SSH key error on Cisco devices

I'm using Rancid's clogin in a script to periodically retrieve the configs from Cisco switches/firewalls. On one of the switches I have a problem connecting with clogin via ssh. Even though I generated a key larger than 768 bits, when I try to connect it gives this error:

ssh -c 3des -x -l user 192.168.1.1
ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key
Error: Couldn't login: 192.168.1.1

Normally this means that the RSA host key the device presents is smaller than 768 bits: OpenSSH checks the modulus size of the server host key during key exchange and refuses to go on when it is below its minimum (768 bits in the build that printed the error above; current OpenSSH releases require at least 1024). To generate a key on IOS (in this case a Catalyst switch) you would use:

crypto key generate rsa general-keys modulus 1024

Like I said, even though I have a 1024-bit key, openssh was unable to connect, giving the error above. Before working around it, it is worth checking which key the device is actually serving: on the switch, show crypto key mypubkey rsa lists every RSA key pair with its size, and show ip ssh shows whether the SSH server is enabled and which protocol versions it offers; if more than one key pair exists, ip ssh rsa keypair-name selects the one the SSH server uses. One workaround that seems to solve this problem is to tell OpenSSH to use protocol version 1 for just that host (protocol 1 does not perform the ssh_rsa_verify modulus check). To do this, add a per-host entry to ~/.ssh/config (the same directive in /etc/ssh/ssh_config would apply system-wide):

Host 192.168.1.1
Protocol 1

Also, clogin gives you the possibility to replace the ssh command using a statement in ~/.cloginrc:

add sshcmd * /path/ssh_replacement

You could put in this ssh_replacement something like the following (-1 tells ssh to use protocol version 1; "$@" passes every argument clogin supplies through unchanged, however many there are and even if they contain spaces). Make the file executable with chmod +x:

#!/bin/sh
exec ssh -1 "$@"

Keep in mind that SSH protocol 1 has known cryptographic weaknesses and was removed from the OpenSSH client in release 7.6, so this is a stop-gap until the device serves a key that meets the client's minimum.
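To see for yourself which modulus size a device is presenting, rather than trusting the error message or the key you think you generated, you can decode the host key that ssh-keyscan returns. The script below is an added example and is not part of the original post or of Rancid; it decodes the ssh-rsa public key blob (RFC 4253 wire format: string "ssh-rsa", mpint e, mpint n) and reports the bit length of n, which is exactly the value ssh_rsa_verify compares against its minimum. The MIN_MODULUS_BITS value of 768 matches the error text above; the key lines built by make_ssh_rsa_line are constructed for the demo and are not real device keys, and scan_host_key is an assumed convenience wrapper around ssh-keyscan that needs network access.

```python
"""Check the RSA modulus size a host actually presents over SSH.

Added example, not code from the original post. It decodes the ssh-rsa
public key blob that `ssh-keyscan -t rsa HOST` prints (the same host
key OpenSSH's ssh_rsa_verify rejects when the modulus is too small), so
you can confirm whether the device really serves a 512-bit key before
forcing protocol 1 or rewriting .cloginrc. The sample keys built here
are constructed for demonstration, not real device keys.
"""
import base64
import struct
import subprocess

MIN_MODULUS_BITS = 768  # limit in the OpenSSH build that printed the error


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def ssh_rsa_modulus_bits(key_line):
    """Return the modulus bit length of an 'ssh-rsa AAAA...' key line.

    Accepts a raw authorized_keys-style line or an ssh-keyscan line that
    starts with the host name.
    """
    fields = key_line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1])
    # RFC 4253 section 6.6: string "ssh-rsa", mpint e, mpint n
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key blob is %r, not ssh-rsa" % keytype)
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    # A leading 0x00 pad byte in the mpint does not change the integer value
    return int.from_bytes(n, "big").bit_length()


def host_key_ok(key_line, minimum=MIN_MODULUS_BITS):
    """True if the presented modulus meets the client's minimum size."""
    return ssh_rsa_modulus_bits(key_line) >= minimum


def _mpint(value):
    """Encode a positive integer as an SSH mpint (big-endian, 0x00 pad if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_ssh_rsa_line(host, e, n):
    """Build an ssh-keyscan-style line for a constructed key (demo input only)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode("ascii"))


def scan_host_key(host, timeout=5):
    """Fetch the host's RSA key line with ssh-keyscan (needs network; not used in tests)."""
    out = subprocess.run(
        ["ssh-keyscan", "-t", "rsa", "-T", str(timeout), host],
        capture_output=True, text=True, check=True,
    ).stdout
    for line in out.splitlines():
        if " ssh-rsa " in line:
            return line
    raise RuntimeError("no ssh-rsa host key returned by %s" % host)


if __name__ == "__main__":
    # Constructed moduli with the top bit set, so bit_length is exactly 512 and 1024.
    # These are not valid RSA moduli; only the size matters for this check.
    weak = make_ssh_rsa_line("192.168.1.1", 65537, (1 << 511) | 1)
    strong = make_ssh_rsa_line("192.168.1.1", 65537, (1 << 1023) | 1)
    for line in (weak, strong):
        bits = ssh_rsa_modulus_bits(line)
        verdict = "ok" if host_key_ok(line) else "too small, ssh will refuse it"
        print("%4d-bit modulus: %s" % (bits, verdict))
```

Against a real device, replace the constructed lines with scan_host_key("192.168.1.1"); if it reports 512 bits while show crypto key mypubkey rsa on the switch lists a 1024-bit pair, the SSH server is not using the pair you generated and the fix belongs on the device, not in the client configuration.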

Comments

1 Response to "SSH key error on Cisco devices"

Dron said... September 4, 2012 at 6:47 PM

add cyphertype 10.100.0.X des -1
