[c-nsp] ssh Crypto key broke ??

Vinny_Abello at Dell.com Vinny_Abello at Dell.com
Mon Feb 28 16:51:18 EST 2011


show crypto key mypubkey rsa

Also, I have found you can change the hostname if you specify the new keypair-name using:

ip ssh rsa keypair-name <keypair-name>

Just be sure to do this after changing the hostname or domain suffix but BEFORE you disconnect. Otherwise new SSH connections will be broken. Test it of course prior to disconnecting your working session. :) The new keypair-name can be seen using the show crypto key mypubkey rsa command, but should be the FQDN of the device.

I don't know if that process is officially supported or works in all circumstances, but I've stumbled across it and it has worked for me when renaming devices running SSH. Perhaps it will help you out. Your IOS must also support specifying the ssh rsa keypair-name. Not all of them do. SXI should from what I see.

-Vinny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Monday, February 28, 2011 3:40 PM
To: Bill Blackford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ssh Crypto key broke ??

I just added VRF interface SVI and still have old non-vrf SVI.

If there is a phantom key, that may have been introduced (name unknown), is there a way to see them in some kind of dump?


Jeff
On Feb 28, 2011, at 15:19 , Bill Blackford wrote:

> This could be way off base here, but if changing to a new VRF is 
> anything like changing a hostname, then you're required to reboot.
> 
> -b
> 
> 
> 
> On Mon, Feb 28, 2011 at 11:08 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:
>> Running 12.2.33-SXI3 on 6500
>> 
>> 
>> Config had one IP interface.
>> 
>> Also had SSH enabled with crypto key mod 1024 and all has been working for ever.
>> 
>> NOW COMES THE CHANGE....
>> 
>> 
>> Had to add new VRF interface.
>> 
>> Made VTY vrf-aware and added new IP to VTY ACL.
>> 
>> 
>> Initially I could SSH using new IP and OLD.
>> 
>> About an hour later SSH stopped working with log errors shown below.
>> 
>> 
>> 
>> SSH2 1: RSA_sign: private key not found
>> SSH2 1: signature creation failed, status -1
>> 
>> 
>> 
>> I cleared crypto keys but no luck.
>> Also cleared my local .ssh2 hostkeys.
>> 
>> Also see there is still a crypto bug that truncates the last character of the key name, leaving a phantom key.
>> 
>> -----
>> This is the fix for the bug, but it did not work either...
>> 
>> ---------  This was note from my CISCO rep.
>> 
>> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
>> 
>> The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
>> 
>> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
>> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
>> 
>> and the phantom key will be gone.
>> 
>> ------------
>> 
>> 
>> 
>> 
>> Need help... any ideas???
>> 
>> 
>> 
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
> 
> 
> 
> --
> Bill Blackford
> Network Engineer
> 
> Logged into reality and abusing my sudo privileges.....
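Added example (not written by anyone in this thread): a small Python check that pulls the key labels out of "show crypto key mypubkey rsa" output, flags a label that is the device FQDN minus its last character (the phantom described in the Cisco rep's note), emits the overwrite-then-zeroize commands from that note, and, when no key carries the FQDN label, proposes Vinny's "ip ssh rsa keypair-name" workaround pointing at a surviving key. The sample output is constructed, and the "Key name:" line layout is assumed from typical IOS output.

```python
import re

# Constructed sample of "show crypto key mypubkey rsa" output (not captured from
# the switch in the thread). The "Key name:" field layout is an assumption.
SAMPLE_OUTPUT = """\
% Key pair was generated at: 14:02:11 EST Feb 28 2011
Key name: switch-core1.ox.co
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 09:15:40 EST Jan 12 2011
Key name: core1-old.ox.com
Usage: General Purpose Key
Key is not exportable.
"""


def key_names(show_output):
    """Return every key label listed in the show command output, in order."""
    return re.findall(r"^Key name:\s*(\S+)", show_output, re.MULTILINE)


def audit_rsa_keys(show_output, hostname, domain):
    """Compare the key labels against the expected FQDN label and propose fixes.

    A phantom is a label equal to the FQDN with its last character cut off,
    the corruption described in the Cisco rep's note. If no key carries the
    FQDN label (the situation behind 'RSA_sign: private key not found'),
    point the SSH server at a surviving key with 'ip ssh rsa keypair-name'.
    """
    fqdn = f"{hostname}.{domain}"
    names = key_names(show_output)
    phantoms = [n for n in names if len(n) == len(fqdn) - 1 and fqdn.startswith(n)]
    fixes = []
    for n in phantoms:
        # Overwrite the phantom with a throwaway key of the same label, then zeroize it.
        fixes.append(f"crypto key generate rsa general-keys label {n} modulus 512")
        fixes.append(f"crypto key zeroize rsa {n}")
    usable = [n for n in names if n not in phantoms]
    if fqdn not in names and usable:
        fixes.append(f"ip ssh rsa keypair-name {usable[0]}")
    return {"fqdn": fqdn, "fqdn_key_present": fqdn in names,
            "phantoms": phantoms, "remediation": fixes}


if __name__ == "__main__":
    for line in audit_rsa_keys(SAMPLE_OUTPUT, "switch-core1", "ox.com")["remediation"]:
        print(line)
```

Run the proposed lines from a session you are already logged into, and confirm a fresh SSH login works before dropping that session.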
