[c-nsp] ssh Crypto key broke ??

Jeff Fitzwater jfitz at Princeton.EDU
Mon Feb 28 17:00:46 EST 2011


If there is a phantom key, you can't see it using the command "show crypto key mypubkey rsa".

No matter what I do, I can't build a key that works.

I'll open a TAC case to see if they can see a phantom key in the tech dump.


Jeff
On Feb 28, 2011, at 16:51 , Vinny_Abello at Dell.com wrote:

> show crypto key mypubkey rsa
> 
> Also, I have found you can change the hostname if you specify the new keypair-name using:
> 
> ip ssh rsa keypair-name <keypair-name>
> 
> Just be sure to do this after changing the hostname or domain suffix but BEFORE you disconnect. Otherwise new SSH connections will be broken. Test it, of course, prior to disconnecting your working session. :) The new keypair-name can be seen using the show crypto key mypubkey rsa command, but should be the FQDN of the device.
> 
> I don't know if that process is officially supported or works in all circumstances, but I've stumbled across it and it has worked for me when renaming devices running SSH. Perhaps it will help you out. Your IOS must also support specifying the ssh rsa keypair-name as well. Not all of them do. SXI should, from what I see.
> 
> -Vinny
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
> Sent: Monday, February 28, 2011 3:40 PM
> To: Bill Blackford
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ssh Crypto key broke ??
> 
> I just added VRF interface SVI and still have old non-vrf SVI.
> 
> If there is a phantom key that may have been introduced (name unknown), is there a way to see it in some kind of dump?
> 
> 
> Jeff
> On Feb 28, 2011, at 15:19 , Bill Blackford wrote:
> 
>> This could be way off base here, but if changing to a new VRF is 
>> anything like changing a hostname, then you're required to reboot.
>> 
>> -b
>> 
>> 
>> 
>> On Mon, Feb 28, 2011 at 11:08 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:
>>> Running 12.2.33-SXI3 on 6500
>>> 
>>> 
>>> Config had one IP interface.
>>> 
>>> Also had SSH enabled with crypto key mod 1024, and all has been working forever.
>>> 
>>> NOW COMES THE CHANGE....
>>> 
>>> 
>>> Had to add new VRF interface.
>>> 
>>> Made VTY vrf-aware and added new IP to VTY ACL.
>>> 
>>> 
>>> Initially I could SSH using new IP and OLD.
>>> 
>>> About an hour later SSH stopped working with log errors shown below.
>>> 
>>> 
>>> 
>>> SSH2 1: RSA_sign: private key not found
>>> SSH2 1: signature creation failed, status -1
>>> 
>>> 
>>> 
>>> I cleared crypto keys but no luck.
>>> Also cleared my local .ssh2 hostkeys.
>>> 
>>> Also, I see there is still a crypto bug that truncates the last character of the key name, leaving a phantom key.
>>> 
>>> -----
>>> This is the fix for the bug, but it did not work either...
>>> 
>>> ---------  This was note from my CISCO rep.
>>> 
>>> For example, our switch was named "switch-core1" with a domain of "ox.com". The fqdn was "switch-core1.ox.com". After the upgrade, the hidden corrupted key was labeled "switch-core1.ox.co".
>>> 
>>> The solution is to create a key with the bad label that will overwrite the phantom, then delete it:
>>> 
>>> switch-core1(config)#crypto key generate rsa general-keys label switch-core1.ox.co modulus 512
>>> switch-core1(config)#crypto key zeroize rsa switch-core1.ox.co
>>> 
>>> and the phantom key will be gone.
>>> 
>>> ------------
>>> 
>>> 
>>> 
>>> 
>>> Need help... any ideas???
>>> 
>>> 
>>> 
>>> Jeff Fitzwater
>>> OIT Network Systems
>>> Princeton University
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> 
>> 
>> 
>> 
>> --
>> Bill Blackford
>> Network Engineer
>> 
>> Logged into reality and abusing my sudo privileges.....
> 
> 

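The thread's cleanup recipe (find the label that is the FQDN minus its last character, overwrite it with a throwaway key, zeroize it) and Vinny's keypair-name pinning are easy to get wrong when typed by hand on a box you are about to lose your session to. The following is an added example, not code from the original posts: a small Python helper that parses "show crypto key mypubkey rsa" output for the key labels, flags any label matching the truncation pattern, and prints the IOS commands from the thread for that label. The sample output is constructed to resemble IOS output for the device names used in the thread (switch-core1.ox.com), and the "hostname.domain.server" temporary key is assumed to be the normal SSH server key that IOS creates, so it is ignored. The modulus 512 follows the rep's note; the key exists only to reclaim the label and is zeroized in the next command, so its size does not matter for security. The 2048 used for the rename path is this example's choice, not something the thread states.

```python
"""Added example (not from the thread): spot a truncated ("phantom") RSA key
label in Cisco IOS `show crypto key mypubkey rsa` output and emit the
cleanup commands the Cisco rep described."""
import re

# Constructed sample modelled on IOS `show crypto key mypubkey rsa` output for
# hostname switch-core1, domain ox.com (the names used in the thread).
SAMPLE_SHOW_OUTPUT = """\
% Key pair was generated at: 14:02:11 EST Feb 28 2011
Key name: switch-core1.ox.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C4F2A1
% Key pair was generated at: 14:02:11 EST Feb 28 2011
Key name: switch-core1.ox.co
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B7E019
% Key pair was generated at: 14:02:12 EST Feb 28 2011
Key name: switch-core1.ox.com.server
 Temporary key
 Usage: Encryption Key
 Key is not exportable.
"""

# One "Key name:" line per key pair; everything else is attributes of that key.
KEY_NAME_RE = re.compile(r"^Key name:\s+(\S+)\s*$", re.MULTILINE)


def key_labels(show_output):
    """Return every key label in the order it appears in the show output."""
    return KEY_NAME_RE.findall(show_output)


def expected_fqdn(hostname, domain):
    """IOS names the default RSA pair after hostname.domain."""
    return f"{hostname}.{domain}"


def find_phantom_labels(show_output, hostname, domain):
    """Labels equal to the FQDN with its last character dropped, i.e. the
    truncation described in the thread. The '.server' temporary key that IOS
    keeps for SSH (an assumption about IOS naming) is not the same string
    and is therefore left alone."""
    truncated = expected_fqdn(hostname, domain)[:-1]
    return [label for label in key_labels(show_output) if label == truncated]


def cleanup_commands(phantom_label, modulus=512):
    """The rep's procedure: regenerate under the bad label to overwrite the
    phantom entry, then zeroize that label. The throwaway key never serves
    SSH, so the small modulus from the thread is acceptable here."""
    return [
        f"crypto key generate rsa general-keys label {phantom_label} modulus {modulus}",
        f"crypto key zeroize rsa {phantom_label}",
    ]


def rename_commands(new_hostname, domain, modulus=2048):
    """Vinny's approach after a hostname/domain change: create a pair under the
    new FQDN and pin SSH to it before disconnecting. The modulus is this
    example's choice; the thread does not specify one for this path."""
    fqdn = expected_fqdn(new_hostname, domain)
    return [
        f"crypto key generate rsa general-keys label {fqdn} modulus {modulus}",
        f"ip ssh rsa keypair-name {fqdn}",
    ]


if __name__ == "__main__":
    hostname, domain = "switch-core1", "ox.com"
    print("labels present:", key_labels(SAMPLE_SHOW_OUTPUT))
    for label in find_phantom_labels(SAMPLE_SHOW_OUTPUT, hostname, domain):
        print(f"phantom label {label!r}; run in config mode:")
        for cmd in cleanup_commands(label):
            print("  " + cmd)
    print("after a rename, pin SSH to the new pair:")
    for cmd in rename_commands(hostname, domain):
        print("  " + cmd)
```

Paste the real "show crypto key mypubkey rsa" output in place of the constructed sample; if the phantom entry is genuinely hidden from that command, as Jeff reports, the parser will find nothing and the label has to come from TAC's tech-support dump instead. Run the commands from a session you will keep open until a fresh SSH login succeeds.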