Any script to let me find out which Cisco switches have RSA key less than 800 bit?

news2010a
Level 3

Hi,
Imagine I have 500 Cisco switches (2950, 3750, 4507) running IOS 12.3, but some may have a different IOS level.

I know that some of these switches have a 'cry key gen rsa' key size of 512.

I need to have a key size of 800 bits.

We do not have CiscoWorks in place. Someone in my organization tells me that I would need all these switches at 800 bits, otherwise CiscoWorks can't log in to them. Does that make sense? I am not sure if I understand that correctly.

Question:
If it is true that CiscoWorks can't access such switches and let me change that setting automatically, do you know of any script that I could run against a list of IP addresses to query the switches and find out whether the RSA key is 800 bits? If it is not 800 bits, I would like to log a message so that I could go to the switch manually, re-execute 'cry key gen rsa' and use 800 bits instead.

Accepted Solution

Joe Clarke
Cisco Employee

IOS 12.3 doesn't run on any of these switches.

LMS can login to switches with an RSA modulus of 512 bits. It will just use SSHv1 instead of v2. I do not know of any pre-built scripts to change the modulus size; however, it would be relatively trivial to do with expect. You could deploy one command to avoid the interactivity:

crypto key generate rsa gen mod 800
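As an added example (not code from the thread or from Cisco), here is the checking half of the script the question asks for: once 'show crypto key mypubkey rsa' output has been collected from each switch (with expect, ssh, or whatever gathering step you already use), it parses the Key Data hex and flags key pairs under 800 bits. It assumes the Key Data block is the DER SubjectPublicKeyInfo that IOS prints; the sample output, hostnames and moduli are constructed, not captured from a real switch.

```python
import re

MIN_BITS = 800  # the size the thread wants every switch to be at

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(key_data_hex):
    """Bit length of the modulus in the DER SubjectPublicKeyInfo IOS prints as 'Key Data'."""
    buf = bytes.fromhex(re.sub(r"\s+", "", key_data_hex))  # IOS groups the hex; strip that
    _, spki, _ = der_tlv(buf)                      # SubjectPublicKeyInfo ::= SEQUENCE
    _, _, pos = der_tlv(spki)                      # AlgorithmIdentifier (rsaEncryption), skipped
    _, bitstr, _ = der_tlv(spki, pos)              # BIT STRING holding RSAPublicKey
    _, rsa_pub, _ = der_tlv(bitstr, 1)             # offset 1 skips the unused-bits octet
    tag, modulus, _ = der_tlv(rsa_pub)             # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

KEY_RE = re.compile(r"Key name: (\S+).*?Key Data:\s*((?:[0-9A-Fa-f]+\s*)+)", re.S)

def audit(show_output):
    """Return [(key name, bits, weak)] for every key pair in one switch's show output."""
    results = []
    for name, hexdata in KEY_RE.findall(show_output):
        bits = modulus_bits(hexdata)
        results.append((name, bits, bits < MIN_BITS))
    return results

# Constructed sample (not captured from a real switch): the DER framing is the standard
# SubjectPublicKeyInfo layout, but the moduli are repeated filler bytes, not real keys.
WEAK_512 = "305C300D06092A864886F70D0101010500034B003048024100" + "C5" + "3B" * 63 + "0203010001"
OK_1024 = "30819F300D06092A864886F70D010101050003818D0030818902818100" + "B7" + "5D" * 127 + "0203010001"
SAMPLE = f"""% Key pair was generated at: 10:03:48 UTC Mar 1 2002
Key name: sw-access-01.example.net
 Usage: General Purpose Key
 Key Data:
  {WEAK_512}
% Key pair was generated at: 09:12:01 UTC Jan 15 2009
Key name: sw-access-01.example.net.server
 Usage: Encryption Key
 Key Data:
  {OK_1024}
"""
```

Feed each switch's captured output to audit() and log the entries where the third field is True; those are the switches that still need 'crypto key generate rsa' rerun with a larger modulus.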

Sorry for the misinformation regarding the IOS version.

c3750-ipservices-mz.122-25.SEE3/c3750-ipservices-mz.122-25.SEE3.bin

So based on what you are saying, it could be possible to make LMS connect to every single switch, and at that point I could run the command (eliminating the interactivity) and set them all to 800.

Yes.
