Change SSH Key in Cisco Nexus Switch

johnlloyd_13
Level 9

Hi,

Our Cisco Nexus switch got flagged for using a "weak" SSH key.

The previous admin probably forgot to generate the "proper" SSH/RSA 2048-bit key.

Can I do this remotely, changing this on the fly? Meaning, I generate a new SSH/RSA 2048-bit key without losing my SSH session?

Or do I temporarily enable "feature telnet", telnet to the Nexus switch, generate the SSH 2048-bit key, then disable telnet?

SW# sh ssh server
ssh version 2 is enabled

SW# sh ssh key
**************************************
rsa Keys generated:Thu Apr 7 05:12:15 2005

ssh-rsa AAAAB3NzaCxxx

bitcount:1024
fingerprint:

SW(config)# crypto key generate rsa label Switch modulus ?
<512-2048> Key-pair size

(config)# feature t?
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet

1 Accepted Solution

Accepted Solutions

M02@rt37
VIP

Hello @johnlloyd_13 

You can generate a new RSA key on your Nexus remotely over SSH without dropping your current session. The change only affects new connections; the existing session stays active.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

4 Replies

balaji.bandi
Hall of Fame

I suggest doing this command on the LAN or from the console (to be on the safe side).

In most cases that should work remotely (enable telnet or any other method to connect) while changing.

Sometimes we cut our own branch..

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leo Laohoo
Hall of Fame

I do this remotely with Catalyst switches. Never tried with Nexus but the situation should be the same as Catalyst switches and routers.

pieterh
VIP

Isn't the key used for initiating the SSH session?
After the key exchange and subsequent phases are complete and the session is established, it will remain active and you can
- generate a new key
- test the key by initiating a second session, keeping the current session active to make corrections if needed.

https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/222335-understand-secure-shell-packet-exchange.html 
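A check for the concern in this thread, written as an added example and not code from the thread or from Cisco: it parses an `ssh-rsa` public key line (the format shown in the `show ssh key` output above, or what `ssh-keyscan` returns for the switch) and reports the modulus size, so the new key can be confirmed as 2048-bit from the second session before the old one is closed. The sample keys are constructed with synthetic moduli, not real switch keys.

```python
import base64
import struct

def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[offset + 4:end], end

def rsa_bits_from_openssh(key_line: str) -> int:
    """Return the RSA modulus size in bits for an 'ssh-rsa AAAA...' public key line."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match ssh-rsa")
    _exponent, off = _read_string(blob, off)   # public exponent e (mpint), not needed here
    modulus, off = _read_string(blob, off)     # modulus n (mpint, may carry a 0x00 sign pad)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(modulus, "big").bit_length()

def is_weak_host_key(key_line: str, minimum_bits: int = 2048) -> bool:
    """True when the key is below the size the scanner in this thread expects."""
    return rsa_bits_from_openssh(key_line) < minimum_bits

def _encode_ssh_rsa(e: int, n: int) -> str:
    """Build a public key line from (e, n); used only to construct sample input."""
    def mpint(v: int) -> bytes:
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:
            b = b"\x00" + b                    # keep the mpint positive
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

# Constructed sample keys (synthetic moduli, not real switch keys).
SAMPLE_1024 = _encode_ssh_rsa(65537, (1 << 1023) | 0x1234567)
SAMPLE_2048 = _encode_ssh_rsa(65537, (1 << 2047) | 0x1234567)

if __name__ == "__main__":
    for label, key in (("old", SAMPLE_1024), ("new", SAMPLE_2048)):
        print(label, rsa_bits_from_openssh(key), "WEAK" if is_weak_host_key(key) else "ok")
```

To check a live switch, feed it one line of `ssh-keyscan -t rsa <switch>` output (the host part stripped) or the `ssh-rsa ...` line copied from `show ssh key`.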
