Any script to let me find out which Cisco switches have RSA key less than 800 bit?

Answered Question
Dec 1st, 2009


Imagine I have 500 Cisco switches (2950, 3750, 4507) running IOS 12.3, but some may have a different IOS level.

I know that some of these switches have a 'cry key gen rsa' key size = 512.

I need to have key size = 800 bit.

We do not have Cisco Works in place. Someone in my organization tells me that I would need all these switches at 800 bit otherwise CiscoWorks can't login to it. Does that make sense? I am not sure if I understand that correctly.

If it is true that CiscoWorks can't access such switches and let me change that setting automatically, do you know any script which I could use to let me run against a list of IP addresses and query the switches to find out where RSA key is 800 bits? If it is not 800 bit, I would like to log a message so that I could go manually to the switch to re-execute 'cry key gen rsa' and do 800 bit instead.

Correct Answer by Joe Clarke about 6 years 11 months ago
Joe Clarke Tue, 12/01/2009 - 09:49

IOS 12.3 doesn't run on any of these switches.

LMS can login to switches with an RSA modulus of 512 bits.  It will just use SSHv1 instead of v2.  I do not know of any pre-built scripts to change the modulus size; however, it would be relatively trivial to do with expect.  You could deploy one command to avoid the interactivity:

crypto key generate rsa gen mod 800
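The original poster asked for a script that runs against a list of IP addresses and reports which switches still have a modulus below 800 bits. Below is an added example of the audit half of that task; it is not code from the thread, from Cisco, or from LMS. It assumes that the text of `show crypto key mypubkey rsa` has already been collected from each switch (for instance by an expect script, as Joe suggests) and is passed in as a dictionary of IP -> output. Because older IOS releases print the public key only as a hex dump of the DER SubjectPublicKeyInfo and not as a "modulus size" line, the example decodes that DER to recover the modulus bit length. The sample outputs, hostnames and 192.0.2.x addresses are constructed for the example and the dummy moduli are not real keys.

```python
import re

# --- minimal DER helpers, enough to walk a SubjectPublicKeyInfo --------------
def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F                                   # long form: next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_tlv(buf, pos, tag):
    """Check the tag at buf[pos] and return (value_start, value_end)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length, start = _der_len(buf, pos + 1)
    return start, start + length

def modulus_bits_from_spki(der):
    """RSA modulus size in bits from a DER SubjectPublicKeyInfo (the IOS 'Key Data' hex)."""
    start, _ = _der_tlv(der, 0, 0x30)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _der_tlv(der, start, 0x30)            # AlgorithmIdentifier (rsaEncryption)
    bs_start, _ = _der_tlv(der, alg_end, 0x03)         # BIT STRING wrapping RSAPublicKey
    if der[bs_start] != 0:
        raise ValueError("unexpected unused-bits byte in BIT STRING")
    rpk_start, _ = _der_tlv(der, bs_start + 1, 0x30)   # RSAPublicKey SEQUENCE
    n_start, n_end = _der_tlv(der, rpk_start, 0x02)    # modulus INTEGER
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

# --- parsing `show crypto key mypubkey rsa` ----------------------------------
HEX_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2,8}\s*)+$")

def parse_show_crypto_key(output):
    """Return [(key_name, modulus_bits), ...] for every key block in the command output."""
    results, name, chunks, in_data = [], None, [], False

    def flush():
        if name is not None and chunks:
            results.append((name, modulus_bits_from_spki(bytes.fromhex("".join(chunks)))))

    for line in output.splitlines():
        m = re.match(r"\s*Key name:\s*(\S+)", line)
        if m:
            flush()
            name, chunks, in_data = m.group(1), [], False
        elif re.match(r"\s*Key Data:", line):
            in_data = True
        elif in_data and HEX_LINE.match(line):
            chunks.append(re.sub(r"\s+", "", line))
        elif in_data and line.strip():                 # first non-hex line ends the key data
            in_data = False
    flush()
    return results

def audit_rsa_keys(devices, min_bits=800):
    """devices maps IP -> command output. Returns (ip, key_name, bits) for every key
    below min_bits; a device with no RSA key at all is reported with bits 0."""
    findings = []
    for ip, output in devices.items():
        keys = parse_show_crypto_key(output)
        if not keys:
            findings.append((ip, None, 0))
        findings.extend((ip, n, b) for n, b in keys if b < min_bits)
    return findings

# --- constructed sample data (dummy moduli, not real keys) -------------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_uint(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def sample_show_output(hostname, bits):
    """Fake `show crypto key mypubkey rsa` text with a dummy modulus of `bits` bits."""
    modulus = (1 << (bits - 1)) | 0x10001              # top bit set => bit_length() == bits
    rsa_pub = _der(0x30, _der_uint(modulus) + _der_uint(65537))
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))
    hexstr = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub)).hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    data = "\n".join("  " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))
    return ("% Key pair was generated at: 09:49:00 UTC Dec 1 2009\n"
            f"Key name: {hostname}\n Usage: General Purpose Key\n Key is not exportable.\n"
            " Key Data:\n" + data + "\n")

# Constructed inventory: in practice each entry would be the output collected over SSH.
DEVICES = {
    "192.0.2.1": sample_show_output("sw-core-1.example.net", 512),
    "192.0.2.2": sample_show_output("sw-access-2.example.net", 1024),
    "192.0.2.3": sample_show_output("sw-access-3.example.net", 800),
    "192.0.2.4": "",   # constructed: a switch with no RSA key pair yet
}

if __name__ == "__main__":
    for ip, name, bits in audit_rsa_keys(DEVICES, 800):
        print(f"{ip}: key {name or '<none>'} is {bits} bits (below 800), needs regeneration")
```

Devices that come back in the findings list are the ones to visit and re-run the key generation command on; a device with no key block at all is listed too, since it cannot be running SSH yet. Decoding the DER rather than grepping for a size string keeps the check working across IOS releases whose `show` output formats differ.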

news2010a Tue, 12/01/2009 - 10:04

Sorry for the misinformation regarding the IOS version.


So based on what you are saying, it could just be possible to make LMS connect to every single switch, and at that point I could run the command (eliminating the interactivity) and set them all to 800.
