
3560 not using new crypto key

Doug Engel
Level 1

Hi

I have a 3560 running 12.2(25)SEE3 which has a 768 bit key.  We need to replace that key with a 1024 bit key. 

After I create the new key, it appears that the switch does not use it.  Logging in with putty and looking at the (putty) log, I see the following:

2013-09-10 11:47:25    Host key fingerprint is:

2013-09-10 11:47:25    ssh-rsa 768 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

2013-09-10 11:47:25    Initialised AES-256 CBC client->server encryption

2013-09-10 11:47:25    Initialised HMAC-SHA1 client->server MAC algorithm

This is after I zeroized the key and then recreated it.

Thoughts?

Thanks

-Doug

4 Replies

Marvin Rhoads
Hall of Fame

Did you recreate using "crypto key generate rsa"?

You don't perhaps have a different keypair hardcoded, do you? (e.g. "ip ssh keypair-name ___")

router#crypto key zeroize rsa

then

router#crypto key gen rsa gen mod 1024

It seemingly generates the key as it should, but does not seem to be using it for ssh connections.

router#sh run | i ssh

ip ssh version 2

transport input ssh

transport input ssh

I don't think I am able to set a specific keypair for ssh.

Thanks

Hmmm.

If you try to ssh in anew after doing the zeroize but before regenerating is the connection accepted?

You do have an "ip domain-name" configured right? "crypto key gen rsa" should require it but I shouldn't assume...

Once I zeroize the "old" key out and before I create a new one, I am still able to ssh into the switch.

I do have an ip domain-name configured.

Wish I could reload with the new key and see if that resolves it.

Thanks
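The thread relies on the PuTTY log line "ssh-rsa 768 xx:xx:..." to tell whether the switch is presenting the old 768-bit host key or the regenerated 1024-bit one. On the switch itself, "show crypto key mypubkey rsa" lists the keys that exist, but that does not prove which one the SSH server is actually offering; the decisive check is the key the client receives. The following is an added example, not code from the thread or from Cisco: it parses an OpenSSH-format "ssh-rsa AAAA..." line (the form written by ssh-keyscan or found in a known_hosts file), derives the RSA modulus size, and computes the colon-separated MD5 fingerprint, which is the format PuTTY printed in that era. The two sample key lines are constructed inline from a made-up modulus of a chosen bit length, so they parse correctly but are not real device keys; a practitioner would feed in the line ssh-keyscan returns for the switch.

```python
import base64
import hashlib
import struct

MINIMUM_RSA_BITS = 1024  # policy threshold the thread is trying to reach


def _encode_ssh_string(data):
    # SSH wire "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _encode_mpint(value):
    # SSH "mpint": big-endian two's complement; a leading 0x00 keeps positive
    # values whose top bit is set from being read as negative
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_ssh_string(raw)


def make_ssh_rsa_line(modulus_bits):
    # Constructed sample: a modulus with exactly modulus_bits bits (top and
    # bottom bit set). It is NOT a real RSA modulus, only a parseable blob.
    e = 65537
    n = (1 << (modulus_bits - 1)) | 1
    blob = _encode_ssh_string(b"ssh-rsa") + _encode_mpint(e) + _encode_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def _read_ssh_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated ssh-rsa key blob")
    return blob[start:start + length], start + length


def parse_ssh_rsa_key(line):
    """Parse one 'ssh-rsa AAAA...' line (optionally preceded by a host name,
    as in ssh-keyscan output or known_hosts). Returns (bits, md5_fingerprint)."""
    fields = line.split()
    try:
        idx = fields.index("ssh-rsa")
    except ValueError:
        raise ValueError("not an ssh-rsa host key line")
    blob = base64.b64decode(fields[idx + 1])
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type mismatch: %r" % key_type)
    _e_bytes, off = _read_ssh_string(blob, off)
    n_bytes, _off = _read_ssh_string(blob, off)
    # int.from_bytes ignores the mpint sign byte, so bit_length is the modulus size
    modulus_bits = int.from_bytes(n_bytes, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return modulus_bits, fingerprint


def check_host_key(line, minimum_bits=MINIMUM_RSA_BITS):
    """Report the key size the device presents and whether it meets policy."""
    bits, fingerprint = parse_ssh_rsa_key(line)
    return {"bits": bits, "fingerprint": fingerprint, "ok": bits >= minimum_bits}


# Constructed stand-ins for the key the switch offered before and after regeneration
OLD_KEY_LINE = "switch.example.invalid " + make_ssh_rsa_line(768)
NEW_KEY_LINE = "switch.example.invalid " + make_ssh_rsa_line(1024)

if __name__ == "__main__":
    for label, line in (("before", OLD_KEY_LINE), ("after", NEW_KEY_LINE)):
        result = check_host_key(line)
        print("%s: ssh-rsa %d %s  policy ok: %s"
              % (label, result["bits"], result["fingerprint"], result["ok"]))
```

If the line captured from the device still reports 768 bits after "crypto key generate rsa", the server is still serving the earlier key, which is what the PuTTY log in the first post shows; the fingerprint lets you match the offered key against the one listed on the switch.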
