[c-nsp] Failed crypto key generate after upgrading to SXI3

Andrew Yourtchenko ayourtch at cisco.com
Tue Dec 29 06:32:04 EST 2009


Ok, the guy who dealt first-hand with this bug is sitting 2 meters from 
me, so we double-checked with him and indeed it looks like the workaround does 
not work on all occasions; maybe we'll need to adjust the release notes.

He was interested in debugging this further with you - so if you are 
up for it, fire up a new case and unicast me the # - I'll get you two 
together, so you can get to the bottom of it.

cheers,
andrew

On Mon, 28 Dec 2009, Matthew Huff wrote:

> It certainly looks like bug CSCtc41114, but the work around (to use labeled rsa keys) doesn't work either.
>
> CSCtc41114 Bug Details
> New SSH sessions with RSA key fails after changing hostname
>
> Symptom:
> SSH connections fail to the switch, "debug ip ssh" shows :
>
> SSH2 0: RSA_sign: private key not found
> SSH2 0: signature creation failed, status -1
> SSH0: Session disconnected - error 0x00
>
>
> Conditions:
> This is seen notably on 12.2(33)SXI after one of the following events :
> - changing the "hostname" on the device
> - performing an SSO switchover to the standby Supervisor
>
>
> Workaround:
> Do not use anonymous RSA keys (named after the FQDN of the switch). This problem is not seen when using labeled RSA keys :
>
> crypto key generate rsa general-keys label (label) mod (modulus) [exportable]
>
>
>
> Further Problem Description:
> The fix for CSCtc41114 was integrated into SXH but did not yet make it into SXI :
> - builds up to SXI3 are affected
> - the fix will be available in SXI4
>
> Another message seen on recent builds when regenerating RSA keys, is :
>
> %CHKPT-4-GET_HUGE_BUF: Client 162 buffer requested (size = 4256) is too large
>
> This message is not related to this SSH issue, it is harmless and does not indicate an error (it comes from an additional check on
> SSO sync buffer size).
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
>
>
>> -----Original Message-----
>> From: Andrew Yourtchenko [mailto:ayourtch at cisco.com]
>> Sent: Monday, December 28, 2009 10:43 AM
>> To: Matthew Huff
>> Subject: Re: [c-nsp] Failed crypto key generate after upgrading to SXI3
>>
>> Hi Matthew,
>>
>> It looks like CSCtc41114.
>>
>> Generating the labeled RSA keys instead of the anonymous ones should work.
>>
>> If the labeled RSA keys work for you, feel free to update the list.
>>
>> cheers,
>> andrew
>>
>> On Mon, 28 Dec 2009, Matthew Huff wrote:
>>
>>> I've got 4 x Cisco 6509 with sup720. After upgrading to SXI3, ssh/scp is failing. Even if I zeroize the keys, and start over, it's failing. Anyone seen this yet?
>>>
>>> switch-xxxx1(config)#crypto key zeroize rsa
>>> % All RSA keys will be removed.
>>> % All router certs issued using these keys will also be removed.
>>> Do you really want to remove these keys? [yes/no]: yes
>>>
>>> switch-xxxx1(config)#crypto key generate rsa general-keys modulus 512
>>> The name for the keys will be: xxx.xx.com
>>>
>>> % The key modulus size is 512 bits
>>> % Generating 512 bit RSA keys, keys will be non-exportable...[OK]
>>>
>>> 000909: Dec 28 09:59:19.032 EST: %CHKPT-4-GET_HUGE_BUF: Client 162 buffer requested (size = 4256) is too large
>>>
>>>
>>> when you ssh in, you immediately disconnect and the log shows:
>>>
>>> switch-xxxx1#
>>> 000911: Dec 28 10:01:06.717 EST: SSH2 1: RSA_sign: private key not found
>>> 000912: Dec 28 10:01:06.717 EST: SSH2 1: signature creation failed, status -1
>>>
>>> ----
>>> Matthew Huff       | One Manhattanville Rd
>>> OTA Management LLC | Purchase, NY 10577
>>> http://www.ox.com  | Phone: 914-460-4039
>>> aim: matthewbhuff  | Fax:   914-460-4139
>>>
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>
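Editor's added example, not code from either poster or from Cisco: a small triage script for the symptoms discussed above. It scans IOS log/debug lines for the `RSA_sign: private key not found` / `signature creation failed` pair that the bug report lists as the CSCtc41114 symptom, files the `%CHKPT-4-GET_HUGE_BUF` message separately as informational (the report says it is harmless), and reads `show crypto key mypubkey rsa` output to tell anonymous key pairs (named after the device FQDN, the ones the bug affects after a hostname change or SSO switchover) from labeled ones. The sample log lines are the ones quoted in the thread plus one unrelated line; the show-command output, the hostname `switch-xxxx1`, the domain `xxx.xx.com`, the key names and all function names are constructed for the example.

```python
"""Triage helper for the IOS SSH/RSA symptoms in this thread (added example)."""
import re
from dataclasses import dataclass

# "debug ip ssh" lines quoted in the thread as the CSCtc41114 symptom.
RSA_SIGN_MISSING = re.compile(r"SSH2 \d+: RSA_sign: private key not found")
SIG_CREATE_FAILED = re.compile(r"SSH2 \d+: signature creation failed, status -?\d+")
# Reported in the thread as harmless (SSO sync buffer-size check), not an SSH error.
CHKPT_HUGE_BUF = re.compile(
    r"%CHKPT-4-GET_HUGE_BUF: Client \d+ buffer requested \(size = \d+\) is too large")
# Key name line of "show crypto key mypubkey rsa".
KEY_NAME = re.compile(r"^\s*Key name:\s*(\S+)")


@dataclass
class Finding:
    severity: str  # "error" or "info"
    reason: str
    line: str


def triage_log(lines):
    """Return a Finding for every line matching a known pattern; other lines are ignored."""
    findings = []
    for line in lines:
        if RSA_SIGN_MISSING.search(line) or SIG_CREATE_FAILED.search(line):
            findings.append(Finding(
                "error", "SSH server cannot sign with its RSA private key (CSCtc41114 symptom)", line))
        elif CHKPT_HUGE_BUF.search(line):
            findings.append(Finding(
                "info", "checkpoint buffer notice; harmless per the thread, unrelated to SSH", line))
    return findings


def classify_keys(show_output, hostname, domain):
    """Map each key name to 'anonymous' (equals the current FQDN), 'anonymous-stale'
    (ends in the domain but under a different hostname, i.e. probably generated before
    a hostname change) or 'labeled'. The stale/labeled split is a heuristic only:
    a label could itself look like an FQDN."""
    fqdn = f"{hostname}.{domain}".lower()
    result = {}
    for line in show_output.splitlines():
        m = KEY_NAME.match(line)
        if not m:
            continue
        name = m.group(1)
        lname = name.lower()
        if lname == fqdn:
            result[name] = "anonymous"
        elif lname.endswith("." + domain.lower()):
            result[name] = "anonymous-stale"
        else:
            result[name] = "labeled"
    return result


# Constructed sample: the three lines quoted in the thread plus one unrelated syslog line.
SAMPLE_LOG = [
    "000909: Dec 28 09:59:19.032 EST: %CHKPT-4-GET_HUGE_BUF: Client 162 buffer requested (size = 4256) is too large",
    "000910: Dec 28 10:00:12.001 EST: %SYS-5-CONFIG_I: Configured from console by console",
    "000911: Dec 28 10:01:06.717 EST: SSH2 1: RSA_sign: private key not found",
    "000912: Dec 28 10:01:06.717 EST: SSH2 1: signature creation failed, status -1",
]

# Constructed "show crypto key mypubkey rsa" output (IOS-like layout, not a real capture):
# one anonymous pair left over from an old hostname and one labeled pair.
SAMPLE_SHOW = """\
% Key pair was generated at: 09:59:19 EST Dec 28 2009
Key name: oldname.xxx.xx.com
 Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
% Key pair was generated at: 10:05:00 EST Dec 28 2009
Key name: SSH-KEYS
 Key type: RSA KEYS
 Usage: General Purpose Key
 Key is not exportable.
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    for name, kind in classify_keys(SAMPLE_SHOW, "switch-xxxx1", "xxx.xx.com").items():
        print(f"key {name}: {kind}")
```

Run it against a pasted `debug ip ssh` capture and the output of `show crypto key mypubkey rsa` together with the current `hostname` and `ip domain-name`; an `anonymous-stale` result is the state the bug report describes after a hostname change. Two points the thread does not cover: IOS does not pick a labeled pair for SSH on its own, it has to be told which one with `ip ssh rsa keypair-name` (from the IOS SSH configuration guide, not from this thread), and the checks above say nothing about key size; the 512-bit modulus in the quoted transcript is far below current minimums regardless of the bug.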