11-24-2017 06:01 AM - edited 03-08-2019 12:52 PM
Hello,
I am the main administrator of two ASR-1001-X that I can normally reach by SSH once I'm connected through the VPN.
I did an update on my laptop and OpenSSH is now "OpenSSH_7.6p1 Debian-2, OpenSSL 1.0.2m 2 Nov 2017"
I can connect without any issue to one of them, but the second device is causing me problems...
On my laptop SSH tells me: ssh_dispatch_run_fatal: Connection to X.X.X.X port 22: Invalid key length
I tried many things like defining different "Ciphers", "Hmac", "HostKey Algorithms" but I still have the issue. (I am able to connect to the device from other points.)
What is strange is that the two ASR-1001-X have exactly the same SSH configuration. Same hardware. ISO configuration (Hub & Spoke scheme with two identical hubs)
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 4
Minimum expected Diffie Hellman key size : 1024 bits
I can provide more information if necessary.
Thanks a lot in advance.
11-24-2017 06:03 AM
12-20-2017 05:45 AM
Hello!
According to https://www.openssh.com/releasenotes.html , support for RSA keys < 1024 was removed.
Looks like one of your routers has an RSA key with a 1024-bit length, the second has 2048 or more.
Unfortunately, there is no way to show the modulus length on the IOS device, so you need to:
1) connect to the "problem" router from a Linux box with an ssh version below 7.6
2) run the command "crypto key generate rsa modulus 2048" in configuration mode
3) connect to the "problem" router from ssh version 7.6. You will get a warning that the fingerprint has changed. You can avoid this with the 'ssh-keygen -R' command with the IP of the router as an argument.
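An added example, not part of either post: a way to read the RSA modulus length from the client side by parsing the host's `ssh-rsa` public key line (the SSH wire format is a key type string, then exponent, then modulus). The 1024-bit threshold is taken from the reply above; the helper names and the sample keys are constructed for illustration and are not real host keys.

```python
import base64
import struct

MIN_RSA_BITS = 1024  # minimum cited in the reply above; adjust to local policy


def _read_string(blob, offset):
    """Read one RFC 4251 'string': uint32 length followed by that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def rsa_modulus_bits(pubkey_line):
    """Return the modulus size in bits of an 'ssh-rsa AAAA...' public key line."""
    fields = pubkey_line.split()
    # known_hosts / ssh-keyscan lines put the host name before the key type
    idx = fields.index("ssh-rsa")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("inner key type is not ssh-rsa")
    _e, off = _read_string(blob, off)   # public exponent (mpint)
    n, off = _read_string(blob, off)    # modulus (mpint, may carry a leading 0x00)
    return int.from_bytes(n, "big").bit_length()


def is_accepted(pubkey_line, minimum=MIN_RSA_BITS):
    """True when the key meets the minimum modulus length."""
    return rsa_modulus_bits(pubkey_line) >= minimum


def _constructed_key(bits, host="192.0.2.1"):
    """Build a well-formed ssh-rsa line with a dummy modulus (not a real key)."""
    def mpint(value):
        raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps sign byte
        return struct.pack(">I", len(raw)) + raw
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    for bits in (768, 1024, 2048):
        line = _constructed_key(bits)
        print(bits, rsa_modulus_bits(line), "ok" if is_accepted(line) else "too short")
```

Real input for `rsa_modulus_bits` can come from `ssh-keyscan -t rsa` output or from a `known_hosts` entry for the router.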
01-22-2018 06:25 AM