03-22-2021 04:07 AM
Hello, I tried generating RSA key using 2048 bits on switch model : WS-C3560CX-8PC-S
But after saving the configuration and I type sh ssh, I still get :- Minimum expected Diffie Hellman key size : 1024 bits
03-22-2021 04:30 AM - edited 03-22-2021 04:55 AM
you have to type the name of your ssh.
show crypto key mypubkey rsa
also you can double check what is your ssh configuration configured on your switch with command
show run all | i ssh
show crypto key mypubkey all
show run all | i ssh
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 1024
no ip ssh rekey time
no ip ssh rekey volume
ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
transport input ssh
transport input ssh
(config)#ip ssh dh min size 2048
03-22-2021 04:57 AM
I wrote a guide for SSH-setup some time ago. Just follow that and it should work:
https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
03-23-2021 07:13 AM
Hello Karsten,
I actually used your guide but it seems the switch does not accept 2048-bit RSA keys.
While generating the RSA keys, I specified 2048 bits; after the configuration, I saved the config using "do write" in global configuration mode.
Once I telnet into the switch and type "sh ip ssh" on the CLI, it still shows Minimum expected Diffie Hellman key size : 1024 bits.
I do not know if this is peculiar to version 15.0(2a)EX5
03-23-2021 08:55 AM
If it generally complains about 1024 bit keys:
This is a typical symptom when the SSH-process does not know which RSA-key to use. Make sure that you assign a label to your key when generating the keys and use this same label when assigning the key to SSH.
If it complains about the DH-keys:
make sure that you have
ip ssh dh min size 2048
in your config. These commands are all available in your IOS-version.
03-23-2021 01:22 PM
@Karsten Iwen I was looking into the show run but could not find it until I gave the command show run all,
which produced the configuration below:
show run all | i ssh
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 1024
no ip ssh rekey time
no ip ssh rekey volume
ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
transport input ssh
transport input ssh
(config)#ip ssh dh min size 2048
I noted that in order to get the 2048 key you have to configure it manually, and that is what I recommend to @ugwuugochukwukizito
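The two points raised in this thread, that the RSA key must be bound to SSH under a label and that the DH floor is only raised when `ip ssh dh min size 2048` is actually present in `show run all`, can be checked mechanically from the pasted output. The script below is an added example and not code from the thread or from Cisco; it parses `show run all | i ssh` text, flags the settings a reviewer would object to (DH minimum under 2048 bits, SSHv1, no `ip ssh rsa keypair-name` line, CBC/3DES ciphers, the truncated `hmac-sha1-96` MAC) and prints the IOS commands that fix each one. The sample input is constructed from the output posted above; the 2048-bit floor, the weak-algorithm lists and the key label `SSH-KEY` are my assumptions, and `hmac-sha1` is kept only because it is the strongest MAC this IOS release lists.

```python
import re

# Constructed sample: the `show run all | i ssh` output pasted in the thread.
SAMPLE_OUTPUT = """\
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 1024
no ip ssh rekey time
no ip ssh rekey volume
ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
transport input ssh
transport input ssh
"""

MIN_DH_BITS = 2048                                   # assumption: the floor we enforce
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}   # assumption
WEAK_MACS = {"hmac-sha1-96"}                         # truncated MAC; assumption
KEY_LABEL = "SSH-KEY"                                # placeholder label, pick your own


def parse_ssh_config(text):
    """Pull the SSH settings we audit out of `show run all | i ssh` output."""
    cfg = {"dh_min_size": None, "version": None, "keypair_name": None,
           "server_ciphers": [], "server_macs": []}
    patterns = {
        "dh_min_size":    (r"^ip ssh dh min size (\d+)$", int),
        "version":        (r"^ip ssh version (\d+)$", int),
        "keypair_name":   (r"^ip ssh rsa keypair-name (\S+)$", str),
        "server_ciphers": (r"^ip ssh server algorithm encryption (.+)$", str.split),
        "server_macs":    (r"^ip ssh server algorithm mac (.+)$", str.split),
    }
    for raw in text.splitlines():
        line = raw.strip()
        for key, (pattern, convert) in patterns.items():
            match = re.match(pattern, line)
            if match:
                cfg[key] = convert(match.group(1))
                break
    return cfg


def audit(cfg):
    """Return (finding, remediation command) pairs; an empty list means clean."""
    findings = []
    if cfg["dh_min_size"] is None or cfg["dh_min_size"] < MIN_DH_BITS:
        findings.append((f"DH minimum below {MIN_DH_BITS} bits",
                         f"ip ssh dh min size {MIN_DH_BITS}"))
    if cfg["version"] != 2:
        findings.append(("SSHv1 permitted", "ip ssh version 2"))
    if cfg["keypair_name"] is None:
        # The symptom described in the thread: no labelled key bound to SSH.
        findings.append(("no RSA key label bound to SSH",
                         f"crypto key generate rsa label {KEY_LABEL} modulus 2048 ; "
                         f"ip ssh rsa keypair-name {KEY_LABEL}"))
    weak = [c for c in cfg["server_ciphers"] if c in WEAK_CIPHERS]
    if weak:
        strong = [c for c in cfg["server_ciphers"] if c not in WEAK_CIPHERS]
        findings.append(("CBC/3DES ciphers offered: " + " ".join(weak),
                         "ip ssh server algorithm encryption " + " ".join(strong)))
    weak_macs = [m for m in cfg["server_macs"] if m in WEAK_MACS]
    if weak_macs:
        strong = [m for m in cfg["server_macs"] if m not in WEAK_MACS]
        findings.append(("truncated MAC offered: " + " ".join(weak_macs),
                         "ip ssh server algorithm mac " + " ".join(strong)))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_ssh_config(text))


if __name__ == "__main__":
    for finding, fix in audit_text(SAMPLE_OUTPUT):
        print(f"- {finding}\n    fix: {fix}")
```

Run against the pasted output it reports four findings; feed it the `show run all | i ssh` text after applying the fixes and it should return nothing, which is the check the thread was missing between "I generated a 2048-bit key" and "sh ip ssh still says 1024".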