SSH Version 2 Problem

PsyOps

Another problem...

We just upgraded our IOS on a Cisco 3560 switch. We have 3 other identical switches that don't have this problem:

I am trying to configure SSH v2. I created the RSA key at 1024 but every time I try to apply the 'ip ssh version 2' command I get:

'Please create RSA keys to enable SSH (of at least 768 bit size) to enable SSH v2'

Has anyone had this problem? A fix for it? Like I said, we have 3 other switches with identical IOSs on them and they don't have this problem.

TIA
 

PsyOps

I assume you had to reinstall a key since a zeroize deletes signature keys.

Yes. Normally you can reinitiate new key pairs, which would delete the existing keys. But for some reason that wasn't working. The existing key pairs probably got corrupted by an IOS upgrade.
 

CrashTest

Another thing to watch is the clock setting. If you install keys on a box that has never been on the network or has not had the clock set, the keys show up as being created back in the 1990's. Then when the box is installed on the network and gets its clock from NTP, the key is 15 years old. Don't know if keys expire by default but if they don't, they should. Especially if it's 15 years old.

Also - I think keys go in as "temporary" keys until the box can communicate with its domain. This can be seen when you display the key. Not sure what results when you're dealing with "temporary" keys versus "permanent" keys, but it's just an observation I've made.
 

PsyOps

Another thing to watch is the clock setting. If you install keys on a box that has never been on the network or has not had the clock set, the keys show up as being created back in the 1990's. Then when the box is installed on the network and gets its clock from NTP, the key is 15 years old. Don't know if keys expire by default but if they don't, they should. Especially if it's 15 years old.

Also - I think keys go in as "temporary" keys until the box can communicate with its domain. This can be seen when you display the key. Not sure what results when you're dealing with "temporary" keys versus "permanent" keys, but it's just an observation I've made.

That's an excellent point. This was a switch that was off our network. Even though we're running NTP I bet it didn't synchronize before I tried initiating the rsa key.

I also didn't even bother to verify the domain on the existing keys. But I would still think that when I try to install new keys, it should wipe the old key and build a new one with the domain.

You made some excellent points that I need to pay better attention to next time.

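As an added worked example that is not part of this thread, the sequence below pulls the thread's conclusions together in the order that avoids the error from the first post: set the clock, define hostname and domain, zeroize and regenerate the keypair, then enable version 2 and verify. The hostname SW1, domain example.com, NTP server 192.0.2.10 and key label SSH-KEY are placeholders, and exact command availability varies by IOS release.

```cisco
! Added example, not from the thread: bring up SSH v2 on a freshly upgraded
! Catalyst 3560. Hostname, domain, addresses and the key label are assumptions.

! 1. Fix the clock first so the keypair is not stamped with a 1990s date.
SW1# clock set 10:00:00 15 Mar 2016
SW1# configure terminal
SW1(config)# ntp server 192.0.2.10
SW1(config)# end
SW1# show clock detail
SW1# show ntp status

! 2. The default key name is hostname.domain-name; both must exist before
!    generation, and a later change to either leaves the old key under its old name.
SW1# configure terminal
SW1(config)# hostname SW1
SW1(config)# ip domain-name example.com

! 3. Throw away whatever the upgrade left behind and build a fresh 2048-bit pair
!    (SSH v2 needs at least 768 bits; 2048 is the sensible floor today).
SW1(config)# crypto key zeroize rsa
SW1(config)# crypto key generate rsa general-keys label SSH-KEY modulus 2048

! 4. Point SSH at that keypair explicitly, then restrict it to version 2.
SW1(config)# ip ssh rsa keypair-name SSH-KEY
SW1(config)# ip ssh version 2
SW1(config)# ip ssh time-out 60
SW1(config)# ip ssh authentication-retries 3

! 5. Allow only SSH on the VTY lines.
SW1(config)# line vty 0 15
SW1(config-line)# transport input ssh
SW1(config-line)# login local
SW1(config-line)# end

! 6. Checks: the key should show the label and a current timestamp, and
!    "show ip ssh" should report "SSH Enabled - version 2.0", not 1.99.
SW1# show crypto key mypubkey rsa
SW1# show ip ssh
SW1# write memory
```

If `ip ssh version 2` still refuses with the "Please create RSA keys" message, run `show crypto key mypubkey rsa` and confirm there is a keypair whose name matches the label given to `ip ssh rsa keypair-name` (or, without that command, the current hostname.domain-name); a key generated under a previous hostname or domain, or before the domain was set, is not the one the SSH server looks for. From a client, `ssh -v` shows the server banner: it starts with `SSH-2.0-` once version 2 is enforced, while the IOS default of allowing both versions advertises `SSH-1.99-`.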
 