ASR-1001-X - ssh invalid key length

Clément
Level 1

Hello,

I am the main administrator of two ASR-1001-X that I can normally reach by SSH once I'm connected through the VPN.

I did an update on my laptop and OpenSSH is now "OpenSSH_7.6p1 Debian-2, OpenSSL 1.0.2m 2 Nov 2017".

I can connect without any issue to one of them, but the second device is causing me problems...

On my laptop SSH tells me: ssh_dispatch_run_fatal: Connection to X.X.X.X port 22: Invalid key length

I tried many things like defining different "Ciphers", "MACs" and "HostKeyAlgorithms", but I still have the issue. (I am able to connect to the device from other points.)

What is strange is that the two ASR-1001-X have exactly the same SSH configuration. Same hardware. ISO configuration (Hub & Spoke scheme with two identical HUBs).

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 4
Minimum expected Diffie Hellman key size : 1024 bits

I can provide more information if necessary.

Thanks a lot in advance.

3 Replies

Clément
Level 1
I also tried to change the Diffie Hellman key size to 4096 on the HUB, but it's no better.

cisco-poland
Level 1

Hello!

According to https://www.openssh.com/releasenotes.html , support for RSA keys < 1024 bits was removed.

It looks like one of your routers has an RSA key of 1024 bits in length, and the second has 2048 or more.

Unfortunately, there is no way to show the modulus length on the IOS device, so you need to

1) connect to the "problem" router from a Linux box with an ssh version below 7.6

2) run the command "crypto key generate rsa modulus 2048" in configuration mode

3) connect to the "problem" router from ssh version 7.6. You will get a warning that the fingerprint has changed. You can clear this with the 'ssh-keygen -R' command, with the IP of the router as an argument.
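The modulus length can also be read from the client side, because the ssh-rsa host key blob carries the modulus in clear. The following is an added example, not code from this thread or from Cisco: it parses a host key line in the format ssh-keyscan prints and reports the RSA modulus length against OpenSSH 7.6's 1024-bit minimum. The hostnames and key material are constructed for the demonstration and are not real router keys (in practice, saving ssh-keyscan output to a file and running ssh-keygen -lf on it gives the same number).

```python
import base64
import struct

# OpenSSH 7.6 refuses RSA keys shorter than this (per its release notes).
MIN_RSA_BITS = 1024


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # length-prefixed SSH string (RFC 4251)


def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian bytes, with a 0x00 pad byte when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_blob(modulus: int, exponent: int = 65537) -> str:
    """Base64 ssh-rsa blob in the form ssh-keyscan prints it (constructed key)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return base64.b64encode(blob).decode("ascii")


def rsa_modulus_bits(keyscan_line: str) -> int:
    """Modulus length in bits from a '<host> ssh-rsa <base64>' line."""
    _host, keytype, b64 = keyscan_line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {keytype}")
    blob, fields, offset = base64.b64decode(b64), [], 0
    while offset < len(blob):  # walk the three length-prefixed fields: type, e, n
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    # A leading 0x00 pad byte, when present, does not add to the bit length.
    return int.from_bytes(fields[2], "big").bit_length()


# Constructed sample host keys, NOT real router keys: the "modulus" is just an
# odd number with the top bit set at the chosen length, enough for the parser.
SAMPLE_LINES = [
    "hub1.example.invalid ssh-rsa " + build_ssh_rsa_blob((1 << 2047) | 1),
    "hub2.example.invalid ssh-rsa " + build_ssh_rsa_blob((1 << 767) | 1),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        bits = rsa_modulus_bits(line)
        print(line.split()[0], bits, "ok" if bits >= MIN_RSA_BITS else "rejected by OpenSSH >= 7.6")
```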

Hello,
Thanks for your reply!
I will try this as soon as possible and let you know if my issue is solved.
Best,