
It seemed simple enough: use ip ssh version 2.

This was the result:

3750xCoreStack(config)#ip ssh version 2
Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).

3750xCoreStack(config)#cry key gen rsa
% You already have RSA keys defined named 3750xCoreStack
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 65 seconds)


3750xCoreStack(config)#ip ssh version 2
Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2). 
3750xCoreStack(config)#

So, I definitely have a 2048-bit RSA key, but it tells me that I need one in order to enable SSH. SSHv1 is presently working. Software is

Cisco IOS Software, C3750E Software (C3750E-IPBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)

Any thoughts?

atroon
Try telling it _which_ key to use: `ip ssh rsa keypair-name 3750xCoreStack` And remember that after you enable version 2 successfully you need to change all your passwords; version 1 is insecure and broken and your passwords should be treated as compromised. – Michael Hampton Feb 04 '15 at 16:02

In addition to what Michael said, I think you need to have ip domain-name set on the router; it's listed as a step in various "configuring SSH on Cisco" documents. – Dan Feb 04 '15 at 18:33

2 Answers


Thanks to both @Michael Hampton and @Dan for important pieces of information. The ip domain-name was already set, but when I enabled SSH by using the keypair name, that worked properly.

So, in short: if your router has RSA keys generated, but won't enable SSHv2, enable SSH with the name of the RSA keys, like so:

ip ssh rsa keypair-name <name>

and then

no ip ssh version 1

Thankfully, this was a lab setup so no SSHv1 traffic was publicly sent, and no actual passwords were used, so mitigation from using a bad SSH version was minimal.

atroon
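Once `ip ssh version 2` has taken effect, the device should advertise "SSH-2.0" in its identification string; a "1.99" protoversion is the RFC 4253 compatibility marker and means SSHv1 clients are still accepted. This is an added verification helper, not code from the thread: it classifies banners offline (the sample banners are constructed) and can optionally fetch a live one from a host you administer.

```python
"""Classify an SSH server by its identification string (RFC 4253, section 4.2)."""
import re
import socket

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$"
)


def classify_banner(banner: str) -> dict:
    """Return which protocol generations an identification string implies.

    "1.99" is the RFC 4253 compatibility value: the server speaks 2.0 *and*
    still accepts 1.x clients, so SSHv1 remains exposed.  A "2.x" value is
    v2-only; anything else is a v1-only server.
    """
    m = _ID_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    if proto == "1.99":
        v1, v2 = True, True
    elif proto.startswith("2."):
        v1, v2 = False, True
    else:
        v1, v2 = True, False
    return {"proto": proto, "software": m.group("soft"),
            "sshv1_exposed": v1, "sshv2": v2}


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the server's identification line (the server sends it first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        # RFC 4253 4.2 allows preliminary lines that do not start with "SSH-".
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("closed before identification string")
            text = line.decode("ascii", "replace").rstrip("\r\n")
            if text.startswith("SSH-"):
                return text


if __name__ == "__main__":
    # Constructed sample banners, not captured from the devices in the thread.
    for b in ("SSH-1.99-Cisco-1.25", "SSH-2.0-Cisco-1.25", "SSH-1.5-Cisco-1.25"):
        print(b, classify_banner(b))
```

Run `read_banner("<switch-ip>")` against the switch you just reconfigured and pass the result to `classify_banner`; `sshv1_exposed` should be `False` after the change.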

I had the same problem with a 3560. I just deleted the key, recreated it, and it worked...

  1. Delete the RSA key pair.
  2. After the RSA key pair is deleted, the SSH server is automatically disabled.

    carter(config)# crypto key zeroize rsa

I hope it helps!

chicks
Marcio

FYI, this solved my problem on a misbehaving C2960S on which I had already tried regenerating RSA keys (but I didn't zeroize before regenerating the key). Zeroizing the RSA key did the trick. – Mike Pennington Aug 12 '16 at 13:33