12-01-2009 09:46 AM
Hi,
Imagine I have 500 Cisco switches (2950, 3750, 4507), IOS 12.3, but some may have a different IOS level.
I know that some of these switches have a 'cry key gen rsa' key size of 512.
I need to have a key size of 800 bits.
We do not have Cisco Works in place. Someone in my organization tells me that I would need all these switches at 800 bits, otherwise CiscoWorks can't log in to them. Does that make sense? I am not sure if I understand that correctly.
Question:
If it is true that CiscoWorks can't access such switches and let me change that setting automatically, do you know of any script which I could run against a list of IP addresses to query the switches and find out where the RSA key is 800 bits? If it is not 800 bits, I would like to log a message so that I could go to the switch manually, re-execute 'cry key gen rsa' and use 800 bits instead.
12-01-2009 09:49 AM
IOS 12.3 doesn't run on any of these switches.
LMS can log in to switches with an RSA modulus of 512 bits. It will just use SSHv1 instead of v2. I do not know of any pre-built scripts to change the modulus size; however, it would be relatively trivial to do with expect. You could deploy one command to avoid the interactivity:
crypto key generate rsa gen mod 800
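Added example (mine, not code from the thread or from Cisco) for the "query the switches and log the ones below 800 bits" half of the question. On the 12.2 releases mentioned here, `show crypto key mypubkey rsa` prints the public key only as a DER SubjectPublicKeyInfo hex dump under "Key Data:" and does not print the modulus size, so the script decodes that DER and reads the modulus bit length directly. This also explains the SSHv1 fallback above: IOS will only negotiate SSHv2 when the host key modulus is at least 768 bits. Fetching the output from each switch (with expect or pexpect, as suggested above) is left out; the inventory, the IP addresses, the `sw-example.example.net` hostname and the key material are all constructed for the example and are not real keys.

```python
"""Audit IOS RSA host keys against a minimum modulus size.

`show crypto key mypubkey rsa` on 12.2-era IOS prints the public key only as a
DER SubjectPublicKeyInfo hex dump under "Key Data:", not the modulus size, so
the size is recovered by decoding that DER. Collecting the output from each
switch (expect/pexpect) is out of scope; the inventory below is constructed.
"""
import re

REQUIRED_BITS = 800
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _der_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos.
    Short-form and long-form lengths cover every element in an SPKI."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus bit length from a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must start with a SEQUENCE")
    tag, algid, pos = _der_tlv(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, rsapub, _ = _der_tlv(bitstr[1:], 0)     # skip the unused-bits octet
    tag_n, modulus, _ = _der_tlv(rsapub, 0)      # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30 or tag_n != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()  # leading 0x00 pad is harmless


def key_data_from_show(output):
    """Pull the hex words after 'Key Data:' out of show crypto key mypubkey rsa output."""
    m = re.search(r"Key Data:\s*((?:[0-9A-Fa-f]{2,8}\s*)+)", output)
    if not m:
        raise ValueError("no Key Data block in output")
    return bytes.fromhex(re.sub(r"\s+", "", m.group(1)))


def check_switch(ip, output, required=REQUIRED_BITS):
    """Return (ip, modulus_bits, ok); ok is False when the key must be regenerated."""
    bits = rsa_modulus_bits(key_data_from_show(output))
    return ip, bits, bits >= required


def find_undersized(inventory, required=REQUIRED_BITS):
    """inventory: {ip: show output}. Returns the IPs whose key is below `required`."""
    return sorted(ip for ip, out in inventory.items()
                  if not check_switch(ip, out, required)[2])


# --- constructed sample data (not real keys, not real switches) ---------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def fake_show_output(modulus_bits, hostname="sw-example"):
    """Mimic the IOS show output for a made-up modulus of exactly modulus_bits bits.
    The modulus is just 2**(bits-1)+1: enough to exercise the DER path, not a usable key."""
    n = (1 << (modulus_bits - 1)) | 1
    rsapub = _der(0x30, _der_int(n) + _der_int(65537))
    algid = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, algid + _der(0x03, b"\x00" + rsapub))
    words = re.findall(r".{1,8}", spki.hex().upper())
    lines = ["  " + " ".join(words[i:i + 8]) for i in range(0, len(words), 8)]
    return ("% Key pair was generated at: 09:40:00 UTC Dec 1 2009\n"
            f"Key name: {hostname}.example.net\n"
            " Usage: General Purpose Key\n Key is not exportable.\n"
            " Key Data:\n" + "\n".join(lines) + "\n")


if __name__ == "__main__":
    inventory = {"10.0.0.1": fake_show_output(512),
                 "10.0.0.2": fake_show_output(800),
                 "10.0.0.3": fake_show_output(1024)}
    for ip, bits, ok in (check_switch(ip, out) for ip, out in inventory.items()):
        status = "ok" if ok else "REGENERATE (crypto key generate rsa general-keys modulus 800)"
        print(f"{ip}: modulus {bits} bits: {status}")
```

The constructed output reproduces the real DER framing, so a 512-bit key dumps as `305C300D 06092A86 ...` and a 1024-bit key as `30819F30 0D06092A ...`, which is what you see on the switches themselves. In practice you would replace `fake_show_output` with whatever pulls the `show` output over SSH and feed the real text into `check_switch`; it rejects anything that is not an rsaEncryption key rather than guessing.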
12-01-2009 10:04 AM
Sorry for the misinformation regarding the IOS version.
c3750-ipservices-mz.122-25.SEE3/c3750-ipservices-mz.122-25.SEE3.bin
So based on what you are saying, it could just be possible to make LMS connect to every single switch, and at that point I could run the command (eliminating the interactivity) and set them all to 800.
12-01-2009 10:10 AM
Yes.