
New Member

3560 not using new crypto key

Hi

I have a 3560 running 12.2(25)SEE3 which has a 768-bit key. We need to replace that key with a 1024-bit key.

After I create the new key, it appears that the switch does not use it. Logging in with PuTTY and looking at the (PuTTY) log, I see the following:

2013-09-10 11:47:25    Host key fingerprint is:

2013-09-10 11:47:25    ssh-rsa 768 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

2013-09-10 11:47:25    Initialised AES-256 CBC client->server encryption

2013-09-10 11:47:25    Initialised HMAC-SHA1 client->server MAC algorithm

This is after I zeroized the key and then recreated it.

Thoughts?

Thanks

-Doug

4 REPLIES
Hall of Fame Super Silver

3560 not using new crypto key

Did you recreate using "crypto key generate rsa"?

You don't perhaps have a different keypair hardcoded, do you? (e.g. "ip ssh keypair-name ___")

New Member

3560 not using new crypto key

router#crypto key zeroize rsa

then

router#crypto key gen rsa gen mod 1024

It seemingly generates the key as it should, but does not seem to be using it for ssh connections.

router#sh run | i ssh

ip ssh version 2

transport input ssh

transport input ssh

I don't think I am able to set a specific keypair for ssh.

Thanks

Hall of Fame Super Silver

3560 not using new crypto key

Hmmm.

If you try to ssh in anew after doing the zeroize but before regenerating, is the connection accepted?

You do have an "ip domain-name" configured right? "crypto key gen rsa" should require it but I shouldn't assume...

New Member

3560 not using new crypto key

Once I zeroize the "old" key out and before I create a new one, I am still able to ssh into the switch.

I do have an ip domain-name configured.

Wish I could reload with the new key and see if that resolves it.

Thanks
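As an added example, not part of this thread or of any Cisco tool: a small Python check that parses PuTTY event-log lines of the form Doug posted and compares the host key the switch presented against the key size (and optionally the fingerprint) recorded after regeneration, so a stale 768-bit key is reported instead of being accepted silently. The log text and fingerprint below are constructed.

```python
import re

# Constructed sample of PuTTY event-log lines, in the same layout as the thread.
SAMPLE_LOG = """\
2013-09-10 11:47:25    Host key fingerprint is:
2013-09-10 11:47:25    ssh-rsa 768 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
2013-09-10 11:47:25    Initialised AES-256 CBC client->server encryption
2013-09-10 11:47:25    Initialised HMAC-SHA1 client->server MAC algorithm
"""

# Matches the key line PuTTY writes after "Host key fingerprint is:":
# <date> <time> <key type> <modulus bits> <16 colon-separated hex bytes>
KEY_LINE = re.compile(
    r"^\S+ \S+\s+(?P<type>ssh-\w+) (?P<bits>\d+) "
    r"(?P<fp>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_host_key(log_text):
    """Return (key_type, bits, fingerprint) from a PuTTY log, or None if absent."""
    for line in log_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            return m.group("type"), int(m.group("bits")), m.group("fp").lower()
    return None


def check_host_key(log_text, expected_bits, expected_fp=None):
    """Compare the presented host key with what the operator expects.

    expected_bits is the modulus size requested with 'crypto key generate rsa';
    expected_fp (optional, hypothetical input) is the fingerprint recorded out of
    band after regeneration. Returns a list of findings; empty means the key is
    the regenerated one.
    """
    key = parse_host_key(log_text)
    if key is None:
        return ["no host key line found in log"]
    _key_type, bits, fp = key
    findings = []
    if bits != expected_bits:
        findings.append(f"key size {bits} != expected {expected_bits}: old key still in use")
    if expected_fp is not None and fp != expected_fp.lower():
        findings.append("fingerprint does not match the regenerated key")
    return findings
```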
