Can I regenerate the rsa key for SSH access to a Cisco router? Or should I completely erase the SSH config?
Solution 1
Run `show crypto key mypubkey rsa` to see if you do, in fact, have a key fully generated and registered under a non-default name. If there is, then you can tell the ssh process to use this key with `ip ssh rsa keypair-name xxx`. If the first command doesn't show anything useful then I'd say you can go ahead and generate a new key.
You don't list your complete ssh configuration, so it's hard to know what to remove. Try `sh run | inc ssh` to see what's in there. In general ssh will start to work as soon as the process has a valid key. Remember that you may need to add authentication and, possibly, vty configuration if they aren't in place.
Solution 2
You could clear the previous key with the following command.
cisco(config)# crypto key zeroize rsa
Then sanitise the vty lines.
Simple SSH Config
cisco(config)# hostname <name>
cisco(config)# ip domain-name <domain>
cisco(config)# crypto key generate rsa
cisco(config)# ip ssh version 2
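The two answers together describe one procedure: check for an existing key, zeroize it if it is unusable, generate a fresh one, and then make sure the vty lines actually require SSH. The following IOS session is an added example, not from either answer or the original poster; the hostname, domain name, key label, modulus, username and management subnet are assumed placeholder values, and the exact keywords available depend on the IOS release on the box.

```cisco
! Added example, not from the original answers. Hostname, domain, key label,
! modulus, username and ACL below are assumed placeholders.

! 1. Find out what is already there before changing anything.
Router# show crypto key mypubkey rsa
Router# show ip ssh

! 2. Clear the old keys only if they are unusable; SSH stays down until a new key exists.
Router# configure terminal
Router(config)# crypto key zeroize rsa

! 3. A hostname and a domain name are required before a key can be generated.
Router(config)# hostname Gateway-2691
Gateway-2691(config)# ip domain-name example.com

! 4. Generate a labelled key with an explicit modulus and bind SSH to it.
!    768 bits is the minimum IOS accepts for SSHv2; 2048 is the sensible floor (assumed value).
Gateway-2691(config)# crypto key generate rsa label SSH-KEY modulus 2048
Gateway-2691(config)# ip ssh rsa keypair-name SSH-KEY
Gateway-2691(config)# ip ssh version 2
Gateway-2691(config)# ip ssh time-out 60
Gateway-2691(config)# ip ssh authentication-retries 2

! 5. A local account so that "login local" on the vty lines has something to check (placeholder).
Gateway-2691(config)# username admin privilege 15 secret <strong-password>

! 6. Lock the vty lines down: SSH only, local login, management subnet only (placeholder ACL).
!    If the router is managed over telnet today, use "transport input telnet ssh" here first
!    and switch to "transport input ssh" only after an SSH login from a second session works.
Gateway-2691(config)# ip access-list standard MGMT-HOSTS
Gateway-2691(config-std-nacl)# permit 10.0.0.0 0.0.0.255
Gateway-2691(config-std-nacl)# exit
Gateway-2691(config)# line vty 0 4
Gateway-2691(config-line)# transport input ssh
Gateway-2691(config-line)# login local
Gateway-2691(config-line)# access-class MGMT-HOSTS in
Gateway-2691(config-line)# exec-timeout 10 0
Gateway-2691(config-line)# end

! 7. Verify the key and the SSH state, then save.
Gateway-2691# show crypto key mypubkey rsa
Gateway-2691# show ip ssh
Gateway-2691# write memory
```

The "SSH Disabled" line in the poster's `show ip ssh` output is exactly the state step 2 leaves the router in, which is why step 4 must follow immediately; checking `show ip ssh` again at step 7 confirms the version 2 listener is up before telnet is removed from the vty lines.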
JoshP
Updated on September 18, 2022
Comments
-
JoshP over 1 year
I have a production 2691 that I administer via telnet. I'd like to change that to SSH. Looking at the config, it looks like there have been keys generated in the past. I think the history here is SSH was set up, they had issues connecting, and fell back to telnet.
There are a number of `crypto` entries, including the following:
crypto pki trustpoint Gateway-2691.xxx.com
 enrollment selfsigned
 subject-name cn=IOS-Gateway-2691.xxx.com
 revocation-check none
 rsakeypair Gateway-2691.xxx.com
I've also got this going...
Gateway-2691#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
Gateway-2691#
My question is simply, can I run `crypto key generate rsa` again to set it up again? Is there a way to negate or `no` all of the previous ssh config so that I can start fresh there? I may be asking the wrong questions, as I'm learning here. As for the SSH how-to, I'm sure I can find information in many places. I'm just basically wondering if I need to start fresh, or if I can pick up where the last attempt at SSH config left off.
-
JoshP over 11 years
Thanks very much for your help. Nothing showed up running your `show` cmd there, so I created a new key. ssh up and running now :)