[c-nsp] 12.2-33.SXI3 SSH broken after changing IP

Matthew Huff mhuff at ox.com
Wed Jun 2 11:49:56 EDT 2010


I ran into this a while back. Basically there is a broken hidden key that has to be deleted correctly. 

Basically, during the upgrade the key gets corrupted and becomes a phantom. You can't delete it with zeroize. The corruption is in the key label (which, if you don't specify one, is the fqdn), which gets corrupted with the last letter left off.

For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co". 

The solution is to create a key with the bad label that will overwrite the phantom, then delete it: 

switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512 
switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co 

and the phantom key will be gone.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
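The check described in the reply above, as an added example that is not part of the original post: given the switch hostname and domain, scan `show crypto key mypubkey rsa` output for a key label equal to the FQDN with its last character dropped, and emit the overwrite-then-zeroize commands for it. The sample output is constructed here, and the parser assumes each key pair is introduced by a `Key name:` line.

```python
import re

# Constructed sample of `show crypto key mypubkey rsa` output (not captured from
# a real device); the key data is shortened because only "Key name:" matters here.
SHOW_KEYS = """\
% Key pair was generated at: 11:40:00 EDT Jun 2 2010
Key name: switch-core1.ox.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 (shortened in this constructed sample)
% Key pair was generated at: 11:40:00 EDT Jun 2 2010
Key name: switch-core1.ox.co
 Usage: General Purpose Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 (shortened in this constructed sample)
"""

# Assumption: one "Key name: <label>" line per key pair in the show output.
KEY_NAME = re.compile(r"^Key name:\s*(\S+)\s*$", re.MULTILINE)


def key_labels(show_output):
    """Return every RSA key label listed in the show output, in order."""
    return KEY_NAME.findall(show_output)


def phantom_labels(labels, hostname, domain):
    """Labels that equal the FQDN minus its final character (the corrupted form
    described in the reply), e.g. 'switch-core1.ox.co' for 'switch-core1.ox.com'."""
    truncated = f"{hostname}.{domain}"[:-1]
    return [label for label in labels if label == truncated]


def remediation(label, modulus=512):
    """Config-mode commands from the reply: overwrite the phantom with a
    throwaway key of the same label, then zeroize it. The small modulus is the
    one the reply uses; the key exists only long enough to be deleted."""
    return [
        f"crypto key generate rsa general-keys label {label} modulus {modulus}",
        f"crypto key zeroize rsa {label}",
    ]


if __name__ == "__main__":
    for label in phantom_labels(key_labels(SHOW_KEYS), "switch-core1", "ox.com"):
        print(f"phantom key label found: {label}")
        for cmd in remediation(label):
            print(f"  {cmd}")
```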



> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff
> Fitzwater
> Sent: Wednesday, June 02, 2010 11:40 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 12.2-33.SXI3 SSH broken after changing IP
> 
> My SSH connections fail after I changed IP address on box.
> 
> 6500 running 12.2-33.SXI3
> 
> I had this problem a long time ago and don't remember how to fix it.
> 
> I do see that there is a bug related to it CSCtc41114 but it relates to HOSTNAME change and the
> procedure doesn't work or I am not doing it right.
> 
> 
> I tried clearing the keys and re-generating them, but I still get AUTHENTICATION  failed on client,
> and on router I get logs ...
> 
> SSH2 1: RSA_sign: privae key not found
> SSH2 1: signature creation failed, status -1
> 
> 
> Any ideas?
> 
> 
> Thanks in advance.
> 
> 
> 
> Jeff Fitzwater
> OIT Network & Communications Systems
> Princeton University
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

