Enable SSH V2

Answered Question
Nov 23rd, 2011

Hi, I have a switch 2960 24TC-L with c2960-lanbasek9-mz.150-1.SE.bin and SSH v1 enabled.

When I try to enable SSH v2 the switch tells me that I have to create a crypto key rsa. I generated the crypto key rsa with 1024 bits and when I try to enable SSH v2 I receive the same message.

Peter Paluch Wed, 11/23/2011 - 15:53

Hi Damian,

Can you please post the exact message the switch tells you when trying to enable the SSHv2? Just in case, SSH v1.99 means - strangely enough - that the switch is running both SSHv1 and SSHv2.

Best regards,

Peter

naiduccnp Thu, 11/24/2011 - 05:02

Hi Damian,

Follow the procedure below in order to get SSH v2 enabled on your router.

Firstly is ssh enabled?

router#sh ip ssh
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH.
Authentication timeout: 60 secs; Authentication retries: 5

In this case it's not; if you get an error saying that sh ip ssh is not
recognized, then you would know that SSH is not supported or possibly
that the command is different for your platform.

How to enable SSH on a Cisco 800 series

router# config term
router(config)#crypto key generate rsa usage-keys label router-key
The name for the keys will be: router-key
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

router (config)#
000047: *Mar 1 20:40:50.843 UTC: %SSH-5-ENABLED: SSH 1.99 has been enabled
router (config)#exit

According to the line above SSH has been enabled, we can confirm this
by running the sh ip ssh command again.

router#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

router#

Now setting the router up to accept ssh logins

Usually it will anyway because by default the transport is set to all

transport preferred all
transport input all

But we want to change that

Router#conf t

line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
login local
transport preferred ssh
transport input ssh
!
Write your config and test it.

Please rate the helpful posts.

Regards,

Naidu.

naiduccnp Thu, 11/24/2011 - 05:32

So what is the issue you are facing?

Please rate the helpful posts.

Regards,

Naidu.

Peter Paluch Thu, 11/24/2011 - 06:55

Damian,

I apologize for not checking the screenshots you have attached. Hmm, this is an interesting issue. Perhaps you have several RSA keypairs configured, and the SSH is using some short keypair that does not allow running SSHv2.

I suggest erasing all existing RSA keypairs using the crypto key zeroize rsa as follows:

configure terminal
crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

Then try generating a new RSA keypair anew:

configure terminal
crypto key generate rsa label ssh modulus 1024
The name for the keys will be: ssh
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

This alone should make sure that the SSH is able to run in SSHv2. In addition, I have given the keypair a special name that can be used to select it in diverse applications. We can make sure that SSH is using this particular RSA keypair using these commands:

configure terminal
ip ssh rsa keypair-name ssh

Then you should be able to run SSHv2. Can you verify that? Thanks!

Best regards,

Peter

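Both procedures above (Naidu's key generation and vty setup, Peter's zeroize-and-regenerate) end with the same question: is the device now really speaking SSHv2, and is it SSHv2 only? The script below is an added example, not code from the thread or from Cisco; it parses the "show ip ssh" status line quoted in the thread and the SSH identification string a device sends on connect, and maps the version field to the protocol generations it allows (per RFC 4253, "1.99" means the server accepts both SSH-1 and SSH-2). The regexes, function names and the sample banner "SSH-1.99-Cisco-1.25" are my own assumptions, not page content.

```python
import re
import socket

# RFC 4253 section 4.2 identification string: "SSH-protoversion-softwareversion [SP comments]"
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Status line of "show ip ssh" as it appears in the thread, e.g. "SSH Enabled - version 1.99"
_SHOW_RE = re.compile(r"^SSH (?P<state>Enabled|Disabled) - version (?P<proto>\d+\.\d+)")


def versions_from_proto(proto: str) -> set[str]:
    """Map the protoversion field to the SSH generations the server accepts.

    "1.99" is the RFC 4253 marker for a server that accepts SSH-1 and SSH-2,
    "2.0" means SSH-2 only, and "1.x" means SSH-1 only.
    """
    if proto == "1.99":
        return {"1", "2"}
    return {proto.split(".")[0]}


def parse_banner(line: str) -> dict:
    """Parse a server identification string read off the wire."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"proto": m["proto"], "software": m["software"],
            "versions": versions_from_proto(m["proto"])}


def parse_show_ip_ssh(output: str) -> dict:
    """Parse the first status line of IOS 'show ip ssh' output."""
    for line in output.splitlines():
        m = _SHOW_RE.match(line.strip())
        if m:
            return {"enabled": m["state"] == "Enabled",
                    "versions": versions_from_proto(m["proto"])}
    raise ValueError("no 'SSH Enabled/Disabled - version' line found")


def is_v2_only(versions: set[str]) -> bool:
    """True when the device will not fall back to SSH-1 (the state to aim for)."""
    return versions == {"2"}


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification string from a live device (needs network access).

    Lines before the one starting with "SSH-" are pre-banner text and are skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        for raw in f:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification string received")


# Constructed sample inputs (the banner string is assumed, not taken from the thread)
SAMPLE_SHOW = "SSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SAMPLE_BANNER = "SSH-1.99-Cisco-1.25\r\n"
```

Running parse_show_ip_ssh(SAMPLE_SHOW) reports the device enabled but still accepting SSH-1, so the thread's goal (SSHv2 only) is not yet met; once "ip ssh version 2" takes effect, both the status line and the banner should report "2.0".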
Correct Answer
Peter Paluch Thu, 11/24/2011 - 07:33

Damian,

The current SSH session should not break during the recommended operation. However, for maximum resiliency, I would personally suggest using a different CLI access method (Console or Telnet) just to make sure the SSH session does not get corrupted. In any case, if the SSH session was closed before the SSH keys are generated anew, you would not be able to SSH into the device anymore.

Best regards,

Peter

Posted November 23, 2011 at 3:51 PM
Tags: ssh, enable, switch, 2960, v2