[c-nsp] ssh Crypto key broke ??

Bill Blackford bblackford at gmail.com
Mon Feb 28 15:19:02 EST 2011


This could be way off base here, but if changing to a new VRF is
anything like changing a hostname, then you'd require a reboot.

-b



On Mon, Feb 28, 2011 at 11:08 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:
> Running 12.2.33-SXI3 on 6500
>
>
> Config had one IP interface.
>
> Also had SSH enabled with crypto key mod 1024 and all has been working forever.
>
> NOW COMES THE CHANGE....
>
>
> Had to add new VRF interface.
>
> Made VTY vrf-aware and added new IP to VTY ACL.
>
>
> Initially I could SSH using new IP and OLD.
>
> About an hour later SSH stopped working with log errors shown below.
>
>
>
> SSH2 1: RSA_sign: private key not found
> SSH2 1: signature creation failed, status -1
>
>
>
> I cleared crypto keys but no luck.
> Also cleared my local .ssh2 hostkeys.
>
> Also see there is still a crypto bug that truncates the last character of the key name, leaving a phantom key.
>
> -----
> This is the fix for the bug, but it did not work either...
>
> ---------  This was note from my CISCO rep.
>
> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
>
> The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
>
> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
>
> and the phantom key will be gone.
>
> ------------
>
>
>
>
> Need help... any ideas???
>
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.....
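As an added worked example (not part of either message above, and not from Cisco), here is the check-then-fix sequence a practitioner would run on the 6500 for the phantom-key situation Jeff describes. It assumes the device name and domain from the Cisco rep's note ("switch-core1" / "ox.com"), and it assumes this IOS train supports `ip ssh rsa keypair-name`, which pins SSH to an explicitly named key pair instead of the default pair derived from hostname.domain-name; the 512-bit throwaway modulus is acceptable only because that key is zeroized on the next line.

```cisco
! 1. Inspect every RSA key pair the box knows about. The phantom key shows
!    up here under its truncated label ("switch-core1.ox.co") next to the
!    real one ("switch-core1.ox.com").
switch-core1# show crypto key mypubkey rsa

! 2. See which key pair SSH is currently bound to and whether it is enabled.
switch-core1# show ip ssh

! 3. Overwrite the phantom with a throwaway key of the same bad label, then
!    zeroize it (the Cisco rep's procedure). Do this from the console: zeroizing
!    a host key drops every SSH session that depends on it.
switch-core1# configure terminal
switch-core1(config)# crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
switch-core1(config)# crypto key zeroize rsa switch-core1.ox.co

! 4. Regenerate the real host key with an explicit label and pin SSH to it,
!    so the server no longer resolves the key by the hostname.domain-name
!    default that the truncation bug corrupts. (Assumption: keypair-name is
!    supported on this train.)
switch-core1(config)# crypto key generate rsa general-keys label switch-core1.ox.com modulus 2048
switch-core1(config)# ip ssh rsa keypair-name switch-core1.ox.com
switch-core1(config)# ip ssh version 2
switch-core1(config)# end

! 5. Confirm the binding took, then save. Regenerating the host key changes
!    the fingerprint, so clients must clear their cached host key for this
!    device before reconnecting.
switch-core1# show ip ssh
switch-core1# show crypto key mypubkey rsa
switch-core1# write memory
```

Step 1 is the check worth running before anything else: if the truncated label is listed, the phantom is real and steps 3 and 4 apply; if only the correct label appears, the "RSA_sign: private key not found" errors point somewhere other than this bug.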
