Re: Hello colleagues, I have had

rohan jadhav · ‎02-12-2014

Hello,

I have found on my Switch following logs that i want to eliminate & also want to know the reason how it has been generated?

Switch model is :

C3560E-UNIVERSALK9-M, Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

Feb 1 08:00:25.292 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 2 10:24:31.912 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 3 12:48:37.634 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 4 15:12:43.249 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 5 17:36:38.443 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 6 20:00:56.340 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 7 22:24:51.004 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 9 00:49:09.166 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 10 03:13:15.576 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 11 05:37:11.708 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 12 08:01:29.006 IST: %SYS-5-CONFIG_I: Configured from 172.22.27.206 by snmp

Feb 12 12:05:59.674 IST: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection.

Vasilii Mikhailovskii · ‎03-27-2014

I guess the SSH-3-SSH2_UNEXPECTED_MSG is caused by some weird or misconfigured SSH client or some network issue.

You could try to allow SSH access to your managememnt tools (by ACL) only and "deny log" all the other SSH packets. This way you could try to figure our the source of the packet.

Faruk Azam · ‎08-31-2015

Reloading the box and trying again should fix your issue.

guiyaume18 · ‎04-26-2016

Worked for me, thanks a lot :-)

rgpiesta1 · ‎06-20-2014

I also got this type of message in syslog when somebody from China source ip address was trying to access my router.

Jun 20 23:45:30 192.168.100.254 117: 000115: Jun 20 15:45:29.468: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 116.10.191.208
Jun 20 23:45:30 192.168.100.254 118: 000116: Jun 20 15:45:29.712: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 116.10.191.208

nkarthikeyan · ‎06-21-2014

Hi Rohan,

You might have upgraded IOS or changed the crypto key recently. So a ssh connection towards this device is trying with the old known host key which might caused the problem. If you or someone in your team trying for that... you can do delete the known host in the ssh client and try to do ssh which will solve the issue.

HTH

Regards

Karthik

pesokolo · ‎06-24-2014

Hello colleagues,

I have had the same message so I performed my own investigation.

Possible reasons for this message:

1. Changed rsa keys.

2. Network scanning and ssh password bruteforce attack.

Possibly some others as well, but this two I was able to find and reproduce.

Below technical details:

===========================================================

Please take into consideration that this is not a production router, but my home router. On production devices, all management connections should be limited to trusted management hosts and only secure protocols should be used. SSHv1 is not secure, use v2 only. Do not use "root" and "admin" usernames and simple dictionary passwords.

===========================================================

As in case with rgpiesta1, I have same chinese crackers constantly trying to bruteforce my router from network 116.10.191.x. Looks like this is a kind of "research network" .

This is a list I formed from logs in couple of days:

116.10.191.164
116.10.191.165
116.10.191.168
116.10.191.175
116.10.191.176
116.10.191.184
116.10.191.186
116.10.191.188
116.10.191.189
116.10.191.200
116.10.191.203
116.10.191.211
116.10.191.219
116.10.191.220
116.10.191.227

I suspect this algorithm is used:

1. Scan Internet to find IPs with opened tcp 22 port using tools like nmap and create a list of this IPs.

2. Use ssh-keyscan with this list to populate ssh_known_hosts file for IPs from step 1.

3. Automate login attempts and use password lists to bruteforce victims.

More technical details:

All identity information like hostnames, IPs, usernames is removed.

Test 1. Using ssh-keyscan.

Router side debug when ssh-keyscan is run against the router:

-----------------------------------------------------------------------------------------------------
Jun 24 21:47:01.249: SSH1: starting SSH control process
Jun 24 21:47:01.249: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Jun 24 21:47:01.253: SSH1: protocol version id is - SSH-2.0-OpenSSH-keyscan
Jun 24 21:47:01.253: SSH2 1: SSH2_MSG_KEXINIT sent
Jun 24 21:47:01.257: SSH2 1: SSH2_MSG_KEXINIT received
Jun 24 21:47:01.257: SSH2 1: kex: client->server enc:aes128-ctr mac:hmac-md5
Jun 24 21:47:01.257: SSH2 1: kex: server->client enc:aes128-ctr mac:hmac-md5
Jun 24 21:47:01.257: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
Jun 24 21:47:01.457: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Jun 24 21:47:01.457: SSH2 1: Range sent by client is - 1024 < 1024 < 8192
Jun 24 21:47:01.457: SSH2 1: Modulus size established : 1024 bits
Jun 24 21:47:01.493: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Jun 24 21:47:01.493: SSH2 1: SSH2_MSG_KEXDH_INIT received
Jun 24 21:47:04.197: SSH2: kex_derive_keys complete
Jun 24 21:47:04.197: SSH2 1: SSH2_MSG_NEWKEYS sent
Jun 24 21:47:04.197: SSH2 1: waiting for SSH2_MSG_NEWKEYS
Jun 24 21:47:04.201: SSH2 1: SSH ERROR closing the connection
Jun 24 21:47:04: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from "client ip removed"
Jun 24 21:47:04: %SSH-5-SSH2_SESSION: SSH2 Session request from "client ip removed" (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-md5' Failed
Jun 24 21:47:04: %SSH-5-SSH2_CLOSE: SSH2 Session from "client ip removed" (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-md5' closed
Jun 24 21:47:04.301: SSH1: Session disconnected - error 0x00

