Generate Rsa Key On Cisco Switch
Contents
- Cisco Crypto Key Gen Rsa
- Crypto Key Generate Rsa Command
- Generate Rsa Key On Cisco Switch Free
- Create Rsa Keys Cisco
Introduction
- Dec 24, 2019 I then ran the crypto key generate rsa command to generate another key pair and still got the same end date. I then checked the version of my other switches in the network to see why they were not alerting about certificate end date and they were using iOS15.2.6 or later while this switch is still on 15.2.2.
- Actually, for maximum security, you can enable a username/password and public key authentication for access to your switch. In this article, I’ll show you how to enable public key authentication on an SG300 Cisco switch and how to generate the public and private key pairs using puTTYGen. I’ll then show you how to login using the new keys.
- As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported. The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits.
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm.
This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS® Software that supports SSH. This document contains more information on specific versions and software images.
Dec 26, 2013 so it looks as if there is no point in the 'crypto key generate rsa' command if i follow it up with the 'crypto key generate rsa usage-keys label sshkeys mod 1024' command, i just wanted to make sure the first wasn't need for the second to work or something screwy like that. Aug 25, 2016 crypto key generate rsa Example: Switch (config)# crypto key generate rsa Enables the SSH server for local and remote authentication on the Switch and generates an RSA key pair. Generating an RSA key pair for the Switch automatically enables SSH.
Prerequisites
Requirements
The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.
Components Used
The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.
SSH was introduced into these Cisco IOS platforms and images:
SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S.
SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.
SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.
SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.
Refer to How to Configure SSH on Catalyst Switches Running CatOS for more information on SSH support in the switches.
Refer to the Software Advisor (registered customers only) for a complete list of feature sets supported in different Cisco IOS Software releases and on different platforms.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are in a live network, make sure that you understand the potential impact of any command before you use it.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
SSH v1 vs. SSH v2
Ssh key generation linux. Use the Cisco Software Advisor (registered customers only) in order to help you find the version of code with appropriate support for either SSH v1 or SSH v2.
Network Diagram
Test Authentication
Authentication Test without SSH
First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username 'cisco' and password 'cisco.'
Authentication Test with SSH
In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations.
At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station. If this does not work, see the debug section of this document.
Optional Configuration Settings
Prevent Non-SSH Connections
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
Test to make sure that non-SSH users cannot Telnet to the router Carter.
Set Up an IOS Router or Switch as SSH Client
There are four steps required to enable SSH support on a Cisco IOS router:
Configure the hostname command.
Configure the DNS domain.
Generate the SSH key to be used.
Enable SSH transport support for the virtual type terminal (vtys).
If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed. These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as the client. The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.
Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test this:
SSH v1:
SSH v2:
Setup an IOS Router as an SSH server that performs RSA based User Authentication
Complete these steps in order to configure the SSH server to perform RSA based authentication.
Specify the Host name.
Define a default domain name.
Generate RSA key pairs.
Configure SSH-RSA keys for user and server authentication.
Configure the SSH username.
Specify the RSA public key of the remote peer.
Specify the SSH key type and version. (optional)
Exit the current mode and return to privileged EXEC mode.
Note: Refer to Secure Shell Version 2 Support for more information.
Add SSH Terminal-Line Access
If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets through Carter, which acts as a comm server to Philly.
If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the help of this command:
SSH v1:
SSH v2:
You can use this command from Solaris:
Restrict SSH access to a subnet
You need to limit SSH connectivity to a specific subnetwork where all other SSH attempts from IPs outside the subnetwork should be dropped.
You can use these steps to accomplish the same:
Define an access-list that permits the traffic from that specific subnetwork.
Restrict access to the VTY line interface with an access-class.
This is an example configuration. In this example only SSH access to the 10.10.10.0 255.255.255.0 subnet is permitted, any other is denied access.
Note: The same procedure to lock down the SSH access is also applicable on switch platforms.
Configure the SSH Version
Configure SSH v1:
Configure SSH v2:
Configure SSH v1 and v2:
Note: You receive this error message when you use SSHv1:
Note: Cisco bug ID CSCsu51740 (registered customers only) is filed for this issue. Workaround is to configure SSHv2.
