09-10-2013 08:54 AM - edited 03-07-2019 03:23 PM
Hi
I have a 3560 running 12.2(25)SEE3 which has a 768 bit key. We need to replace that key with a 1024 bit key.
After I create the new key, it appears that the switch does not use it. Logging in with putty and looking at the (putty) log, I see the following:
2013-09-10 11:47:25 Host key fingerprint is:
2013-09-10 11:47:25 ssh-rsa 768 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
2013-09-10 11:47:25 Initialised AES-256 CBC client->server encryption
2013-09-10 11:47:25 Initialised HMAC-SHA1 client->server MAC algorithm
This is after I zeroized the key and then recreated it.
Thoughts?
Thanks
-Doug
09-10-2013 10:10 AM
Did you recreate using "crypto key generate rsa"?
You don't perhaps have a different keypair hardcoded, do you? (e.g. "ip ssh keypair-name ___")
09-10-2013 10:16 AM
router#crypto key zeroize rsa
then
router#crypto key gen rsa gen mod 1024
It seemingly generates the key as it should, but does not seem to be using it for ssh connections.
router#sh run | i ssh
ip ssh version 2
transport input ssh
transport input ssh
I don't think I am able to set a specific keypair for ssh.
Thanks
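An added example, not code from any poster in this thread: after zeroizing and regenerating, the only reliable way to know which key the switch is actually serving is to look at the host key presented on the wire (for example the `ssh-keyscan` output, or the `ssh-rsa 768 xx:...` line PuTTY logs) rather than at `show run`. The script below decodes an ssh-rsa public key blob (RFC 4253 wire format), reports the modulus size and the MD5 colon fingerprint that OpenSSH and PuTTY of that era display, and flags a device that is still presenting a key smaller than the target size or whose fingerprint still matches the zeroized key. The host name `switch3560`, the 768-bit and 1024-bit moduli, and the `check_rotation` helper are constructed for the example; the moduli are arbitrary integers of the right size, not real RSA keys, since only the wire format and sizes matter for this check.

```python
import base64
import hashlib
import re
import struct

# Constructed for this example: the key size the switch is being moved to.
TARGET_RSA_BITS = 1024


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, 0x00 prefix if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob (the base64 part of a keyscan line)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length


def parse_rsa_blob(blob: bytes) -> dict:
    """Return modulus size in bits and the MD5 colon fingerprint of the blob."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {keytype!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    n = int.from_bytes(n_raw, "big")  # a leading 0x00 pad byte does not change the value
    digest = hashlib.md5(blob).hexdigest()
    return {
        "bits": n.bit_length(),
        "e": int.from_bytes(e_raw, "big"),
        "fingerprint": ":".join(digest[i:i + 2] for i in range(0, 32, 2)),
    }


def parse_keyscan_line(line: str) -> dict:
    """Parse one 'host ssh-rsa AAAA...' line as printed by ssh-keyscan."""
    host, keytype, b64 = line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError(f"unsupported key type {keytype}")
    info = parse_rsa_blob(base64.b64decode(b64))
    info["host"] = host
    return info


PUTTY_HOSTKEY_RE = re.compile(r"ssh-rsa (\d+) (\S+)")


def parse_putty_hostkey_line(line: str):
    """Extract (bits, fingerprint) from a PuTTY log line like the one in the thread."""
    m = PUTTY_HOSTKEY_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def check_rotation(keyscan_line: str, stale_fingerprint: str,
                   min_bits: int = TARGET_RSA_BITS) -> list:
    """Findings that indicate the device is still serving the pre-rotation key."""
    info = parse_keyscan_line(keyscan_line)
    findings = []
    if info["bits"] < min_bits:
        findings.append(f"{info['host']}: host key is {info['bits']} bits, expected >= {min_bits}")
    if info["fingerprint"] == stale_fingerprint:
        findings.append(f"{info['host']}: fingerprint still matches the zeroized key")
    return findings


# Constructed sample data: arbitrary integers of the right bit length, not real RSA moduli.
OLD_BLOB = encode_rsa_blob(65537, (1 << 767) | 0x1234567)    # 768-bit, pre-rotation
NEW_BLOB = encode_rsa_blob(65537, (1 << 1023) | 0x7654321)   # 1024-bit, post-rotation
OLD_FINGERPRINT = parse_rsa_blob(OLD_BLOB)["fingerprint"]    # what the switch used to show


def keyscan_line(host: str, blob: bytes) -> str:
    """Format a blob the way ssh-keyscan prints a host key line."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    for blob in (OLD_BLOB, NEW_BLOB):
        line = keyscan_line("switch3560", blob)
        print(parse_keyscan_line(line)["bits"], check_rotation(line, OLD_FINGERPRINT) or "ok")
```

Run it against real `ssh-keyscan -t rsa <switch>` output by passing that line to `check_rotation` together with the fingerprint recorded before the zeroize; an empty findings list means the new key is in use, while a non-empty one means what the thread describes, the switch still answering with the old key.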
09-10-2013 10:36 AM
Hmmm.
If you try to ssh in anew after doing the zeroize but before regenerating is the connection accepted?
You do have an "ip domain-name" configured right? "crypto key gen rsa" should require it but I shouldn't assume...
09-10-2013 10:58 AM
Once I zeroize the "old" key out and before I create a new one, I am still able to ssh into the switch.
I do have an ip domain-name configured.
Wish I could reload with the new key and see if that resolves it.
Thanks