-----------------------------------------------------------------------------------------------------

Client side debug:

-----------------------------------------------------------------------------------------------------
ssh-keyscan -vvv "server ip removed"
debug2: fd 3 setting O_NONBLOCK
debug1: no match: Cisco-1.25
# "server ip removed" SSH-2.0-Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 540/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
"server ip removed" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrm/3xgNB0ThqK7535jfsOOEOB3+9yCFqisQLzLOR7BSpsZDVlsVdbxqqXMSvDHWUdWRip9taP+C79Hba5uM3bMaBGDFHHag5U7HtZUuYf9UpUYr76Pgv00NpcA2z2I2kmfNvYqBkd6ST0jFkB2vMWaJvWAGUTsbl3f9kjiCKjNTrHXGgxxYWzCASxMSGlBjQlJD4lAaOm0jbAw5rchgyTFQs32fdSN0akEXBWo0ARrnKT56ofZuwxUh8h2VeSTTjdkH6I3UJI66Vcud3L4RzbPGE4pjwOk/6xvYskx+kKyYoNR+kDKub/2xm0otu14yNWFe4pjZNIL7GFvGx+9l0ggfgMMuvYcrKLQuUmICfVUspfSDRRdNlyeawWL7CWu/RGKuUcY4aZobCt14wwhZq85FVNuhiVhCD3isGnkZiS5L2ugtNSjrIMPkvpwqzHclpuXNQSF0eKuZG4EwwMSH5AXs/1mh6DB0XRLzqcd2t9uM3tEAygVTn4UIWXgHwSZRVqAAkPhRwFcEFmviDKVzroWFGRRld/pRLzJ5dEwZ4TRegqn7UEaoCqV3nzmFFscgAJ6JsMgQomnHFC4JIAYIcZ2D7qyBJWHwpekWhek3WcOsFprsPiS/gI7ri8G+/z03XthzqSYB/fu/NstK7J6ycEC+PvvPg2zrfNBnqVpELFFQ==

===========================================================

Test 2. Changed RSA key.

Router configuration and debug:

-----------------------------------------------------------------------------------------------------
Generate new key:
myrouter(config)#crypto key generate rsa modulus 2048 label test_key
The name for the keys will be: test_key

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 14 seconds)

Changing keys used with ssh:
myrouter(config)#ip ssh rsa keypair-name test_key
Jun 24 22:21:55: %SSH-5-DISABLED: SSH 2.0 has been disabled
Jun 24 22:21:55.808: SSH: host key initialised
Jun 24 22:21:55: %SSH-5-ENABLED: SSH 2.0 has been enabled
Jun 24 22:21:56.360: SSH: successfully generated server key

Test connection from same client:
Jun 24 22:22:49.622: SSH1: starting SSH control process
Jun 24 22:22:49.622: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Jun 24 22:22:49.630: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.9
Jun 24 22:22:49.630: SSH2 1: SSH2_MSG_KEXINIT sent
Jun 24 22:22:49.634: SSH2 1: SSH2_MSG_KEXINIT received
Jun 24 22:22:49.634: SSH2 1: kex: client->server enc:aes128-ctr mac:hmac-md5
Jun 24 22:22:49.634: SSH2 1: kex: server->client enc:aes128-ctr mac:hmac-md5
Jun 24 22:22:49.634: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
Jun 24 22:22:49.834: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Jun 24 22:22:49.838: SSH2 1: Range sent by client is - 1024 < 1024 < 8192
Jun 24 22:22:49.838: SSH2 1: Modulus size established : 1024 bits
Jun 24 22:22:49.870: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Jun 24 22:22:49.874: SSH2 1: SSH2_MSG_KEXDH_INIT received
Jun 24 22:22:50.282: SSH2: kex_derive_keys complete
Jun 24 22:22:50.282: SSH2 1: SSH2_MSG_NEWKEYS sent
Jun 24 22:22:50.282: SSH2 1: waiting for SSH2_MSG_NEWKEYS
Jun 24 22:22:50.386: SSH2 1: SSH ERROR closing the connection
Jun 24 22:22:50: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from "client ip replaced"
Jun 24 22:22:50: %SSH-5-SSH2_SESSION: SSH2 Session request from "client ip replaced" (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-md5' Failed
Jun 24 22:22:50: %SSH-5-SSH2_CLOSE: SSH2 Session from "client ip replaced" (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-md5' closed
Jun 24 22:22:50.486: SSH1: Session disconnected - error 0x00

