10891 Views, 5 Helpful, 10 Replies

Enabling ssh with a startup config or similar?

markus.forrer
Level 4

Hello,

I am currently testing the new feature of IOS 12.2(55)SE1 called "Smart Install".


I got it working even though it still has many issues but that's probably because it is a very new functionality.

Anyways, we are using it currently in a lab-environment to test the "zero-touch" replacement of defective Switches. In that case the Director of the SI Network knows what config the defective Switch has saved last.

It then uses that exact config to deploy to the replaced switch as a startup config.

For Security Reasons we have the command "transport input ssh" on all lines enabled. (Makes sense if you want to shut out telnet).

Now, when the new switch receives the IOS update (which is also delivered by Smart Install) and therefore reboots, it uses our startup config.

With the above mentioned command "transport input ssh" on the lines, we have no way of connecting to the newly replaced switch.

"Crypto keys cannot be generated on startup" is the message I see on the Serial-Console output.


Has anyone got an idea how we could work around this?

Is there a way to tell a switch that it has to generate an RSA certificate to enable SSH without "touching" it?

I know that with the command "transport input all" this issue would not be an issue, but that is not an option for a possible production release. Since we are using the config of a switch that was running in production, the running config cannot allow telnet to be used.

I have asked Google, used this forum's search functionality and found nothing. I am absolutely sure, though, that this is an issue many Cisco users have to deal with, so I was surprised not to find anything.

Details of our lab:

Director Switch: C3560 with IOS 12.2(55)SE1

Client Switch (to be replaced): C2960 with IOS 12.2(55)SE1

Both have the crypto-image installed.

Accepted Solution

Markus

I am not familiar with the Smart Install and so parts of my response may or may not be on target. My apologies if I am off target here.

How does Smart Install get the startup config to the replacement switch? If you can specify the config to use (and your post implies that you can) then how does Smart Install get that particular config to the switch? Assuming that you can edit the production version of the saved startup config, then I would think that you could insert the crypto key generate command at the bottom of the startup config to be sent to the switch. If the startup config has already set the host name and set the domain name, then I would think that it would accept and execute the crypto key generate command. Note that if your config specifies any SSH parameters (version or anything else) then those commands need to be moved to the bottom of the startup config being sent to the replacement switch so that they execute after the crypto keys are generated.

HTH

Rick

10 Replies

andamani
Cisco Employee

Hi,

Try generating a new crypto key pair.

The following link gives you details of the ssh configuration:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi,

Thanks for the response. I think you didn't exactly get what I am trying to do. I know how to configure ssh on Cisco Devices manually.

All our Cisco Aironet devices (access points) are capable of generating the crypto certificates at boot time without previously executing any command except enabling SSH (ip ssh version 2) and putting it on the lines (transport input ssh).

Since we are doing the same thing by giving the switch the last known configuration of its predecessor as a startup configuration, then installing the defined IOS release and doing a reboot, we expect the switch to be able to generate the needed crypto certificates by itself without us telling it to do so. We just couldn't find a way (yet) and hoped someone had run into this problem before.

I'm going to look at another way, too. Maybe it is possible to send some sort of SNMP packets to make the switch do so, since SNMP would also be available when the SSH daemon was not running and the lines only permitted SSH.

Markus


Hello Richard,

Thanks for your answer.

Smart Install gets the config to the new switch by telnet. Since a factory-new Switch can do telnet, the initial config comes from the director. It connects to the switch over a non-standard telnet port and issues the copy command to get the startup config from the tftp server. After that it does the same with the IOS. We can't really do anything because every interaction with the new switch stops the smartinstall process.

The solution you described (I will test it later this week) could work for deploying new switches.

In my scenario, however, there currently seems to be no way to enable SSH when the startup config is the last known configuration of the switch that died, because we cannot manually edit this startup config (it would defeat the purpose of the feature), since it is backed up by the director and the logic deciding whether or not this config is to be used runs on the director.

I am in contact with "our guys" from cisco, and they are trying to get feedback from the developer team of this feature. I will keep testing new releases for this issue and will report any progress.

Markus

Yes, putting the crypto key generate command into the initial config file loaded into a new router or switch works well.

With what you have explained about Smart Install I can see that it might not work for replacing a failed switch.

It is one of the things about the crypto key and SSH: the key is generated in configuration mode but leaves nothing in the configuration file that shows that the keys were generated, or that would cause the keys to be generated if the config were loaded onto a new box.

HTH

Rick

Richard Clayton
Level 1

you could try this in your startup config

Rick

!
! One-shot kron job: two minutes after the config is loaded, run the EEM
! applet below (kron policies run EXEC commands only, so key generation,
! which needs configuration mode, is delegated to the applet).
kron occurrence crypto_key in 2 oneshot
 policy-list crypto_key
!
kron policy-list crypto_key
 cli event manager run crypto_key
!
! Manually triggered applet (event none) that generates the RSA key pair,
! drops back to privileged EXEC and saves the running config.
event manager applet crypto_key
 event none sync yes
 action 1 cli command "enable"
 action 2 cli command "config t"
 action 3 cli command "crypto key generate rsa modulus 2048"
 action 4 cli command "exit"
 action 5 cli command "write mem"
 action 6 cli command "end"
!

Richard Clayton
Level 1

Hi

This is the latest version that I use in the startup config. The first line bypasses authorization, as I found the script failed when I tried it on a device with TACACS enabled. I have used this on over 2000 routers now without any issues.

Thanks

Rick

!
! "authorization bypass" lets the actions run even when AAA command
! authorization (TACACS) is enabled. This applet saves the running config
! 80 seconds after it is loaded.
event manager applet write_mem authorization bypass
 event timer countdown time 80
 action 1.0 cli command "enable"
 action 1.1 cli command "write mem"
!
! Runs once at boot: generates the RSA key pair, saves the config (answering
! a "confirm" prompt if one appears) and then removes itself so it never
! runs again.
event manager applet crypto_key authorization bypass
 event timer cron cron-entry "@reboot" maxrun 60
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "crypto key generate rsa modulus 2048"
 action 1.3 cli command "end"
 action 1.4 cli command "write mem" pattern "confirm|#"
 action 1.5 regexp "confirm" "$_cli_result"
 action 1.6 if $_regexp_result eq "1"
 action 1.7  cli command "y"
 action 1.8 end
 action 1.9 cli command "config t"
 action 2.0 cli command "no event manager applet crypto_key"
!
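As an added example (not code from this thread, from Cisco, or from either Rick), the following Python linter applies the two ordering rules from the accepted solution (hostname and domain name before the key is generated; "ip ssh" parameters after it) and flags the lock-out Markus hit: "transport input ssh" on the lines with nothing in the config that would create an RSA key, whether a bare "crypto key generate rsa" line or the same command quoted inside an EEM applet action like Richard Clayton's. The sample configs are constructed for the example. It assumes, as Rick reports, that a "crypto key generate rsa" line at the end of a startup config is executed at boot on the target platform; Markus's "Crypto keys cannot be generated on startup" console message shows that is not true everywhere, so verify on your own hardware before relying on it.

```python
import re

# Constructed sample (not from the thread): Markus's lock-out, i.e. SSH-only
# lines and no key-generation hook anywhere in the config.
SAMPLE_LOCKED_OUT = """\
hostname sw-access-01
ip domain-name lab.example
ip ssh version 2
line vty 0 15
 transport input ssh
line con 0
"""

# Second constructed sample: the key command is present but placed before the
# hostname, and no domain name is configured at all.
SAMPLE_BAD_ORDER = """\
crypto key generate rsa modulus 2048
ip ssh version 2
hostname sw-access-01
line vty 0 15
 transport input ssh
"""

# Matches a bare 'crypto key generate rsa' command or the same command quoted
# inside an EEM 'action ... cli command "..."' line.
KEYGEN_RE = re.compile(r"crypto key generate rsa\b")
SSH_PARAM_RE = re.compile(r"^ip ssh\b")
PREREQS = ("hostname", "ip domain-name")  # the key name is derived from these


def _lines(text):
    return [line.rstrip() for line in text.splitlines()]


def find_keygen_hook(lines):
    """Index of the first line that would create an RSA key at boot, or None.

    None is the normal state of a saved config: 'crypto key generate' leaves
    no trace in the configuration, which is exactly the problem in the thread.
    """
    for i, line in enumerate(lines):
        if KEYGEN_RE.search(line):
            return i
    return None


def lint_config(text):
    """Return a list of findings; an empty list means SSH can come up from this config."""
    lines = _lines(text)
    findings = []
    ssh_only = any(line.strip() == "transport input ssh" for line in lines)
    hook = find_keygen_hook(lines)
    if ssh_only and hook is None:
        findings.append(
            "LOCKOUT: lines accept only SSH but nothing in the config generates RSA keys"
        )
    if hook is None:
        return findings
    # Rule 1: hostname and domain name must be set before the key is generated.
    for prereq in PREREQS:
        idx = next((i for i, l in enumerate(lines) if l.startswith(prereq + " ")), None)
        if idx is None:
            findings.append(f"MISSING: {prereq} is required before keys can be generated")
        elif idx > hook:
            findings.append(
                f"ORDER: {prereq} (line {idx + 1}) must precede key generation (line {hook + 1})"
            )
    # Rule 2: SSH parameters are only accepted once a key exists, so they must
    # come after the key-generation line.
    for i, line in enumerate(lines):
        if SSH_PARAM_RE.match(line) and i < hook:
            findings.append(
                f'ORDER: "{line}" (line {i + 1}) runs before keys exist (line {hook + 1}); move it after'
            )
    return findings


def add_keygen(text, modulus=2048):
    """Apply the accepted solution to a config with no key hook.

    Appends 'crypto key generate rsa modulus N' at the end and moves every
    top-level 'ip ssh ...' line behind it. A config that already has a hook is
    returned unchanged.
    """
    lines = _lines(text)
    if find_keygen_hook(lines) is not None:
        return text
    ssh_params = [l for l in lines if SSH_PARAM_RE.match(l)]
    kept = [l for l in lines if not SSH_PARAM_RE.match(l)]
    kept.append(f"crypto key generate rsa modulus {modulus}")
    return "\n".join(kept + ssh_params) + "\n"


if __name__ == "__main__":
    for name, cfg in (("locked-out", SAMPLE_LOCKED_OUT), ("bad-order", SAMPLE_BAD_ORDER)):
        print(name, lint_config(cfg))
    print("fixed", lint_config(add_keygen(SAMPLE_LOCKED_OUT)))
```

Run it against the startup config the director is about to push; an empty finding list for the locked-out sample only after add_keygen has rewritten it is the behaviour to expect. Because the EEM variants quote the same command, a config carrying Richard Clayton's applet also passes the LOCKOUT check, which is what you want when you cannot edit the backed-up config by hand and must rely on an applet that was already present on the dead switch.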

It doesn't work on a Cisco C1111-4P with IOS XE 16.9.2. In fact, it doesn't matter at which point of the configuration I put this script: either it is never executed, or if it is executed it doesn't work.

adsyparker
Level 1

Since this seems to be the go-to result for this search, I'm going to add this to a 9-year-old post.

On some switches (IE range) adding an empty file 'ssh.enable' to the SDFlash will tell the switch to generate a 1024-bit SSH key. I haven't seen this documented anywhere but it works on the IE2000.

What do you mean by SDFlash? is that the normal 'flash:' on the IE2000?
It didn't work on an IE2000-16T67P running version 15.2(4)EA5.