Variations on banner Command Output
The banner command output varies between the Telnet and different versions of SSH connections. This table illustrates how different banner command options work with various types of connections.
| Banner Command Option | Telnet | SSH v1 only | SSH v1 and v2 | SSH v2 only |
|---|---|---|---|---|
| banner login | Displayed before logging into the device. | Not displayed. | Displayed before logging into the device. | Displayed before logging into the device. |
| banner motd | Displayed before logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
| banner exec | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. |
Unable to Display the Login Banner
SSH version 2 supports the login banner. The login banner is displayed if the SSH client sends the username when it initiates the SSH session with the Cisco router. For example, when the Secure Shell ssh client is used, the login banner is displayed. When the PuTTY ssh client is used, the login banner is not displayed. This is because Secure Shell sends the username by default and PuTTY does not send the username by default.
The Secure Shell client needs the username to initiate the connection to the SSH enabled device. The Connect button is not enabled if you do not enter the host name and username. This screenshot shows that the login banner is displayed when Secure Shell connects to the router. Then, the login banner password prompt displays.
The PuTTY client does not require the username to initiate the SSH connection to the router. This screenshot shows that the PuTTY client connects to the router and prompts for the username and password. It does not display the login banner.
This screen shot shows that the login banner is displayed when PuTTY is configured to send the username to the router.
debug and show Commands
Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.
debug ip sshâDisplays debug messages for SSH.
show sshâDisplays the status of SSH server connections.
show ip sshâDisplays the version and configuration data for SSH.
Version 1 Connection and no Version 2
Version 2 Connection and no Version 1
Version 1 and Version 2 Connections
Sample Debug Output
Router Debug
Note: Some of this good debug output is wrapped to multiple lines because of spatial considerations.
Server Debug
Note: This output was captured on a Solaris machine.
What can go Wrong
These sections have sample debug output from several incorrect configurations.
SSH From an SSH Client Not Compiled with Data Encryption Standard (DES)
Solaris Debug
Router Debug
Bad Password
Router Debug
Cisco Crypto Key Gen Rsa
SSH Client Sends Unsupported (Blowfish) Cipher
Router Debug
Geting the '%SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for' Error
If you receive this error message, it may be caused due to any change in the domain name or host name. In order to resolve this, try these workarounds.
Zeroize the RSA keys and re-generate the keys.
If the previous workaround does not work, try these steps:
Zeroize all RSA keys.
Reload the device.
Create new labeled keys for SSH.
Cisco bug ID CSCsa83601 (registered customers only) has been filed to address this behaviour.
Troubleshooting Tips
If your SSH configuration commands are rejected as illegal commands, you have not successfully generated a RSA key pair for your router. Make sure you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.
When you configure the RSA key pair, you might encounter these error messages:
No hostname specified
You must configure a host name for the router using the hostname global configuration command.
No domain specified
You must configure a host domain for the router using the ip domain-name global configuration command.
The number of allowable SSH connections is limited to the maximum number of vtys configured for the router. Each SSH connection uses a vty resource.
SSH uses either local security or the security protocol that is configured through AAA on your router for user authentication. When you configure AAA, you must ensure that the console is not running under AAA by applying a keyword in the global configuration mode to disable AAA on the console.
No SSH server connections running.
This output suggests that the SSH server is disabled or not enabled properly. If you have already configured SSH, it is recommended that you reconfigure the SSH server in the device. Complete these steps in order to reconfigure SSH server on the device.
Delete the RSA key pair. After the RSA key pair is deleted, the SSH server is automatically disabled.
Note: It is important to generate a key-pair with at least 768 as bit size when you enable SSH v2.
Caution: This command cannot be undone after you save your configuration, and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.Refer to crypto key zeroize rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on this command.
Reconfigure the hostname and domain name of the device.
Generate an RSA key pair for your router, which automatically enables SSH.
Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.
Note: You can receive the SSH2 0: Unexpected mesg type received error message due to a packet received that is not understandable by the router. Increase the key length while you generate rsa keys for ssh in order to resolve this issue.
Configure SSH server. In order to enable and configure a Cisco router/switch for SSH server, you can configure SSH parameters. If you do not configure SSH parameters, the default values are used.
ip ssh {[timeout seconds] [authentication-retries integer]}Refer to ip ssh - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.
