How to verify the SSH version 2 key length

robert.huang
Level 1

Hi All,

I would like to know the SSH version 2 key length on my 2821 router like 768, 1024 or 2048. Is there a show command or other command to do the job? I tried "show ssh" and "show ip ssh" but won't help.

Any input will be appreciated.

4 Replies

glen.grant
VIP Alumni

I don't know any command that will tell you that. You can look at the key itself but it does not tell you what length the key is.

Ganesh Hariharan
VIP Alumni

Hi Robert,

As suggested it is not possible to check the key length, but generally speaking about the modulus length: when you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate (see Table 12 for sample times) and takes longer to use.

Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.

Note As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported.

The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.

The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.

Sample Times by Modulus Length to Generate RSA Keys

Router        360 bits            512 bits     1024 bits              2048 bits (maximum)
Cisco 2500    11 seconds          20 seconds   4 minutes, 38 seconds  more than 1 hour
Cisco 4700    less than 1 second  1 second     4 seconds              50 seconds

Hope to help

Regards

Ganesh.H

ravi rajani
Level 1

We cannot find it from show commands on Cisco switches. But if you log in through PuTTY, right-click on the PuTTY icon of the device and select Event Log. Go down, and it will show the RSA key value used, whether 1024 or 2048.

MaxFisher925
Level 1

"show ip ssh" shows the modulus of the local key in its output, as below.

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): HTTPS_SS_CERT_KEYPAIR
Modulus Size : 768 bits
ssh-rsa XXXXX
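Glen's reply notes that looking at the key does not show its length, and the "show ip ssh" output above reports a "Modulus Size" line only on newer IOS images. The base64 "ssh-rsa ..." line that IOS prints (and that any SSH client receives during key exchange) is the RFC 4253 public key blob, which encodes the modulus itself, so the bit length can be recovered from it directly. The Python script below is an added example, not code from this thread or from Cisco: it builds a constructed, non-functional 768-bit ssh-rsa blob purely to show the wire format, then parses any "ssh-rsa AAAA..." line and reports the modulus size. The modulus values it constructs are placeholders, not real keys.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (big-endian two's complement)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # top bit set: prepend 0x00 so the value stays positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_blob(e: int, n: int) -> str:
    """Return the base64 body of an 'ssh-rsa' public key line (RFC 4253 section 6.6)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def _read_string(buf: bytes, offset: int):
    """Read one SSH 'string' at offset; return (payload, offset after it)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    end = start + length
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:end], end


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Parse an 'ssh-rsa AAAA...' line (or the bare base64) and return the modulus bit length."""
    parts = pubkey_line.split()
    if not parts:
        raise ValueError("empty public key line")
    b64 = parts[1] if parts[0] == "ssh-rsa" and len(parts) > 1 else parts[0]
    blob = base64.b64decode(b64)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r}")
    _e_bytes, off = _read_string(blob, off)   # public exponent, not needed for the size
    n_bytes, off = _read_string(blob, off)    # modulus as mpint (may carry a leading 0x00)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    n = int.from_bytes(n_bytes, "big")
    return n.bit_length()


def meets_minimum(pubkey_line: str, minimum_bits: int = 2048) -> bool:
    """True if the host key modulus is at least minimum_bits (the policy floor is up to you)."""
    return rsa_modulus_bits(pubkey_line) >= minimum_bits


if __name__ == "__main__":
    # Constructed placeholder modulus: 768 bits long, odd, NOT a real RSA key.
    fake_n = (1 << 767) | 1
    line = "ssh-rsa " + build_ssh_rsa_blob(65537, fake_n) + " router-host-key"
    print(f"Modulus Size : {rsa_modulus_bits(line)} bits")
    print("meets 2048-bit minimum:", meets_minimum(line))
```

Paste the "ssh-rsa" line from the router into `rsa_modulus_bits` to get the same number the "Modulus Size" field reports; from a client with OpenSSH, `ssh-keyscan <router> | ssh-keygen -lf -` gives the same bit length without any parsing. A 768-bit host key, as in the output above, is well below the 2048-bit figure the same output states as the minimum expected Diffie-Hellman size, so a check like `meets_minimum` is a reasonable gate before trusting the device in an inventory.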