09-22-2018 12:38 AM - edited 03-08-2019 04:13 PM
Hi Everyone,
Just started working with Cisco switches so a bit of a newbie.
I was asked to set up some IE5000 switches running OS15.2 with SSH version 2 only. That went fine, thanks to the tutorials in the community; however, once the device is powered off and powered back on, the SSH version resets to 1.99, which I believe is both SSHv1 and SSHv2.
Is there a way to force the switch to only use SSHv2 even after a reboot?
tldr:
- Setup SSH to run on the switch;
- Did use command: Switch(config): ip ssh version 2
- Device was set to SSHv2 which was confirmed using sh ip ssh
- copy run start
- rebooted the device
- checked the ssh version and it was SSHv1.99
Any help at all would be great.
Thanks in advance,
Aublysodon :)
09-22-2018 02:05 AM
Just did the steps for you on one of my test devices. Hope this information helps you, but make sure to take precautions if you are doing this on a production system.
CE1#show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
CE1#config t
Enter configuration commands, one per line. End with CNTL/Z.
CE1(config)#ip domain-name bb.com
CE1(config)#username bbandi password bbandi
CE1(config)#crypto key generate rsa
The name for the keys will be: CE1.bb.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
CE1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
CE1(config)#ip ssh version 2
CE1(config)#line vty 0 4
CE1(config-line)#transport input none
CE1(config-line)#transport input ssh
CE1(config-line)#end
%SYS-5-CONFIG_I: Configured from console by console
CE1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): CE1.bb.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2sle25cmVMxdOs247A7x41eIGBPkZ61ZHr+zCORvh
Bdrx4uFdIL9kk+Iu2swZENJHX4E7EfUKnWSW7rYe4btPKORezOhorAojgdPACcliTlSoaG/pCGhBZCrC
knlGoRqspnL63oDi8pqGqRNt+MnSfUgaYRm6ecgt+r3H0zmlQw==
10-03-2018 03:00 PM - edited 10-03-2018 03:01 PM
Hi Balaji,
Sorry for the late reply.
Unfortunately even after following your steps, after a reload of switch the SSH version resets to version 1.99 (this includes a copy run start).
In your attempt, did you reload the system? Did it remember that you only want Version 2?
Thanks again for all your help,
Regards,
Aublysodon
10-04-2018 12:11 AM
You are not required to reload. Post complete steps and logs (your full configuration, device and IOS information).
12-04-2018 11:45 AM
Hi
Can you share a show version?
BR
Gaston
01-09-2023 03:17 PM
I have run into this issue several times on Catalyst switches and various routers. From what I have seen you have to set the SSH Version to 2 before you generate the RSA Key. Otherwise when the key is created there is a flag of some sort that identifies it as Version 1 compatible and during the boot process the switch turns on support for Version 1, forcing SSH Version 1.99. I have not seen any other fixes for this but I know this is a method that works.
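As an added example (not part of any post in this thread, and not Cisco code), a Python check that compares `show ip ssh` output captured before and after a reload and optionally inspects the server's SSH identification string, where protocol version 1.99 is the RFC 4253 value for a server that also accepts older versions. The sample outputs and the `ExampleDevice` banner are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples: status lines modelled on this thread, banners per RFC 4253.
CLI_BEFORE = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
CLI_AFTER = "SSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
CLI_NOKEY = "SSH Disabled - version 1.99\n%Please create RSA keys to enable SSH\n"
BANNER_V2 = b"SSH-2.0-ExampleDevice\r\n"
BANNER_COMPAT = b"SSH-1.99-ExampleDevice\r\n"

CLI_RE = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)\s*$", re.M)
BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^\s-]+)")


def cli_status(show_ip_ssh):
    """Return (enabled, version) from `show ip ssh` text."""
    m = CLI_RE.search(show_ip_ssh)
    if m is None:
        raise ValueError("no 'SSH Enabled/Disabled - version X' line found")
    return m.group(1) == "Enabled", m.group(2)


def banner_version(first_line):
    """Return the protocol version from the server's identification string."""
    m = BANNER_RE.match(first_line)
    if m is None:
        raise ValueError("not an SSH identification string")
    return m.group(1).decode()


def accepts_sshv1(version):
    """2.0 is v2-only; 1.99 means v2 plus older versions; 1.x is v1 only."""
    return version != "2.0"


def audit_reload(cli_before, cli_after, banner_after=None):
    """Findings after a reload; an empty list means still SSHv2-only."""
    findings = []
    enabled, version = cli_status(cli_after)
    if not enabled:
        findings.append("SSH disabled after reload")
    elif accepts_sshv1(version):
        findings.append(f"CLI reports version {version} (was {cli_status(cli_before)[1]}): SSHv1 accepted")
    if banner_after is not None and accepts_sshv1(banner_version(banner_after)):
        findings.append("server banner still offers SSHv1 compatibility")
    return findings


if __name__ == "__main__":
    print(audit_reload(CLI_BEFORE, CLI_AFTER, BANNER_COMPAT))
```

The banner argument is the first line the server sends on TCP connect, so the same check can be run from a management host without logging in to the switch.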