1192 Views | 0 Helpful | 4 Replies

3560 not using new crypto key

Doug Engel (Level 1)

Hi

I have a 3560 running 12.2(25)SEE3 which has a 768-bit key. We need to replace that key with a 1024-bit key.

After I create the new key, it appears that the switch does not use it. Logging in with PuTTY and looking at the (PuTTY) log, I see the following:

2013-09-10 11:47:25    Host key fingerprint is:
2013-09-10 11:47:25    ssh-rsa 768 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
2013-09-10 11:47:25    Initialised AES-256 CBC client->server encryption
2013-09-10 11:47:25    Initialised HMAC-SHA1 client->server MAC algorithm

This is after I zeroized the key and then recreated it.

Thoughts?

Thanks

-Doug
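The PuTTY line "ssh-rsa 768 xx:xx:..." is the client's own reading of the host key the switch presented: the number is the bit length of the RSA modulus and the colon string is the MD5 fingerprint of the public key blob. The most reliable way to tell whether a regenerated key is actually being served is therefore to capture the presented key from the outside and decode it, before and after the change, and compare both size and fingerprint. The following is an added example, not code from the original post and not Cisco tooling: it encodes and parses ssh-rsa public key blobs in the RFC 4251 wire format, computes the key size and the MD5 and SHA-256 fingerprints, and checks a line in the "host ssh-rsa BASE64" form that ssh-keyscan -t rsa prints (that line format is assumed here). The hostname switch.example.net and the two moduli are constructed sample data; the moduli are not real RSA keys, only odd numbers of the relevant bit lengths, which is all the size check needs.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative SSH 'mpint': big-endian, with a leading 0x00 when the top bit is set."""
    if value == 0:
        return _ssh_string(b"")
    nbytes = (value.bit_length() + 8) // 8  # rounds up and reserves the sign byte when needed
    return _ssh_string(value.to_bytes(nbytes, "big"))


def encode_ssh_rsa(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field, refusing truncated input."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[start:end], end


def parse_ssh_rsa(blob: bytes):
    """Return (e, n) from an ssh-rsa blob; rejects other key types and trailing garbage."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {ktype!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def key_bits(blob: bytes) -> int:
    """Key size as PuTTY and ssh-keygen report it: the bit length of the modulus."""
    return parse_ssh_rsa(blob)[1].bit_length()


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the form shown in the PuTTY log."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH-style fingerprint: base64 SHA-256 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str):
    """Parse 'host ssh-rsa BASE64' as printed by ssh-keyscan -t rsa (format assumed here)."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError(f"unexpected line: {line!r}")
    return fields[0], base64.b64decode(fields[2])


def check_host_key(line: str, expected_bits: int) -> dict:
    """Report the size and fingerprints of the key a host presents, and whether the size matches."""
    host, blob = parse_keyscan_line(line)
    bits = key_bits(blob)
    return {
        "host": host,
        "bits": bits,
        "ok": bits == expected_bits,
        "md5": md5_fingerprint(blob),
        "sha256": sha256_fingerprint(blob),
    }


# Constructed sample data: these moduli are NOT real RSA keys, only odd numbers
# of the right bit length, which is all the size check and the encoding need.
E = 65537
OLD_N = (1 << 767) | 0xC0FFEE1   # 768 bits, like the key in the PuTTY log
NEW_N = (1 << 1023) | 0xC0FFEE1  # 1024 bits, the intended replacement
HOST = "switch.example.net"       # constructed hostname
OLD_LINE = f"{HOST} ssh-rsa " + base64.b64encode(encode_ssh_rsa(E, OLD_N)).decode()
NEW_LINE = f"{HOST} ssh-rsa " + base64.b64encode(encode_ssh_rsa(E, NEW_N)).decode()


if __name__ == "__main__":
    for line in (OLD_LINE, NEW_LINE):
        print(check_host_key(line, expected_bits=1024))
```

In practice the input line comes from the real switch, and the check is run once before zeroizing and once after regenerating. A size of 1024 alone is not proof that the new key is live; the fingerprint must also differ from the earlier capture. Clients that cache host keys, PuTTY included, will raise a changed-host-key warning on the first connection after a successful regeneration, so the absence of that warning is itself a sign that the switch is still presenting the old key.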

4 Replies

Marvin Rhoads (Hall of Fame)

Did you recreate using "crypto key generate rsa"?

You don't perhaps have a different keypair hardcoded, do you? (e.g. "ip ssh keypair-name ___")

router#crypto key zeroize rsa

then

router#crypto key gen rsa gen mod 1024

It seemingly generates the key as it should, but does not seem to be using it for ssh connections.

router#sh run | i ssh

ip ssh version 2

transport input ssh

transport input ssh

I don't think I am able to set a specific keypair for ssh.

Thanks

Hmmm.

If you try to ssh in anew after doing the zeroize but before regenerating is the connection accepted?

You do have an "ip domain-name" configured right? "crypto key gen rsa" should require it but I shouldn't assume...

Once I zeroize the "old" key out and before I create a new one, I am still able to ssh into the switch.

I do have an ip domain-name configured.

Wish I could reload with the new key and see if that resolves it.

Thanks
