Crypto Key Generate Rsa Command Not Available

Apr 19, 2011  Cisco Switching/Routing:: Cat6500 - Crypto Key Generate RSA Command Missing Feb 10, 2013. I recently rebuilt the configuration of our Cat6500 multilayer device for use as a user stack. The device is functioning as it should be, but I am unable to set up SSH using the 'crypto key generate rsa' command. The crypto command isn't available at all, which suggests a firmware issue. I have configured a hostname and ip domain-name and the image is the only one available. The show version output is. Jul 03, 2015  How to set up SSH on Catalyst 2950-S Series? crypto key generate rsa. ip ssh time-out 60. ip ssh authentication-retries 2 !- Step 4: By default the vtys' transport is Telnet. The existing IOS version doesn't support the crypto command, so I cannot enable SSH until the software is upgraded.

  1. You can generate a key with a command like this: crypto key generate ssh rsa. Optionally, use the 'bits' option after rsa to specify how big of a key you want. When you are typing these commands use the key to do auto-complete as well as to see the available options for the next part of the command.
  3. Lab Catalyst 3550 does not show Crypto Key generate command. Hey guys and gals, I am learning to generate encryption keys. I am trying to run the '(config)#crypto key generate rsa' command with no luck. The switch seems.


Implementing Network Security ( Version 2.0) – CCNAS Chapter 2 Exam Answers 2019 Full 100%

  1. An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)

    • Configure the IP domain name on the router.
    • Enable inbound vty Telnet sessions.
    • Generate the SSH keys.
    • Configure DNS on the router.
    • Enable inbound vty SSH sessions.
    • Generate two-way pre-shared keys.
      Explanation:

      There are four steps to configure SSH support on a Cisco router:
      Step 1: Set the domain name.
      Step 2: Generate one-way secret keys.
      Step 3: Create a local username and password.
      Step 4: Enable SSH inbound on a vty line.

  2. Which set of commands are required to create a username of admin, hash the password using MD5, and force the router to access the internal username database when a user attempts to access the console?

    • R1(config)# username admin password Admin01pa55
      R1(config)# line con 0
      R1(config-line)# login local
    • R1(config)# username admin password Admin01pa55
      R1(config)# line con 0
      R1(config-line)# login
    • R1(config)# username admin Admin01pa55 encr md5
      R1(config)# line con 0
      R1(config-line)# login local
    • R1(config)# username admin secret Admin01pa55
      R1(config)# line con 0
      R1(config-line)# login local
    • R1(config)# username admin secret Admin01pa55
      R1(config)# line con 0
      R1(config-line)# login
      Explanation:
      To configure a user account with an encrypted password, the username secret command is used. The line con 0 command defines the console line as configured for login and the login local command tells the router to look in the local database for the user credentials.
  3. Refer to the exhibit. Which statement about the JR-Admin account is true?

    Implementing Network Security ( Version 2.0) – CCNAS Chapter 2 Exam Answers 2019 01

    • JR-Admin can issue show, ping, and reload commands.
    • JR-Admin can issue ping and reload commands.
    • JR-Admin can issue only ping commands.
    • JR-Admin can issue debug and reload commands.
    • JR-Admin cannot issue any command because the privilege level does not match one of those defined.
      Explanation:
      When the username name privilege 10 command is issued, access to commands with a privilege level of 10 or less (0-10) is permitted to the user.
  4. Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

    • physical security
    • flash security
    • operating system security
    • remote access security
    • router hardening
    • zone isolation
      Explanation:

      There are three areas of router security to maintain:
      1) physical security
      2) router hardening
      3) operating system security

  5. What is the default privilege level of user accounts created on Cisco routers?

    • 0
    • 1
    • 15
    • 16
      Explanation:
      There are 16 privilege levels that can be configured as part of the username command, ranging from 0 to 15. By default, if no level is specified, the account will have privilege level 1.
  6. Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?

    • Keep a secure copy of the router Cisco IOS image and router configuration file as a backup.
    • Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed.
    • Configure secure administrative control to ensure that only authorized personnel can access the router.
    • Locate the router in a secure locked room that is accessible only to authorized personnel.
    • Provision the router with the maximum amount of memory possible.
      Explanation:

      Of the three areas of router security, physical security, router hardening, and operating system security, physical security involves locating the router in a secure room accessible only to authorized personnel who can perform password recovery.

  7. Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT?

    Implementing Network Security ( Version 2.0) – CCNAS Chapter 2 Exam Answers 2019 02

    • secret view, with a level 5 encrypted password
    • root view, with a level 5 encrypted secret password
    • superview, containing SHOWVIEW and VERIFYVIEW views
    • CLI view, containing SHOWVIEW and VERIFYVIEW commands
      Explanation:

      The superview role-based CLI view named SUPPORT has been configured on the router. The SUPPORT superview consists of two CLI views called SHOWVIEW and VERIFYVIEW.

  8. Which two characteristics apply to role-based CLI access superviews? (Choose two.)

    • CLI views have passwords, but superviews do not have passwords.
    • Users logged in to a superview can access all commands specified within the associated CLI views.
    • A single superview can be shared among multiple CLI views.
    • A specific superview cannot have commands added to it directly.
    • Deleting a superview deletes all associated CLI views.
      Explanation:

      By using a superview an administrator can assign users or groups of users to CLI views which contain a specific set of commands those users can access. Commands cannot be added directly to a superview but rather must be added to a CLI view and the CLI view added to the superview.

  9. Which three types of views are available when configuring the role-based CLI access feature? (Choose three.)

    • superuser view
    • root view
    • superview
    • CLI view
    • admin view
    • config view
      Explanation:

      There are three types of Role-based CLI views:

      1) root view
      2) CLI view
      3) superview

  10. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)

    • Assign a secret password to the view.
    • Assign commands to the view.
    • Assign users who can use the view.
    • Associate the view with the root view.
    • Create a superview using the parser view view-name command.
    • Create a view using the parser view view-name command.
      Explanation:

      There are five steps involved to create a view on a Cisco router.
      1) AAA must be enabled.
      2) the view must be created.
      3) a secret password must be assigned to the view.
      4) commands must be assigned to the view.
      5) view configuration mode must be exited.

  11. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?

    • All vty ports are automatically configured for SSH to provide secure management.
    • The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.
    • The keys must be zeroized to reset Secure Shell before configuring other parameters.
    • The generated keys can be used by SSH.
      Explanation:

      Once RSA keys are generated, SSH is automatically enabled.

  12. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)

    • There is no access control to specific interfaces on a router.
    • The root user must be assigned to each privilege level that is defined.
    • Commands set on a higher privilege level are not available for lower privilege users.
    • Views are required to define the CLI commands that each user can access.
    • Creating a user account that needs access to most but not all commands can be a tedious process.
    • It is required that all 16 privilege levels be defined, whether they are used or not.
      Explanation:

      An administrator can create customized privilege levels and assign different commands to each level. However, this method of controlling the level of access to the router has limitations. With privilege levels, access to specific interfaces or ports cannot be controlled, and the availability of commands cannot be customized across levels.

  13. What command must be issued to enable login enhancements on a Cisco router?

    • login block-for
    • banner motd
    • login delay
    • privilege exec level
      Explanation:

      Cisco IOS login enhancements can increase the security for virtual login connections to a router. Although login delay is a login enhancement command, all login enhancements are disabled until the login block-for command is configured.

  14. A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode?

    • Quiet mode behavior will only prevent specific user accounts from attempting to authenticate.
    • Quiet mode behavior can be disabled by an administrator by using SSH to connect.
    • Quiet mode behavior can be overridden for specific networks by using an ACL.
    • Quiet mode behavior can be enabled via an ip access-group command on a physical interface.
      Explanation:
      Quiet mode prevents any further login attempts for a period of time. Quiet mode is enabled via the login quiet-mode access-class command. Quiet mode behavior can be overridden for specific networks by building and implementing an access control list (ACL).
  15. What is a characteristic of the Cisco IOS Resilient Configuration feature?

    • It maintains a secure working copy of the bootstrap startup program.
    • The secure boot-image command works properly when the system is configured to run an image from a TFTP server.
    • Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered.
    • A snapshot of the router running configuration can be taken and securely archived in persistent storage.
      Explanation:
      The Cisco IOS Resilient Configuration feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. The secure boot-image command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. The secure boot-config command has to be used repeatedly to upgrade the configuration archive to a newer version after new configuration commands have been issued. A snapshot of the router running configuration can be taken and securely archived in persistent storage using the secure boot-config command.
  16. What is a requirement to use the Secure Copy Protocol feature?

    • The Telnet protocol has to be configured on the SCP server side.
    • A transfer can only originate from SCP clients that are routers.
    • At least one user with privilege level 1 has to be configured for local authentication.
    • A command must be issued to enable the SCP server side functionality.
      Explanation:
      The Secure Copy Protocol feature relies on SSH and requires that AAA authentication and authorization be configured so that the router can determine whether the user has the correct privilege level. For local authentication, at least one user with privilege level 15 has to be configured. Transfers can originate from any SCP client whether that client is another router, switch, or workstation. The ip scp server enable command has to be issued to enable the SCP server side functionality.
  17. What is a characteristic of the MIB?

    • Information is organized in a flat manner so that SNMP can access it quickly.
    • The OIDs are organized in a hierarchical structure.
    • A separate MIB tree exists for any given device in the network.
    • Information in the MIB cannot be changed.
      Explanation:

      SNMP set, get, and trap messages are used to access and manipulate the information contained in the MIB. This information is organized hierarchically so that SNMP can access it quickly. Each piece of information within the MIB is given an object ID (OID), that is organized based on RFC standards into a hierarchy of OIDs. The MIB tree for any given device includes branches with variables common to many networking devices and branches with variables specific to that device or vendor.

  18. Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.)

    • content of a security banner
    • interfaces to enable
    • enable secret password
    • enable password
    • IP addresses of interfaces
    • services to disable
      Explanation:

      During AutoSecure setup, the following steps occur:

      – The auto secure command is entered.
      – The wizard gathers information about the outside interfaces.
      – AutoSecure secures the management plane by disabling unnecessary services.
      – AutoSecure prompts for a security banner.
      – AutoSecure prompts for passwords and enables password and login features.
      – Interfaces are secured.
      – The forwarding plane is secured.

  19. A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.)

    • ip ospf message-digest-key 1 md5 1A2b3C
    • area 1 authentication message-digest
    • username OSPF password 1A2b3C
    • enable password 1A2b3C
    • area 0 authentication message-digest
      Explanation:
      The two commands that are necessary to configure authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area (Area 0) of the company network would be ip ospf message-digest-key 1 md5 1A2b3C and area 0 authentication message-digest. The option area 1 authentication message-digest is incorrect because it refers to Area 1, not Area 0. The option enable password 1A2b3C is incorrect because it would set the privileged EXEC mode password instead of the OSPF authentication password. The option username OSPF password 1A2b3C is required to create a username database in a router, which is not required with OSPF authentication.
  20. What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?

    • to encrypt OSPF routing updates
    • to enable OSPF MD5 authentication on a per-interface basis
    • to configure OSPF MD5 authentication globally on the router
    • to facilitate the establishment of neighbor adjacencies
      Explanation:
      To configure OSPF MD5 authentication globally, the ip ospf message-digest-key key md5 password interface configuration command and the area area-id authentication message-digest router configuration command are issued. To configure OSPF MD5 authentication per interface, the ip ospf message-digest-key key md5 password interface configuration command and the ip ospf authentication message-digest interface configuration command are issued. Authentication does not encrypt OSPF routing updates. The requirements to establish OSPF router neighbor adjacencies are separate from authentication.
  21. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)

    • to ensure more efficient routing
    • to ensure faster network convergence
    • to provide data security through encryption
    • to prevent data traffic from being redirected and then discarded
    • to prevent redirection of data traffic to an insecure link
      Explanation:

      The reason to configure OSPF authentication is to mitigate against routing protocol attacks like redirection of data traffic to an insecure link, and redirection of data traffic to discard it. OSPF authentication does not provide faster network convergence, more efficient routing, or encryption of data traffic.

  22. What is the Control Plane Policing (CoPP) feature designed to accomplish?

    • manage services provided by the control plane
    • prevent unnecessary traffic from overwhelming the route processor
    • disable control plane services to reduce overall traffic
    • direct all excess traffic away from the route processor
      Explanation:

      Control Plane Policing (CoPP) does not manage or disable any services. It does not direct traffic away from the route processor, but rather it prevents unnecessary traffic from getting to the route processor.

  23. Which two options can be configured by Cisco AutoSecure? (Choose two.)

    • enable secret password
    • SNMP
    • syslog
    • security banner
    • interface IP address
      Explanation:

      AutoSecure executes a script that first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router. AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router, and this includes setting an enable password, and a security banner.

  24. Which three functions are provided by the syslog logging service? (Choose three.)

    • authenticating and encrypting data sent over the network
    • gathering logging information
    • specifying where captured information is stored
    • setting the size of the logging buffer
    • distinguishing between information to be captured and information to be ignored
    • retaining captured messages on the router when a router is rebooted
      Explanation:

      Syslog operations include gathering information, selecting which type of information to capture, and directing the captured information to a storage location. The logging service stores messages in a logging buffer that is time-limited, and cannot retain the information when a router is rebooted. Syslog does not authenticate or encrypt messages.

  25. Which three actions are produced by adding Cisco IOS login enhancements to the router login process? (Choose three.)

    • permit only secure console access
    • slow down an active attack
    • create syslog messages
    • create password authentication
    • automatically provide AAA authentication
    • disable logins from specified hosts
      Explanation:

      Cisco IOS login enhancements provide increased security in three ways:

      – Implement delays between successive login attempts
      – Enable login shutdown if DoS attacks are suspected
      – Generate system-logging messages for login detection

      Banners and password authentication are disabled by default and must be enabled by command. Virtual login enhancements do not apply to console connections.


Introduction

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses stronger encryption and integrity algorithms.

This document discusses how to configure and debug SSH on Cisco routers or switches that run a version of Cisco IOS® Software that supports SSH. This document contains more information on specific versions and software images.

Prerequisites

Requirements

The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-tar.122-35.SE5.tar is a k9 (crypto) image.

Components Used

The information in this document is based on Cisco IOS 3600 Software (C3640-IK9S-M), Release 12.2(2)T1.

SSH was introduced into these Cisco IOS platforms and images:

  • SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S.

  • SSH client was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1.3.T.

  • SSH terminal-line access (also known as reverse-Telnet) was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.2.2.T.

  • SSH Version 2.0 (SSH v2) support was introduced in some Cisco IOS platforms and images starting in Cisco IOS Software Release 12.1(19)E.

  • Refer to How to Configure SSH on Catalyst Switches Running CatOS for more information on SSH support in the switches.

Refer to the Software Advisor (registered customers only) for a complete list of feature sets supported in different Cisco IOS Software releases and on different platforms.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are in a live network, make sure that you understand the potential impact of any command before you use it.

Conventions


Refer to Cisco Technical Tips Conventions for more information on document conventions.

SSH v1 vs. SSH v2

Use the Cisco Software Advisor (registered customers only) in order to help you find the version of code with appropriate support for either SSH v1 or SSH v2.

Network Diagram

Test Authentication


Authentication Test without SSH

First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username 'cisco' and password 'cisco.'

Authentication Test with SSH

In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations.

At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station. If this does not work, see the debug section of this document.

Optional Configuration Settings

Prevent Non-SSH Connections

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.

Test to make sure that non-SSH users cannot Telnet to the router Carter.

Set Up an IOS Router or Switch as SSH Client

There are four steps required to enable SSH support on a Cisco IOS router:

  1. Configure the hostname command.

  2. Configure the DNS domain.

  3. Generate the SSH key to be used.

  4. Enable SSH transport support for the virtual type terminal (vtys).

If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed. These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as the client. The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.

Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test this:

  • SSH v1:

  • SSH v2:

Set Up an IOS Router as an SSH Server That Performs RSA-Based User Authentication

Complete these steps in order to configure the SSH server to perform RSA based authentication.

  1. Specify the Host name.

  2. Define a default domain name.

  3. Generate RSA key pairs.

  4. Configure SSH-RSA keys for user and server authentication.

  5. Configure the SSH username.

  6. Specify the RSA public key of the remote peer.

  7. Specify the SSH key type and version. (optional)

  8. Exit the current mode and return to privileged EXEC mode.

    Note: Refer to Secure Shell Version 2 Support for more information.

Add SSH Terminal-Line Access

If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets through Carter, which acts as a comm server to Philly.

If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the help of this command:

  • SSH v1:

  • SSH v2:

You can use this command from Solaris:

Restrict SSH access to a subnet

To limit SSH connectivity to a specific subnetwork, so that SSH attempts from IP addresses outside that subnetwork are dropped, use these steps:

  1. Define an access-list that permits the traffic from that specific subnetwork.

  2. Restrict access to the VTY line interface with an access-class.

This is an example configuration. In this example only SSH access from the 10.10.10.0 255.255.255.0 subnet is permitted; all other sources are denied.

Note: The same procedure to lock down the SSH access is also applicable on switch platforms.

Configure the SSH Version

Configure SSH v1:

Configure SSH v2:

Configure SSH v1 and v2:

Note: You receive this error message when you use SSHv1:

Note: Cisco bug ID CSCsu51740 (registered customers only) is filed for this issue. Workaround is to configure SSHv2.
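As an added illustration (not from the Cisco document, and not a Cisco tool), the following Python audit parses a constructed IOS running-config and checks the points made in the four-step SSH procedure, "Prevent Non-SSH Connections", "Restrict SSH access to a subnet" and "Configure the SSH Version" above (hostname and ip domain-name present, ip ssh version 2, transport input ssh and an inbound access-class on every vty line, a login method, and the login block-for trigger noted in exam question 13), then evaluates the access-class ACL against sample source addresses the way IOS does (first match wins, implicit deny at the end). It handles numbered standard ACLs only; the hostname Carter and the 10.10.10.0/24 subnet come from the page, every other value is constructed.

```python
"""Audit a Cisco IOS running-config for the SSH hardening points above."""
import ipaddress
import re

# Constructed sample running-config (not captured from a real device): SSH is
# locked down on vty 0-4, but vty 5-15 still accepts Telnet and has no
# access-class, and the login-enhancement trigger command is missing.
SAMPLE_CONFIG = """\
hostname Carter
ip domain-name example.test
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 deny any
line con 0
 login local
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""


def parse_config(text):
    """Split a running-config into global commands and per-'line' sub-commands."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks.setdefault(current, [])
        else:
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def parse_standard_acl(global_cmds, number):
    """Return [(action, network)] for a numbered standard ACL, in config order."""
    entries = []
    for cmd in global_cmds:
        m = re.match(rf"access-list {number} (permit|deny) (\S+)(?: (\S+))?$", cmd)
        if not m:
            continue
        action, addr, wildcard = m.groups()
        if addr == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif addr == "host":
            net = ipaddress.ip_network(f"{wildcard}/32")
        else:
            # IOS wildcard mask: a set bit means "don't care"; for a contiguous
            # wildcard the prefix length is 32 minus the number of set bits.
            wc_bits = int(ipaddress.ip_address(wildcard or "0.0.0.0"))
            net = ipaddress.ip_network(f"{addr}/{32 - wc_bits.bit_length()}", strict=False)
        entries.append((action, net))
    return entries


def acl_permits(entries, source_ip):
    """First matching entry wins; an empty or exhausted ACL denies (implicit deny)."""
    ip = ipaddress.ip_address(source_ip)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(text)
    findings = []
    # Prerequisites for 'crypto key generate rsa' and for the SSH server itself.
    if not any(c.startswith("hostname ") for c in global_cmds):
        findings.append("no hostname: key generation fails with 'No hostname specified'")
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("no ip domain-name: key generation fails with 'No domain specified'")
    if "ip ssh version 2" not in global_cmds:
        findings.append("ip ssh version 2 not set: SSHv1 sessions still accepted")
    if not any(c.startswith("login block-for ") for c in global_cmds):
        findings.append("login block-for absent: login enhancements stay disabled")
    for name, cmds in line_blocks.items():
        if not name.startswith("line vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), "default")
        if transport != "transport input ssh":
            findings.append(f"{name}: '{transport}' allows non-SSH access; set 'transport input ssh'")
        acl_ref = next((c.split()[1] for c in cmds if re.match(r"access-class \S+ in$", c)), None)
        if acl_ref is None:
            findings.append(f"{name}: no 'access-class <acl> in' restricting SSH source subnets")
        elif not parse_standard_acl(global_cmds, acl_ref):
            findings.append(f"{name}: access-class {acl_ref} references an ACL with no entries")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no 'login local' or AAA login method")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    acl = parse_standard_acl(parse_config(SAMPLE_CONFIG)[0], "23")
    for src in ("10.10.10.7", "192.0.2.5"):
        print(src, "permitted" if acl_permits(acl, src) else "denied")
```

Run against a real device by pasting the output of show running-config into SAMPLE_CONFIG; the key modulus size is not visible in the running-config, so check that separately with show crypto key mypubkey rsa.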

Variations on banner Command Output

The banner command output varies between the Telnet and different versions of SSH connections. This table illustrates how different banner command options work with various types of connections.

Banner Command Option | Telnet | SSH v1 only | SSH v1 and v2 | SSH v2 only
banner login | Displayed before logging into the device. | Not displayed. | Displayed before logging into the device. | Displayed before logging into the device.
banner motd | Displayed before logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device.
banner exec | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device. | Displayed after logging into the device.

Unable to Display the Login Banner

SSH version 2 supports the login banner. The login banner is displayed if the SSH client sends the username when it initiates the SSH session with the Cisco router. For example, when the Secure Shell ssh client is used, the login banner is displayed. When the PuTTY ssh client is used, the login banner is not displayed. This is because Secure Shell sends the username by default and PuTTY does not send the username by default.

The Secure Shell client needs the username to initiate the connection to the SSH enabled device. The Connect button is not enabled if you do not enter the host name and username. This screenshot shows that the login banner is displayed when Secure Shell connects to the router. Then, the login banner password prompt displays.

The PuTTY client does not require the username to initiate the SSH connection to the router. This screenshot shows that the PuTTY client connects to the router and prompts for the username and password. It does not display the login banner.

This screen shot shows that the login banner is displayed when PuTTY is configured to send the username to the router.

debug and show Commands

Before you issue the debug commands described and illustrated here, refer to Important Information on Debug Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

  • debug ip ssh—Displays debug messages for SSH.

  • show ssh—Displays the status of SSH server connections.

  • show ip ssh—Displays the version and configuration data for SSH.

    • Version 1 Connection and no Version 2

    • Version 2 Connection and no Version 1

    • Version 1 and Version 2 Connections

Sample Debug Output

Router Debug

Note: Some of this good debug output is wrapped to multiple lines because of spatial considerations.

Server Debug

Note: This output was captured on a Solaris machine.

What can go Wrong

These sections have sample debug output from several incorrect configurations.

SSH From an SSH Client Not Compiled with Data Encryption Standard (DES)

Solaris Debug

Router Debug


Bad Password

Router Debug

SSH Client Sends Unsupported (Blowfish) Cipher

Router Debug

Getting the '%SSH-3-PRIVATEKEY: Unable to retrieve RSA private key for' Error

If you receive this error message, it may be caused by a change in the domain name or host name. In order to resolve this, try these workarounds.

  • Zeroize the RSA keys and re-generate the keys.

  • If the previous workaround does not work, try these steps:

    1. Zeroize all RSA keys.

    2. Reload the device.

    3. Create new labeled keys for SSH.

Cisco bug ID CSCsa83601 (registered customers only) has been filed to address this behaviour.

Troubleshooting Tips

  • If your SSH configuration commands are rejected as illegal commands, you have not successfully generated an RSA key pair for your router. Make sure you have specified a host name and domain. Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server.

  • When you configure the RSA key pair, you might encounter these error messages:

    1. No hostname specified

      You must configure a host name for the router using the hostname global configuration command.

    2. No domain specified

      You must configure a host domain for the router using the ip domain-name global configuration command.

  • The number of allowable SSH connections is limited to the maximum number of vtys configured for the router. Each SSH connection uses a vty resource.

  • SSH uses either local security or the security protocol that is configured through AAA on your router for user authentication. When you configure AAA, you must ensure that the console is not running under AAA by applying a keyword in the global configuration mode to disable AAA on the console.

  • No SSH server connections running.

    This output suggests that the SSH server is disabled or not enabled properly. If you have already configured SSH, it is recommended that you reconfigure the SSH server in the device. Complete these steps in order to reconfigure SSH server on the device.

    1. Delete the RSA key pair. After the RSA key pair is deleted, the SSH server is automatically disabled.

      Note: It is important to generate a key-pair with at least 768 as bit size when you enable SSH v2.

      Caution: This command cannot be undone after you save your configuration, and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again. Refer to crypto key zeroize rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on this command.

    2. Reconfigure the hostname and domain name of the device.

    3. Generate an RSA key pair for your router, which automatically enables SSH.

      Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.

      Note: You can receive the SSH2 0: Unexpected mesg type received error message due to a packet received that is not understandable by the router. Increase the key length while you generate rsa keys for ssh in order to resolve this issue.

    4. Configure the SSH server. In order to enable and configure a Cisco router/switch as an SSH server, you can set the SSH parameters. If you do not configure SSH parameters, the default values are used.

      ip ssh {[timeout seconds] [authentication-retries integer]}

      Refer to ip ssh - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.

Related Information