Client makes connection to known host:

-----------------------------------------------------------------------------------------------------
sh -vvv user@router
OpenSSH_5.9p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /Users/user/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to "router" [ip removed] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/user/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/user/.ssh/id_rsa type 1
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "router" from file "/Users/user/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/user/.ssh/known_hosts:17
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 519/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 74:b9:ef:09:b2:91:fa:76:31:4e:57:59:52:a3:f5:1e
debug3: load_hostkeys: loading entries for host "removed" from file "/Users/user/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/user/.ssh/known_hosts:17
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "removed" from file "/Users/user/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/user/.ssh/known_hosts:15
debug3: load_hostkeys: loaded 1 keys
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
74:b9:ef:09:b2:91:fa:76:31:4e:57:59:52:a3:f5:1e.
Please contact your system administrator.
Add correct host key in /Users/user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/user/.ssh/known_hosts:17
RSA host key for "server ip removed" has changed and you have requested strict checking.
Host key verification failed.

-----------------------------------------------------------------------------------------------------

I hope this will be of some help.

Best regards,

Petr

Vasilii Mikhailovskii · ‎06-24-2014

Hello.

If you suspect brute-force attack, then the simplest way to mitigate it is to enable login delay/login block-for and quiet list (white-list).

This effectivly stops brute-force attacks and your IP will be removed rom potential victims list (my experience).

pesokolo · ‎06-25-2014

Dear Vasilii,

Thank you for your advice, but my post was about exact log message of this type:

Jun 24 21:47:04: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection

and about possible sources of this message, not about best practices and mitigation techniques which I know quite good and which I'm using in production. If you read it thoroughly enough, you should mention this.

Thank you for your added value but please take this for granted, even if you configure 'login block-for', you will still receive this message in case of changed keys or ssh-keyscan.

I performed my investigation for the simple reason, that when I received this message, I was curious about its source what SSH behavior can trigger it. I googled this message and found almost nothing except of this Cisco support forums question without any good enough answer to be accepted by technically savvy person!

I invested my time, tried different techniques and tools against my router and this is the result of my work.

I hope that my investigation will save time to other people, who will try to find information about this message and will find it here.

========================================================================

In short, this message means that SSH connection was closed by remote end because it is not interested to continue, like in case with ssh-keyscan, or it doesn't want to continue, like in case with changed RSA keys.

========================================================================

Warm regards,

Petr

James Tuson · ‎07-09-2016

Thanks this helped me a lot. Thanks for taking the time to research properly and post your findings.

Humam Al-Obaidi · ‎08-28-2017

please can you tell me what the commad you used for debug ssh

BRIAN O'LOUGHLIN · ‎04-07-2016

We ran into this issue recently on an ISR4321. After some experimentation, we found that adding ip ssh rsa keypair-name <hostname> resolved the problem for us.

LAB-RTR-099(config)#ip ssh rsa keypair-name LAB-RTR-099

Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).

This didn't work though. We need to name the keypair with the domain

LAB-RTR-099(config)# ip ssh rsa keypair-name LAB-RTR-099.router.com
LAB-RTR-099(config)#
*Apr 7 22:43:22.617: %SSH-5-ENABLED: SSH 2.0 has been enabled

Now that this is done, we can SSH to our router.

I don't know why this was all necessary as we have another identical router where we just generated the rsa keys, and it worked as it usually does.

dhirajgrover · ‎12-15-2016

Thanks! This trick worked for me on the following router:

Cisco IOS XE Software, Version 03.15.01c.S - Standard Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S1c, RELEASE SOFTWARE (fc1)

cisco ISR4451-X/K9 (2RU) processor with 7809895K/6147K bytes of memory.
...

Alpha Rafael · ‎07-12-2019

Agreed! I am working on a Cisco 4321 router and was following the SSH configuration procedure outlined in the CCNA Security 210-260 Official Cert Guide by Cisco Press. But when I tried to SSH to the device using Putty, I kept getting an error, "Signature from server's host key is invalid".

Once I named the keypair using <hostname>.<ip domain-name> for the name (eg. redkeep.kingslanding.com), suddenly I was able to SSH to the router.

Thanks to BRIAN O'LOUGHLIN for the tip!

chanjohn01 · ‎08-08-2016

We ran into the same issue. It turned out that we were missing the ACL that defined who could access our devices via ssh. We were basically wide open to brute-force attacks (as mentioned by pesokolo). The attacks caused the CPU% alarm to be triggered, which subsequently notified the NOC and allowed us to discover the underlying issue.