55eCKrsId2MmjbExUdz
+RQRhzjcGMBYp6HzkD66z8HmShOU+hKd7M1K9U4Sr+Pr1vyWUJlEkOgz9O6aZoIGp4tgm4
VDy/K/G/sI5nVL0+bR8LFUXUO/U5hohBcyRUFO2fHYKZrhTiPT5Rw+PHt6/+EXKG9E+TRs
lUADMltCRvs+lsB33IBdvoRDdl98YaA2htZay1TkbMqCUBdfl0+74UOqa/b+bp67wCYKe9
yen418MaYKtcHJBQmF7sUQZQGP34VPmOMyZzon68S/ZoT77cy0ihRZx9wcI1yYhJnDiYxP
dgXHYhW6kCTcTj6LrUSQuxCJ9su89ZIWNn5OwdgonLSpvfnabv2GHmmelaveL7JJ/7UcfO
61q5D4PJ67Vk2xL7PqyHXN931rseTzPuJplkSLCFZ5uqTMbWWyQEKmHDlOx35vlGou5tky
9LgIwG4d+9edctZZaggeq5cgjnsZWJgUoB4Bn4hIreyOdHDiFUPPRxkoyhGOGnJuvxC9T9
K6BF1wBTdDQS+Gu47/0/gRoD/50q4sGkzqHsRJJ53WOT0Q1bHMTMLPpwn2nXzvfGxWL/bu
QhZZSqRonG6MX1cP7KT7i4TPq2w2k3TGtNBnVYHx6OoNcaTHmg1N2s5OgRsyXD9tF++6nY
RfMN8CsV+9jQKQP7ZaGc8Ju+d72jvSwppSr032HY+IpzZ4ujkK+/X5oawZL5NnkaEQTQKX
RSL55S4O5NPOjS/pC9hg7GaVjoY2mQ7HDpSUBeTIDTlvOwC2kskA9C6aF/Axj2dXLweQd5
lxk7m0/mMNaiJsNk6y33LcuKjIxpNNjK9n9KzRPkGNMFObprfenWKteDftjQ==
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
AAAAB3NzaC1yc2EAAAABIwAAAIEAvRHsKry6NKMKymb+yWEp9042vupLvYVq3ngt1sB9JH
OcdK/2nw7lCQguy1mLsX8/bKMXYSk/3aBEvaoJQ82+r/nRf0y3HTy4Wp9zV0SiVC8jLD+7
7t0aHejzfUhr0FRhWWcLnvYwr+nmrYDpS6FADMC2hVA85KZRye9ifxT7otE=
---- END SSH2 PUBLIC KEY ----

 

gary.t.giesen
Level 1

I've poked at this a bit more, even going so far as to import keys from other people's switches (as a test), and I've come to the conclusion that the switches don't support RSA key lengths longer than 1024 bits; so even if I figure out how to reproduce the key format (I've even tried with SSH.com's ssh-keygen-g3), it would be useless anyways.

I did however stumble on this article from Red Hat that apparently does allow you to drop SSH's minimum key length:

https://access.redhat.com/solutions/7062327

So I've effectively solved the issue, even if it's not really ideal.