Related Information
Contents
Introduction
This document gives step-by-step instructions to configure Secure Shell (SSH) Version 1 on Catalyst switches running Catalyst OS (CatOS). The version tested is cat6000-supk9.6-1-1c.bin.
Prerequisites
Requirements
This table shows the status of SSH support in the switches. Registered users can access these software images by visiting the Software Center.
| CatOS SSH | |
|---|---|
| Device | SSH Support |
| Cat 4000/4500/2948G/2980G (CatOS) | K9 images as of 6.1 |
| Cat 5000/5500 (CatOS) | K9 images as of 6.1 |
| Cat 6000/6500 (CatOS) | K9 images as of 6.1 |
| IOS SSH | |
| Device | SSH Support |
| Cat 2950* | 12.1(12c)EA1 and later |
| Cat 3550* | 12.1(11)EA1 and later |
| Cat 4000/4500 (Integrated Cisco IOS Software)* | 12.1(13)EW and later ** |
| Cat 6000/5500 (Integrated Cisco IOS Software)* | 12.1(11b)E and later |
| Cat 8540/8510 | 12.1(12c)EY and later, 12.1(14)E1 and later |
| No SSH | |
| Device | SSH Support |
| Cat 1900 | no |
| Cat 2800 | no |
| Cat 2948G-L3 | no |
| Cat 2900XL | no |
| Cat 3500XL | no |
| Cat 4840G-L3 | no |
| Cat 4908G-L3 | no |
* Configuration is covered in Configuring Secure Shell on Routers and Switches Running Cisco IOS.
** There is no support for SSH in 12.1E train for Catalyst 4000 running Integrated Cisco IOS Software.
Refer to Encryption Software Export Distribution Authorization Form in order to apply for 3DES.
This document assumes that authentication works prior to implementation of SSH (through the Telnet password, TACACS+) or RADIUS. SSH with Kerberos is not supported prior to the implementation of SSH.
Components Used
This document addresses only the Catalyst 2948G, Catalyst 2980G, Catalyst 4000/4500 series, Catalyst 5000/5500 series, and Catalyst 6000/6500 series running the CatOS K9 image. For more details, refer to the Requirements section of this document.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Network Diagram
Switch Configuration
Disabling SSH
In some situations it may be neccessary to disable SSH on the switch. You must verify whether SSH is configured on the switch and if so, disable it.
To verify if SSH has been configured on the switch, issue the show crypto key command. If the output displays the RSA key, then SSH has been configured and enabled on the switch. An example is shown here.
To remove the crypto key, issue the clear crypto key rsa command to disable SSH on the switch. An example is shown here.
debug in the Catalyst
To turn on debugs, issue the set trace ssh 4 command.
To turn off debugs, issue the set trace ssh 0 command.
debug Command Examples of a Good Connection
Solaris to Catalyst, Triple Data Encryption Standard (3DES), Telnet Password
Solaris
Catalyst
PC to Catalyst, 3DES, Telnet Password
Catalyst
Solaris to Catalyst, 3DES, Authentication, Authorization, and Accounting (AAA) Authentication
Solaris
Catalyst
debug Command Examples of What Can Go Wrong
Catalyst debug with Client Attempting [unsupported] Blowfish Cipher
Catalyst debug with Bad Telnet Password
Catalyst debug with Bad AAA Authentication
Troubleshoot
This section deals with different troubleshooting scenarios related to SSH configuration on Cisco switches.
Cannot Connect to Switch through SSH
Problem:
Cannot connect to the switch using SSH.
The debug ip ssh command shows this output:
Solution:
This problem occurs because of either of these reasons:
New SSH connections fail after changing the hostname.
SSH configured with non-labeled keys (having the router FQDN).
The workarounds for this problem are:
Crypto Key Generate Rsa Command
If the hostname was changed and SSH is no longer working, then zeroize the new key and create another new key with the proper label.
Do not use anonymous RSA keys (named after the FQDN of the switch). Use labeled keys instead.
In order to resolve this problem forever, upgrade the IOS software to any of the versions in which this problem is fixed.
Generate Rsa Key On Cisco Switch Free
A bug has been filed about this issue. For more information, refer to Cisco bug ID CSCtc41114 (registered customers only) .