cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17334
Views
0
Helpful
17
Replies

SSHv2 - RSA Keys

zekebashi
Level 4
Level 4

Hello, 

I created a simple config file, listed below, and tried to copy and paste this config on a 2960-8Port switch. After pasting this file,  I receive as error message when I issue this command "show ip ssh SSH Disabled - version 1.99 % Please create RSA Keys to enable SSH (of at least 768 bits size) to enable SSH v2. Authentication timeout: 120 secs; Authentication retries: 3" 

I can't figure out why ssh v2 won't enable. I've tried it on several boxes/switches but I still receive the same error message. 

Any idea as why this happens. 

Thanks in advance. 

Best, ~zK 

no service pad

no service password-encryption

hostname Sales-SW-ACC2

ip domain name my.company.come

boot-start-marker

boot-end-marker

enable secret 5 xoadou435o4nadgaet!%Aou2

no aaa-new-model

ip dhcp pool 10.0.0.0

    network 10.0.0.0 255.255.255.0

    lease 0 0 10

service dhcp

spanning-tree mode past

spanning-tree pordtfast default

spanning-tree extend system-id

vlan internal allocation policy ascending

crypto key generate rsa generate-keys modulus 1024

interface GigabitEthernet0/1

interface GigabitEthernet0/2

interface GigabitEthernet0/3

interface GigabitEthernet0/4

interface GigabitEthernet0/5

interface GigabitEthernet0/6

interface vlan1

ip address 10.0.0.1 255.255.255.0

ip sea enabled reaction-alerts

ip dhcp excluded-address 10.0.0.1 10.0.0.10

line console 0

line vey 0 4

   privilege level 15

transport input telnet

line vty 5 15

no login

end

1 Accepted Solution

Accepted Solutions
17 Replies 17

Philip D'Ath
VIP Alumni
VIP Alumni
crypto key generate rsa generate-keys modulus 4096

Thanks, Philip! 

I've not tried your recommended solution yet and I was wondering if you could clarify for me why selecting this modulus would work over the the one I used. 

Much appreciated. 

~zK 

It's not the modules you got wrong.  You config says you are creating "rss" keys, which is invalid.  You need to create "rsa" keys.

And if you are going to create keys why bother doing 1024 bits when you can do 4096.

That was a typo. It's "rsa" not "rss". Thanks for catching that! We're following a company standard for now by using the 1024; nonetheless; would the modulus size cause the config to produce that error? 

No, the modulus would not create that error.  The error suggest to me that the RSA keys did not in fact get created.  Does "show ip ssh" show that a RSA key exists?

when I issue this command "show ip ssh, I receive the following output: 

"SSH Disabled - version 1.99 % Please create RSA Keys to enable SSH (of at least 768 bits size) to enable SSH v2. Authentication timeout: 120 secs; Authentication retries: 3" 

If you issue the command to create the RSA key again what does it say?

So, when executing this command "crypto key generate rsa generate-keys modulus 1024", this is the output I receive

"an error occured"\"\\\"error deploying config ssh does not seem to be enabled show ip ssh\\\r\\\\nSSH Disabled - verision 1.99\\\\r\\\\\n%Please create RSA keys to enable SSH (of at least 768 bits size) to enable SSH v2.\\\\r\\\\nAuthentication timeout: 120 secs; Authenticaiton retries: 3\\\\r\\\\Sales-SW-ACC2#\\\"\\n"an"

Either you have using a limited "K8" image, or you have a buggy version of the software on that switch.  I would recommend you upgrade the switch software to a gold star release.

Thanks for your input. I'll verify that with Cisco. 

Much appreciate. 

Best, ~zK 

I verified the IOS on the switch and it's a12.2 IPBaseK9 image. 

If I have a config file of a similar switch containing the crypto pki trustpoint TP-self-signed-.... and crypto pki certificate chain TP-self-signed-.....  statements included in the config file listed below and then I pasted these statements onto the switch, would that cause the rsa key to get rejected? 

I did a little research and found out that if I removed the rsa key by using this command " crypto key zeroize rsa" and then added the "crypto key generate rsa generate-keys modulus 1024, then that would work. Any thoughts? 


no service pad

no service password-encryption

hostname Sales-SW-ACC2

ip domain name my.company.come

boot-start-marker

boot-end-marker

enable secret 5 xoadou435o4nadgaet!%Aou2

no aaa-new-model

ip dhcp pool 10.0.0.0

    network 10.0.0.0 255.255.255.0

    lease 0 0 10

service dhcp

spanning-tree mode past

spanning-tree pordtfast default

spanning-tree extend system-id

vlan internal allocation policy ascending

crypto key generate rsa generate-keys modulus 1024

interface GigabitEthernet0/1

interface GigabitEthernet0/2

interface GigabitEthernet0/3

interface GigabitEthernet0/4

interface GigabitEthernet0/5

interface GigabitEthernet0/6

interface vlan1

ip address 10.0.0.1 255.255.255.0

ip sea enabled reaction-alerts

ip dhcp excluded-address 10.0.0.1 10.0.0.10

line console 0

line vey 0 4

   privilege level 15

transport input telnet

line vty 5 15

no login

end

Thanks, ~zK 

You should definitely not copy across the existing trustpoints.  When you create the RSA key it will create its own new trustpoints.

12.2 is pretty old.  Can you upgrade it to a modern "gold star" release?

So, should I negate both cyrpto pki statements, add this command:  crypto key zeroize rsa, and then add crypto key generate rsa general-keys modulus 1024?

I will upgrade the IOS to the gold star, as well. 

Much appreciated. 

Best, ~zK 

Correct.

Review Cisco Networking for a $25 gift card