• Status: Solved
  • Priority: Medium
  • Security: Public

SSH disabled. Unable to create SSH Key Pair

Nov 15 12:18:44.798 GMT: %SYS-5-CONFIG_I: Configured from console by user on console
Nov 15 12:22:49.840 GMT: %SYS-5-CONFIG_I: Configured from console by user on console
Nov 15 12:25:50.690 GMT: %SYS-5-CONFIG_I: Configured from console by user on console
Nov 15 12:40:06.360 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:43:17.490 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
Nov 15 12:43:21.782 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:48:08.528 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
Nov 15 12:48:12.544 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:53:12.042 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:53:45.487 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
Nov 15 12:53:47.195 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:55:46.816 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:58:50.325 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 13:00:31.046 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 13:03:28.647 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 13:06:00.088 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 13:07:04.021 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
Nov 15 13:07:38.329 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 13:14:40.476 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 13:15:39.961 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
Asked by Shabib786
 
Don Johnston (Instructor) Commented:
Can you post your config?
0
 
tibble2 Commented:
Are you using the following:

crypto key generate rsa

to generate your SSH key, and how many bits are you using for encryption?
0
 
larsga Commented:
What exactly are you trying to do? sshv1 or sshv2?

Cisco documentation for configuring ssh is at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_secure_shell_ps6441_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_secure_shell_v2_ps6441_TSD_Products_Configuration_Guide_Chapter.html

My guess is that you are trying to use ssh2, but have not configured a key with sufficient length. "crypto key generate rsa encryption modulus 1024 "
0
 
Shabib786 (Author) Commented:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname siterouter
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-15.T4.bin
boot-end-marker
!
logging buffered 128000
no logging console
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain list hq.secret.com
ip domain list secret.com
ip domain name secret.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username local secret 5 <removed>
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 12
ip telnet source-interface Loopback0
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh rsa keypair-name secret.com
!
!
!
!
!
!
interface Loopback0
 description *** Local Management Loopback ***
 ip address 10.0.0.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/0
 ip address 192.168.0.6 255.255.255.252
 duplex full
 speed 10
!
interface FastEthernet0/1
 ip address 192.168.1.6 255.255.255.248
 duplex full
 speed 100
!
!
!
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback0
!
!
control-plane
!
!

^C
!
line con 0
 session-timeout 15
 exec-timeout 15 0
 password 7 <removed>
line aux 0
line vty 0 4
 session-timeout 15
 exec-timeout 15 0
 password 7 <removed>
 logging synchronous
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 session-timeout 15
 exec-timeout 15 0
 password 7 <removed>
 logging synchronous
 transport input ssh
 transport output telnet ssh
!

end
0
 
tibble2 Commented:
Can you run the Show cry key command?
0
 
tibble2 Commented:
Please could you review the settings you have for SSH? Each time you tried to generate an SSH key it failed. The Router ignored the Key Pair as SSH was disabled. You can see that clearly from the log.

You have successfully created an RSA Key but not for SSH.

So you need to enable it using the following commands:

First check status using sh ip ssh.

Then the following commands should resolve the issue:
ip domain-name <your FQDN>
crypto key zeroize rsa
crypto key generate rsa
ip ssh time-out 120
ip ssh authentication-retries 3
0
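
An offline pre-check for the situation discussed in this thread, as an added example (not code from any poster or from Cisco): it scans a saved running-config and log buffer for the SSH prerequisites mentioned above, counts the "is not for SSH" rejections per key label, and flags vty lines that still accept Telnet. The function name `audit_ssh`, the wording of the findings and the sample input (constructed from the config and log posted above) are assumptions.

```python
import re

# Constructed sample input modelled on the config and log posted in this thread.
SAMPLE_CONFIG = """\
hostname siterouter
ip domain name secret.com
ip ssh rsa keypair-name secret.com
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""
SAMPLE_LOG = """\
Nov 15 12:43:17.490 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
Nov 15 12:43:21.782 GMT: %SYS-5-CONFIG_I: Configured from console by user on vty1 (192.168.0.1)
Nov 15 12:48:08.528 GMT: SSH: Generated key secret.com is not for SSH. Ignoring.
"""

def audit_ssh(config, log=""):
    """Return a list of findings about SSH readiness in an IOS config and log."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("no hostname configured")
    # IOS accepts both 'ip domain name' and 'ip domain-name'.
    if not re.search(r"^ip domain[ -]name \S+", config, re.M):
        findings.append("no ip domain name configured")
    pinned = re.search(r"^ip ssh rsa keypair-name (\S+)", config, re.M)
    # Key labels the router generated but refused to use for SSH.
    ignored = re.findall(r"SSH: Generated key (\S+) is not for SSH\. Ignoring", log)
    for label in sorted(set(ignored)):
        note = f"key '{label}' rejected for SSH {ignored.count(label)} time(s)"
        if pinned and pinned.group(1) == label:
            note += "; same label is pinned by 'ip ssh rsa keypair-name'"
        findings.append(note)
    # Walk the line blocks and flag any vty range that still accepts Telnet.
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
        elif not raw.startswith(" "):
            current = None  # left the line block ('!' or another top-level command)
        elif current and current.startswith("line vty"):
            m = re.match(r"\s+transport input (.+)", raw)
            if m and {"telnet", "all"} & set(m.group(1).split()):
                findings.append(f"{current}: Telnet still permitted")
    return findings
```

Run it against the output of `show running-config` and `show logging` saved to text files; an empty list means none of these checks fired.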