[c-nsp] ssh Crypto key broke ??
Jeff Fitzwater
jfitz at Princeton.EDU
Mon Feb 28 14:08:28 EST 2011
Running 12.2.33-SXI3 on 6500
Config had one IP interface.
Also had SSH enabled with crypto key mod 1024, and all had been working forever.
NOW COMES THE CHANGE....
Had to add new VRF interface.
Made VTY vrf-aware and added new IP to VTY ACL.
Initially I could SSH using new IP and OLD.
About an hour later SSH stopped working with log errors shown below.
SSH2 1: RSA_sign: private key not found
SSH2 1: signature creation failed, status -1
I cleared crypto keys but no luck.
Also cleared my local .ssh2 hostkeys.
Also, I see there is still a crypto bug that truncates the last character of the key name, leaving a phantom key.
-----
This is the fix for the bug, but it did not work either...
--------- This was a note from my Cisco rep.
For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
and the phantom key will be gone.
------------
Need help... any ideas???
Jeff Fitzwater
OIT Network Systems
Princeton University
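Added example (not part of the original post or the Cisco rep's note): a small Python helper that automates the rep's procedure. Given a running-config fragment it derives the FQDN and the truncated phantom label (hostname.domain with the last character dropped), parses a `show crypto key mypubkey rsa` listing for any key label that is another label minus its final character, and emits the overwrite-then-zeroize config lines for each target. The config fragment and key listing below are constructed sample data; whether the phantom key is actually visible in `show crypto key` output is an assumption, which is why the expected label is always included even when the listing shows nothing. The 512-bit modulus is only for the throwaway key that is zeroized immediately afterwards, exactly as in the rep's note.

```python
"""Derive the phantom RSA key label and emit the overwrite-then-zeroize fix.

Added example; not code from the original post or from Cisco.
"""
from __future__ import annotations

import re

# Constructed sample inputs (not captured from a real device): a running-config
# fragment and a 'show crypto key mypubkey rsa' listing matching the rep's example.
SAMPLE_RUNNING_CONFIG = """\
hostname switch-core1
ip domain-name ox.com
ip ssh version 2
"""

SAMPLE_SHOW_CRYPTO_KEY = """\
% Key pair was generated at: 14:08:28 EST Feb 28 2011
Key name: switch-core1.ox.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B1C2D3
% Key pair was generated at: 14:08:28 EST Feb 28 2011
Key name: switch-core1.ox.co
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E4F5A6
"""


def parse_hostname_domain(running_config: str) -> tuple[str, str]:
    """Pull 'hostname' and 'ip domain-name' (or 'ip domain name') out of a config."""
    host = re.search(r"^hostname\s+(\S+)", running_config, re.M)
    dom = re.search(r"^ip domain[- ]name\s+(\S+)", running_config, re.M)
    if not host or not dom:
        raise ValueError("hostname or ip domain-name not found in config")
    return host.group(1), dom.group(1)


def phantom_label(hostname: str, domain: str) -> str:
    """Label the bug leaves behind: the FQDN with its last character dropped."""
    return f"{hostname}.{domain}"[:-1]


def parse_key_labels(show_output: str) -> list[str]:
    """Extract every 'Key name:' label from 'show crypto key mypubkey rsa' output."""
    return re.findall(r"^Key name:\s*(\S+)", show_output, re.M)


def find_truncated_labels(labels: list[str]) -> list[str]:
    """Return labels that equal another listed label minus its final character."""
    present = set(labels)
    return sorted(l for l in present if any(o != l and o[:-1] == l for o in present))


def fix_commands(label: str, modulus: int = 512) -> list[str]:
    """IOS config lines that overwrite the phantom key, then zeroize it."""
    return [
        f"crypto key generate rsa general-keys label {label} modulus {modulus}",
        f"crypto key zeroize rsa {label}",
    ]


def plan_cleanup(running_config: str, show_output: str) -> dict[str, list[str]]:
    """Map each phantom label (expected from config, plus any visible in the
    key listing) to the config lines that remove it."""
    host, dom = parse_hostname_domain(running_config)
    expected = phantom_label(host, dom)
    visible = find_truncated_labels(parse_key_labels(show_output))
    targets = sorted({expected, *visible})
    return {t: fix_commands(t) for t in targets}


if __name__ == "__main__":
    for label, cmds in plan_cleanup(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_CRYPTO_KEY).items():
        print(f"! phantom label: {label}")
        for c in cmds:
            print(c)
```

Paste the printed lines in config mode; after the zeroize, re-run `show crypto key mypubkey rsa` and confirm only the full FQDN label remains before testing SSH again.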