[c-nsp] ssh Crypto key broke ??

Jeff Fitzwater jfitz at Princeton.EDU
Mon Feb 28 15:40:27 EST 2011


I just added VRF interface SVI and still have old non-vrf SVI.

If there is a phantom key that may have been introduced (name unknown), is there a way to see it in some kind of dump?


Jeff
On Feb 28, 2011, at 15:19 , Bill Blackford wrote:

> This could be way off base here, but if changing to a new VRF is
> anything like changing a hostname, then you'll require a reboot.
> 
> -b
> 
> 
> 
> On Mon, Feb 28, 2011 at 11:08 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:
>> Running 12.2.33-SXI3 on 6500
>> 
>> 
>> Config had one IP interface.
>> 
>> Also had SSH enabled with crypto key mod 1024 and all has been working for ever.
>> 
>> NOW COMES THE CHANGE....
>> 
>> 
>> Had to add new VRF interface.
>> 
>> Made VTY vrf-aware and added new IP to VTY ACL.
>> 
>> 
>> Initially I could SSH using new IP and OLD.
>> 
>> About an hour later SSH stopped working with log errors shown below.
>> 
>> 
>> 
>> SSH2 1: RSA_sign: private key not found
>> SSH2 1: signature creation failed, status -1
>> 
>> 
>> 
>> I cleared crypto keys but no luck.
>> Also cleared my local .ssh2 hostkeys.
>> 
>> Also see there is still a crypto bug that truncates the last character of the key name, leaving a phantom key.
>> 
>> -----
>> This is the fix for the bug, but it did not work either...
>> 
>> ---------  This was note from my CISCO rep.
>> 
>> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
>> 
>> The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
>> 
>> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
>> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
>> 
>> and the phantom key will be gone.
>> 
>> ------------
>> 
>> 
>> 
>> 
>> Need help... any ideas???
>> 
>> 
>> 
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
> 
> 
> 
> -- 
> Bill Blackford
> Network Engineer
> 
> Logged into reality and abusing my sudo privileges.....
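As an added example, not from this thread or from Cisco: a small Python check that parses the text of `show crypto key mypubkey rsa` (the IOS listing of RSA key-pair labels; the sample output below is constructed) and flags any label that is a strict prefix of the device FQDN, which generalises the one-character truncation described above. It assumes the listing prints one `Key name:` line per key pair; whether the hidden corrupted key is visible in that listing at all is not something the thread confirms.

```python
import re
from typing import List

# Constructed sample of `show crypto key mypubkey rsa` output (not captured from
# the switch in the thread); one "Key name:" line per key pair.
SAMPLE_DUMP = """\
% Key pair was generated at: 10:03:13 EST Feb 28 2011
Key name: switch-core1.ox.com
Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181
% Key pair was generated at: 10:03:14 EST Feb 28 2011
Key name: switch-core1.ox.co
Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
"""

# Match the label on each "Key name:" line; [ \t]* keeps the match on one line.
KEY_NAME_RE = re.compile(r"^Key name:[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def key_labels(dump: str) -> List[str]:
    """Return every RSA key-pair label listed in the dump, in order."""
    return KEY_NAME_RE.findall(dump)


def find_phantom_labels(dump: str, hostname: str, domain: str) -> List[str]:
    """Flag labels that are a strict prefix of the device FQDN.

    The truncated label from the thread ("switch-core1.ox.co" for the FQDN
    "switch-core1.ox.com") is the one-character case of this check.
    """
    fqdn = f"{hostname}.{domain}"
    return [label for label in key_labels(dump)
            if label != fqdn and fqdn.startswith(label)]


def expected_label_present(dump: str, hostname: str, domain: str) -> bool:
    """True if a key pair labelled with the full FQDN is listed."""
    return f"{hostname}.{domain}" in key_labels(dump)


if __name__ == "__main__":
    print("labels:", key_labels(SAMPLE_DUMP))
    print("phantom:", find_phantom_labels(SAMPLE_DUMP, "switch-core1", "ox.com"))
```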



