Auto Save SSH on Cisco 3750

flexkikr11
Level 1

I purchased a used cisco 3750 switch. I can set it up with no issue. When I do a show run, I can see that a crypto pki trustpoint and certificate was added. I can try removing it, but it will just add itself back in after a reload. After some searches, I believe that this self-signed cert is coming from the private-config.text file. If I delete it, it will just come back after a reload. I cannot copy it to tftp either (permission denied). I wanted to back it up and see if I can edit or at least look at it.

I have tried to wipe out the switch by holding down the mode button. It will clear the switch and rename the config files in flash. The crypto lines are gone until I decide to make some config changes and do a reload. The crypto lines come back and the private-config.text file comes back again. Another file also comes back in flash; the multiple-fs file. I believe that this is just to access the switch via SDM. Any suggestions? Thank you.

Switch>
Switch>
Switch>en
Switch#sh run
Building configuration...

Current configuration : 2988 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
!
!
!
!         
crypto pki trustpoint TP-self-signed-2447457024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2447457024
 revocation-check none
 rsakeypair TP-self-signed-2447457024
!
!
crypto pki certificate chain TP-self-signed-2447457024
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343437 34353730 3234301E 170D3933 30333031 30303031
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34343734
  35373032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A89D A03DD931 36F3DE9D 8202F6E6 8478B379 C0C2E515 C22F3144 527AFD1F
  BA9B2F8C 515E6F4B 1B3A3C7D 78C3B9D0 42CAF875 A1EFCDFD FD7F2F44 8BE139D7
  AB334BDC F36F8CDD 197A75B3 0DC13E57 7B067BDD 54F7BB80 2CED64E9 3B789A41
  88578B71 F6D3A57E 114D16AC 547F0155 750C9DB7 2B1650F9 464A0FEC 3C7EB1BC
  0AB50203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 14A9ACD4
  3880D7F1 4971E716 EF174562 20523555 4A301D06 03551D0E 04160414 A9ACD438
  80D7F149 71E716EF 17456220 5235554A 300D0609 2A864886 F70D0101 04050003
  81810063 7AC772F1 E4B56558 DFD44ADA 95CF060B 97BBBBF8 B4DC3469 3F4B284F
  D505830D 0CBC25F8 2B9D042B 8CFA2419 2D96D701 3647B6F8 AEAD555C 759B499E
  B0346E86 93154397 86E03B5B 254C6D55 7BF86B31 7DB50591 986A105A 28B0DAE7
  C705BFDC 7EE2863C 350E994D F3605232 BC7894D2 591879C5 3518E2E7 A2B68296 0D2BAD
  quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!         
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

Switch#sh ver
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Mon 03-Mar-14 22:44 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Switch uptime is 18 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipbasek9-mz.122-55.SE9.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750-24P (PowerPC405) processor (revision R0) with 131072K bytes of memory.
Processor board ID FDO1230Z1RK
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:22:91:E1:3B:00
Motherboard assembly number     : 73-9672-10
Power supply part number        : 341-0029-05
Motherboard serial number       : FDO12300FKF
Power supply serial number      : LIT12260J96
Model revision number           : R0
Motherboard revision number     : A0
Model number                    : WS-C3750-24PS-S
System serial number            : FDO1230Z1RK
Top Assembly Part Number        : 800-25860-05
Top Assembly Revision Number    : A0
Version ID                      : V06
CLEI Code Number                : COMU410ARA
Hardware Board Revision Number  : 0x01


Switch Ports Model              SW Version            SW Image                 
------ ----- -----              ----------            ----------               
*    1 26    WS-C3750-24P       12.2(55)SE9           C3750-IPBASEK9-M         


Configuration register is 0xF

Switch#
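The certificate block that IOS prints under "crypto pki certificate chain" is the DER encoding of an X.509 certificate, so the certificate itself can be inspected straight from the show run output, without getting at private-config.text. The script below is an added example for this thread (not Cisco's code and not the poster's): SHOW_RUN is a constructed excerpt of a running configuration, but the certificate bytes in it are the ones posted above, and the function names and the list of checks are my own choices. It walks the DER with a small tag-length-value reader (standard library only) and reports what a defender would look at first on an auto-generated HTTPS certificate: who issued it, when it claims to have been created, how it is signed, how big the key is, and whether the configuration line that causes IOS to regenerate it is present.

```python
"""Audit the self-signed certificate an IOS switch prints under 'crypto pki
certificate chain' in show run. Added example for this thread, not Cisco's or
the poster's code. SHOW_RUN is a constructed excerpt; the hex is the thread's."""
import re
from datetime import datetime

SHOW_RUN = """\
crypto pki certificate chain TP-self-signed-2447457024
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343437 34353730 3234301E 170D3933 30333031 30303031
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34343734
  35373032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A89D A03DD931 36F3DE9D 8202F6E6 8478B379 C0C2E515 C22F3144 527AFD1F
  BA9B2F8C 515E6F4B 1B3A3C7D 78C3B9D0 42CAF875 A1EFCDFD FD7F2F44 8BE139D7
  AB334BDC F36F8CDD 197A75B3 0DC13E57 7B067BDD 54F7BB80 2CED64E9 3B789A41
  88578B71 F6D3A57E 114D16AC 547F0155 750C9DB7 2B1650F9 464A0FEC 3C7EB1BC
  0AB50203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 14A9ACD4
  3880D7F1 4971E716 EF174562 20523555 4A301D06 03551D0E 04160414 A9ACD438
  80D7F149 71E716EF 17456220 5235554A 300D0609 2A864886 F70D0101 04050003
  81810063 7AC772F1 E4B56558 DFD44ADA 95CF060B 97BBBBF8 B4DC3469 3F4B284F
  D505830D 0CBC25F8 2B9D042B 8CFA2419 2D96D701 3647B6F8 AEAD555C 759B499E
  B0346E86 93154397 86E03B5B 254C6D55 7BF86B31 7DB50591 986A105A 28B0DAE7
  C705BFDC 7EE2863C 350E994D F3605232 BC7894D2 591879C5 3518E2E7 A2B68296 0D2BAD
  quit
!
ip http secure-server
end
"""

def certificate_hex(show_run):
    """Return the hex dump between ' certificate ...' and ' quit' as one string."""
    m = re.search(r"^\s+certificate [^\n]*\n(.*?)^\s+quit", show_run, re.M | re.S)
    return re.sub(r"\s", "", m.group(1))

def read_tlv(buf, pos=0):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """All (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def common_name(name_der):
    """Name -> RDN SET -> AttributeTypeAndValue; return the CN (OID 2.5.4.3)."""
    for _, rdn in children(name_der):
        for _, attr in children(rdn):
            (_, oid), (_, value) = children(attr)
            if oid == bytes.fromhex("550403"):
                return value.decode("ascii")
    return None

def utc_time(value):
    """UTCTime YYMMDDHHMMSSZ; RFC 5280 maps YY >= 50 to 19YY, else 20YY."""
    s = value.decode("ascii")
    yy = int(s[:2])
    return datetime(1900 + yy if yy >= 50 else 2000 + yy,
                    *(int(s[k:k + 2]) for k in range(2, 12, 2)))

def parse_certificate(cert_hex):
    """Pull serial, names, validity, signature OID and RSA size out of the DER."""
    der = bytes.fromhex(cert_hex)
    tag, cert, end = read_tlv(der)
    assert tag == 0x30 and end == len(der), "hex dump is not one complete DER SEQUENCE"
    tbs, sig_alg, _sig = children(cert)
    fields = children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0                # skip [0] EXPLICIT version
    serial, _alg, issuer, validity, subject, spki = fields[i:i + 6]
    not_before, not_after = [utc_time(v) for _, v in children(validity[1])]
    _, bitstr = children(spki[1])                       # BIT STRING holding RSAPublicKey
    modulus, _exp = children(children(bitstr[1][1:])[0][1])
    return {
        "serial": int.from_bytes(serial[1], "big"),
        "issuer_cn": common_name(issuer[1]),
        "subject_cn": common_name(subject[1]),
        "not_before": not_before,
        "not_after": not_after,
        "signature_oid": children(sig_alg[1])[0][1].hex(),
        "rsa_bits": int.from_bytes(modulus[1], "big").bit_length(),
    }

def audit(show_run):
    """Return (certificate fields, findings) for a saved show run."""
    info = parse_certificate(certificate_hex(show_run))
    lines = {line.strip() for line in show_run.splitlines()}
    checks = [
        ("ip http secure-server" in lines,
         "ip http secure-server is on: IOS regenerates a self-signed certificate at boot if none is stored"),
        (info["signature_oid"] == "2a864886f70d010104", "signed with md5WithRSAEncryption"),
        (info["rsa_bits"] < 2048, f"RSA key is only {info['rsa_bits']} bits"),
        (info["not_before"].year < 2000,
         f"notBefore {info['not_before'].date()}: generated before the clock was set (IOS starts at 1993-03-01)"),
    ]
    return info, [msg for hit, msg in checks if hit]
```

Run against the posted certificate, audit() returns subject and issuer both "IOS-Self-Signed-Certificate-2447457024", serial 1, a 1024-bit RSA key, an MD5 signature, and a validity period starting 1 March 1993 at 00:01:43, which is the IOS default clock plus the time it took the switch to boot and generate the key. All four findings fire, and the first one is the point of the accepted answer: as long as "ip http secure-server" is in the configuration, the certificate will be created again on the next boot no matter how often the trustpoint is deleted.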

Accepted Solution

ghostinthenet
Level 7

This doesn't actually have anything to do with SSH, which only needs RSA keys rather than certificates. It's all generated because you have "ip http secure-server" in your configuration, which does need a certificate and will auto-generate one on boot if it doesn't have one. If you want it gone, just do a "no ip http secure-server" in your configuration, remove the certificate and trustpoint, zeroize the RSA key, save and reload. That should clear everything up.

5 Replies

Hi Jody, thanks for the reply. How come, even after formatting the flash or the whole thing from the switch: rommon and reloading a different IOS via xModem, as soon as I slap a config to the switch and reload it, the crypto commands are back? I can delete the trustpoint, but when I try to delete the certificate chain, it says I have to delete the trustpoint (that I just deleted). A show run will bring up the config without the crypto information, but when I copy changes to the startup-config and reload...they are back. Ugg!

Your "ip http secure-server" command in the configuration is causing the certificate to regenerate on boot. Take that out and the behaviour should stop.

Thanks so much Jodie! I really appreciate your help here!

I went on reformatting the whole thing on switch:rommon and then recovered IOS via xModem, which took bloody almost 4 hours, and then as soon as I slap a config to the switch and reload it, the crypto commands are back. I can delete the trustpoint, but when I try to delete the certificate chain, it says I have to delete the trustpoint (that I just deleted). A show run will bring up the config without the crypto information, but when I copy changes to the startup-config and reload...they are back. Ugg!
