May I disable "ip http secure-server" if I have SSH configured?

ccnaluna93
Level 1

Hello,

In order to activate SSH I have configured "ip http secure-server" command to generate some kind of a crypto key or certification, then I disable that command and SSH still works, but I don't know if SSH will work after a reload, I cannot test because it is a production router.

Do you know about this?

Thanks in advance!

Accepted Solution

Hello,

on a side note and in addition to the other posts, I think your 'confusion' comes from the fact that enabling 'ip http secure-server' automatically generates the RSA key that is also required by SSH:

R4(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...

R4(config)#
*Nov 29 19:01:22.986: %SSH-5-ENABLED: SSH 1.99 has been enabled

The RSA key can also be generated by issuing the command:

crypto key generate rsa general-keys modulus 1024 (or 2048)

without enabling 'ip http secure-server'.

So, you don't need to enable 'ip http secure-server' at all to use SSH, just generate the RSA key with the 'crypto key generate' command as mentioned above.

Does that make sense ?

9 Replies

Reza Sharifi
Hall of Fame

Hi,

"ip http secure-server" is for HTTPS authentication to the device. It uses port 443.

SSH is a different protocol and uses port 22. There is no need to enable "ip http secure-server" if you are using SSH only.

HTH

It's as Reza notes.

(We have many Cisco devices that support SSH but have disabled http and https. They continue to do so across reloads.)

But SSH doesn't work if I don't enable the "ip http secure-server" command on the router.

This is the result of the command:

AUTLAN_R01(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

AUTLAN_R01(config)#

After using this command I can get into the router by ssh, and I can enable SSH version 2.

Hello

@ccnaluna93 wrote:

But SSH doesn't work if I don't enable the "ip http secure-server" command on the router.

After using this command I can get into the router by ssh, and I can enable SSH version 2.

You mean it doesn't work for https access? - as others have stated you shouldn't need to have ip http secure-server enabled.


What is required:

ip domain-name xxxx
crypto key generate rsa general-keys modulus 1024/2048

line vty 0 x
transport input ssh

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
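To check a running-config against the points made in this thread (domain name and SSH-only vty lines present, HTTP/HTTPS not needed and switched off), here is an added audit script that is not from the original thread or from Cisco. The two config excerpts, hostname and domain name are constructed for the example; the RSA key itself does not appear in the running-config and is confirmed separately with "show crypto key mypubkey rsa".

```python
import re

# Two constructed running-config excerpts (hostname and domain are made up).
# BEFORE mirrors the thread: HTTPS turned on to get an RSA key, vty at default.
BEFORE = """\
hostname AUTLAN_R01
ip domain-name example.lab
ip http secure-server
line vty 0 4
 login local
"""
# AFTER is what the replies describe as sufficient for SSH, with HTTP(S) off.
AFTER = """\
hostname AUTLAN_R01
ip domain-name example.lab
ip ssh version 2
no ip http server
no ip http secure-server
line vty 0 4
 login local
 transport input ssh
"""

def audit_ssh_config(config: str) -> dict:
    """Named boolean checks: the SSH prerequisites listed in the thread,
    plus whether the HTTP/HTTPS servers are still switched on."""
    config = config.rstrip("\n") + "\n"
    lines = [l.rstrip() for l in config.splitlines()]
    checks = {
        "domain_name_set": any(l.startswith("ip domain-name ") for l in lines),
        "ssh_version_2": "ip ssh version 2" in lines,
        # Flag the enabling line itself: whether the 'no' form is printed
        # depends on the platform default, so its absence proves nothing.
        "http_enabled": "ip http server" in lines,
        "https_enabled": "ip http secure-server" in lines,
    }
    # Every 'line vty' block must carry exactly 'transport input ssh';
    # a block without a transport line is at the IOS default (all protocols).
    vty_blocks = re.findall(r"^line vty .*\n((?: .*\n)*)", config, re.M)
    checks["vty_ssh_only"] = bool(vty_blocks) and all(
        re.search(r"^ transport input ssh$", b, re.M) for b in vty_blocks
    )
    return checks

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_ssh_config(cfg))
```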

Ok, if you are trying to access it for the first time, you can use https to gain access to the switch and then enable ssh and turn off https. You can also use telnet and then once the SSH is enabled, you can disable telnet.

HTH

Some time ago I wrote a little guide on how to setup SSH in a more secure fashion. All you need is included and there are no needs to also enable HTTPS:

https://supportforums.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

Thanks all! 

So I can disable HTTPS once the command has created the RSA key, right?