[c-nsp] Failed crypto key generate after upgrading to SXI3

Matthew Huff mhuff at ox.com
Mon Dec 28 10:50:41 EST 2009


It certainly looks like bug CSCtc41114, but the workaround (to use labeled RSA keys) doesn't work either.

CSCtc41114 Bug Details
New SSH sessions with RSA key fails after changing hostname

Symptom:
SSH connections fail to the switch; "debug ip ssh" shows:

SSH2 0: RSA_sign: private key not found
SSH2 0: signature creation failed, status -1
SSH0: Session disconnected - error 0x00


Conditions:
This is seen notably on 12.2(33)SXI after one of the following events:
- changing the "hostname" on the device
- performing an SSO switchover to the standby Supervisor


Workaround:
Do not use anonymous RSA keys (named after the FQDN of the switch). This problem is not seen when using labeled RSA keys:

crypto key generate rsa general-keys label (label) mod (modulus) [exportable]



Further Problem Description:
The fix for CSCtc41114 was integrated into SXH but did not yet make it into SXI:
- builds up to SXI3 are affected
- the fix will be available in SXI4

Another message seen on recent builds when regenerating RSA keys is:

%CHKPT-4-GET_HUGE_BUF: Client 162 buffer requested (size = 4256) is too large

This message is not related to this SSH issue; it is harmless and does not indicate an error (it comes from an additional check on SSO sync buffer size).

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



> -----Original Message-----
> From: Andrew Yourtchenko [mailto:ayourtch at cisco.com]
> Sent: Monday, December 28, 2009 10:43 AM
> To: Matthew Huff
> Subject: Re: [c-nsp] Failed crypto key generate after upgrading to SXI3
> 
> Hi Matthew,
> 
> It looks like CSCtc41114.
> 
> Generating the labeled RSA keys instead of the anonymous ones should work.
> 
> If the labeled RSA keys work for you, feel free to update the list.
> 
> cheers,
> andrew
> 
> On Mon, 28 Dec 2009, Matthew Huff wrote:
> 
> > I've got 4 x Cisco 6509 with sup720. After upgrading to SXI3, ssh/scp is failing. Even if I zeroize the keys and start over, it's failing. Anyone seen this yet?
> >
> > switch-xxxx1(config)#crypto key zeroize rsa
> > % All RSA keys will be removed.
> > % All router certs issued using these keys will also be removed.
> > Do you really want to remove these keys? [yes/no]: yes
> >
> > switch-xxxx1(config)#crypto key generate rsa general-keys modulus 512
> > The name for the keys will be: xxx.xx.com
> >
> > % The key modulus size is 512 bits
> > % Generating 512 bit RSA keys, keys will be non-exportable...[OK]
> >
> > 000909: Dec 28 09:59:19.032 EST: %CHKPT-4-GET_HUGE_BUF: Client 162 buffer requested (size = 4256) is too large
> >
> >
> > when you ssh in, you immediately disconnect and the log shows:
> >
> > switch-xxxx1#
> > 000911: Dec 28 10:01:06.717 EST: SSH2 1: RSA_sign: private key not found
> > 000912: Dec 28 10:01:06.717 EST: SSH2 1: signature creation failed, status -1
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
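As an added example, not taken from the post or from the Cisco bug text, here is the labeled-key workaround the bug notes describe, applied end to end on the switch from the thread. The hostname and domain are the placeholders that appear in the post; the key label "SSH-KEY" is chosen here, and the modulus is 2048 bits rather than the 512 bits used in the original post (512-bit RSA is far below current minimums and should not be used for SSH host keys). `ip ssh rsa keypair-name` is the standard IOS command for binding the SSH server to a labeled key pair; the page itself does not state whether it is present on this SXI build, so treat its availability as an assumption to verify.

```ios
! Added example (not from the original post or the Cisco bug text).
! Assumptions: label "SSH-KEY" and modulus 2048 are chosen here; the
! hostname and domain are the placeholders shown in the post.
configure terminal
 hostname switch-xxxx1
 ip domain-name xxx.xx.com
 !
 ! 1. Remove the anonymous (FQDN-named) key pair that the bug trips over.
 !    The CLI asks for confirmation; answer yes.
 crypto key zeroize rsa
 !
 ! 2. Generate a labeled, general-purpose key pair instead. The label, not
 !    the FQDN, becomes the key name, so a later hostname change or SSO
 !    switchover does not orphan the private key.
 crypto key generate rsa general-keys label SSH-KEY modulus 2048
 !
 ! 3. Bind the SSH server to that key pair. Without this the server still
 !    looks for the FQDN-named key and RSA_sign fails with
 !    "private key not found", exactly as in the debug output in the post.
 ip ssh rsa keypair-name SSH-KEY
 ip ssh version 2
end
!
! 4. Verify: the pair must be listed under its label, and the binding must
!    be in the running configuration.
show crypto key mypubkey rsa
show running-config | include ip ssh
!
! 5. If a session still drops immediately, watch for the two signature
!    lines from the bug description while a client connects.
debug ip ssh
```

After step 4, a missing "ip ssh rsa keypair-name" line, or a key listing that shows only the FQDN-named pair, means the switch is still in the configuration the bug describes. The debug in step 5 is noisy on a busy device; turn it off with "undebug ip ssh" once the test connection has been observed.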