04-01-2024 12:02 PM
I have a number of SG500-28P switches. I'm trying to migrate my server that does configuration backups of them (using SSH), but the new server doesn't support the small key sizes of the SG500.
There's nowhere in either the CLI or Web UI to set a key size, so I figured I'd try generating the key externally and then importing it.
I've tried various incantations of both ssh-keygen and puttygen to generate and import SSH keys in OpenSSH and ssh.com (SSH2) format, but all have failed with either "Key header is missing", "Wrong private key header format", or "Key fragment is not in uu-encoding format".
Has anyone been successful in getting a larger than default SSH key loaded on these devices?
04-01-2024 12:09 PM
What code is running on the SG500? Try upgrading to the latest firmware and test it.
I am sure you are following the guide below:
Hope the old server is working as expected for your backup?
04-01-2024 12:19 PM
I'm not trying to import a certificate, I'm trying to import an SSH private key. The particular switch I'm testing on is running 1.3.7.18 (yes I realize I should be on a newer version, but fortunately these switches are not Internet-accessible).
04-01-2024 02:26 PM - edited 04-01-2024 02:50 PM
I did find the documentation on this:
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf#page=989
So at least I have the format (it looks like you need to import the public key in addition to the private key), and the example in the docs works, but I haven't yet been able to generate a key myself that will import.
Here's the example from the docs:
switchxxxxxx(config)# encrypted crypto key import rsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key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==
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
AAAAB3NzaC1yc2EAAAABIwAAAIEAvRHsKry6NKMKymb+yWEp9042vupLvYVq3ngt1sB9JH
OcdK/2nw7lCQguy1mLsX8/bKMXYSk/3aBEvaoJQ82+r/nRf0y3HTy4Wp9zV0SiVC8jLD+7
7t0aHejzfUhr0FRhWWcLnvYwr+nmrYDpS6FADMC2hVA85KZRye9ifxT7otE=
---- END SSH2 PUBLIC KEY ----
04-01-2024 10:20 PM - edited 04-01-2024 10:23 PM
I've poked at this a bit more, even going so far as to import keys from other people's switches (as a test), and I've come to the conclusion that the switches don't support RSA key lengths longer than 1024 bits; so even if I figure out how to reproduce the key format (I've even tried with SSH.com's ssh-keygen-g3), it would be useless anyways.
I did however stumble on this article from Red Hat that apparently does allow you to drop SSH's minimum key length:
https://access.redhat.com/solutions/7062327
So I've effectively solved the issue, even if it's not really ideal.
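Added example, not part of the original thread or of Cisco's documentation: a Python check that decodes the SSH2 (RFC 4716) public key block from the documentation example quoted above and reports its RSA modulus size, which is the value a client's minimum key length setting is compared against. The function names are this example's own.

```python
import base64
import struct

# Public key block from the CLI guide example quoted in the thread above.
DOC_EXAMPLE = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
AAAAB3NzaC1yc2EAAAABIwAAAIEAvRHsKry6NKMKymb+yWEp9042vupLvYVq3ngt1sB9JH
OcdK/2nw7lCQguy1mLsX8/bKMXYSk/3aBEvaoJQ82+r/nRf0y3HTy4Wp9zV0SiVC8jLD+7
7t0aHejzfUhr0FRhWWcLnvYwr+nmrYDpS6FADMC2hVA85KZRye9ifxT7otE=
---- END SSH2 PUBLIC KEY ----
"""

def ssh2_blob(text):
    """Extract and decode the base64 body of an RFC 4716 public key block."""
    body, inside, continued = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            inside = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif inside and line:
            # Header lines look like "Tag: value"; a trailing "\" continues them.
            is_header = continued or ":" in line
            continued = is_header and line.endswith("\\")
            if not is_header:
                body.append(line)
    if not body:
        raise ValueError("no SSH2 public key body found")
    return base64.b64decode("".join(body), validate=True)

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)  # 4-byte big-endian length
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def rsa_key_info(text):
    """Return (modulus_bits, public_exponent) for an ssh-rsa public key."""
    fields = read_fields(ssh2_blob(text))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big").bit_length(), int.from_bytes(fields[1], "big")
```

Calling `rsa_key_info(DOC_EXAMPLE)` returns the modulus size in bits and the public exponent; the same function works on any ssh-rsa key exported in SSH2 format.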