Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ssh between switches not working

Hello,

We have a network of more than 1000 network devices. We introduced ssh a number of years ago. At the time we used key modulus 512. We are now implementing modulus 1024 with any new devices being installed. Yesterday we installed a  switch (2960 - 12.2.52SE) and generated keys etc. But when we tried to ssh to an older switch (2950 - 12.1.22EA10a) it gave the following error messages:

Server's public key below the mandatory size of 768 bits!

SSH2 CLIENT 0: signature verification failed, status -1

Zeroizing the key on the old switch and re-generating it with a higher modulus works, but is there another way? At the time when we installed the older switches it never complained about the mandatory size. Why does the command "crypto key generate" allow for a size starting at 360 bits??

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ssh between switches not working

Hi ,

RSA keys size for SSH v2 is atleast 768 bits.

If on one router you have version 2 and on the other one is version 1.99 you must specify the version on the other end. (higher to lower version)

For example :

ssh -l user - v 1 192.168.1.1

HTH

Dan

2 REPLIES

Re: ssh between switches not working

Hi ,

RSA keys size for SSH v2 is atleast 768 bits.

If on one router you have version 2 and on the other one is version 1.99 you must specify the version on the other end. (higher to lower version)

For example :

ssh -l user - v 1 192.168.1.1

HTH

Dan

New Member

Re: ssh between switches not working

Thank you ever so much.

It is very odd. I can putty to the switch and "show ssh" gives me

connection 0 connected with version 2.0, encryption 3des-cbc

On one of the new switches it gives me:

connection 0 connected with version 2.0, encryption aes256-cbc

Putty seems to ignore the 768 bits rule.

Yes, connecting between old switches (or specifying v1 from a new switch) connects then with version 1.5. From an old switch I couldn't specify the version to choose 2 rather than default.

Thanks anyway. This is a great help. Will get the keys regenerated at some point.

1155
Views
0
Helpful
2
Replies