Proper steps to Enable SSH on 21.1.3.7 or higher XOS

  • Question
  • Updated 1 year ago
  • Answered
I was trying to enable SSH on an XOS device having the 21.1.3.7 image.
I did the following steps:

ena ssh <-- OK

generated a private key..  <-- OK

I want to have an SSH session via PuTTY or Tera Term <-- connection refused
I want to enable HTTPS <-- will not allow

What are the proper steps to generate the required keys and certificate and import them so that this freakin SSL/SSH related thing will start to work?

Can someone please guide me to the correct steps, like importing a PEM or copying from a PEM file and pasting it in the console? How can I get an SSL certificate?
Is SSHD2 also required for a PuTTY SSH connection?

Arjumand Qazi

Posted 1 year ago


Mel78, CISSP, ECE

(Edited)

Arjumand Qazi

I have already used this step, but I don't know about that content/key which is to be copied from some certificate sitting somewhere in the switch, which I couldn't locate... Where is that certificate with the PEM extension?
I can't find that key which will eventually be used to create the SSL cert.

Arjumand Qazi

X460G2-24t-G4.7 # conf ssl privkey pregenerated ?
  <cr>            Execute the command
X460G2-24t-G4.7 # conf ssl privkey pregenerated
Paste private key in Privacy Enhanced Mail (PEM) format.
Enter blank line for end of private key.
2d:2d:2d:2d:2d:42:45:47:49:4e:20:52:53:41:20:50:52:49:56:41:54:45:20:4b:45:59:2

Error: Error validating private key
X460G2-24t-G4.8 #

Arjumand Qazi

That's what has been happening since the morning. I don't know what content is to be pasted here. I copied from the SSH2 private key, which is a long hex string.
It will not accept it, and you can see the error.

Mel78, CISSP, ECE

That is not a proper PEM format key.

Refer here for the correct format.

http://how2ssl.com/articles/working_with_pem_files/
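
Added example, not part of the thread and not Extreme's own tooling: a pre-paste check showing that the string rejected above is the colon-separated hex of the PEM header text rather than the PEM text itself. The function names and `SAMPLE_PEM` (placeholder bytes, not a real key) are constructed for illustration; the check covers only the BEGIN/END armor and base64 body of an unencrypted PEM, not whether the key is cryptographically valid.

```python
import base64
import re

# Hex line copied from the console session in this thread (truncated there).
CONSOLE_LINE = ("2d:2d:2d:2d:2d:42:45:47:49:4e:20:52:53:41:20:50:52:49:56:"
                "41:54:45:20:4b:45:59:2")

# Constructed sample: placeholder bytes in PEM armor, NOT a usable key.
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(b"\x30\x82" + bytes(46)).decode()
              + "\n-----END RSA PRIVATE KEY-----\n")

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----\s*$", re.S)
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{0,2}$")


def decode_colon_hex(text):
    """Turn 'aa:bb:cc' back into the text it encodes; a trailing partial
    octet (as in the truncated console line) is dropped."""
    octets = [o for o in "".join(text.split()).split(":") if len(o) == 2]
    return bytes(int(o, 16) for o in octets).decode("ascii", "replace")


def classify(pasted):
    """Return (kind, detail) for text about to be pasted as a PEM key."""
    stripped = pasted.strip()
    if HEX_RE.match("".join(stripped.split())):
        # Hex dump of the key file: report what the bytes actually spell.
        return "hex-dump", decode_colon_hex(stripped)
    m = PEM_RE.match(stripped)
    if not m:
        return "not-pem", "missing or mismatched BEGIN/END armor lines"
    label, body = m.groups()
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not-pem", "body is not valid base64"
    return "pem", f"{label}, {len(der)} bytes of DER"


if __name__ == "__main__":
    for name, text in (("console", CONSOLE_LINE), ("sample", SAMPLE_PEM)):
        print(name, "->", classify(text))
```
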


Arjumand Qazi

Thanks Wong,
So it should be the client side that provides me with a proper digital certificate, which is generally a PEM file?
I see no commands in XOS which generate that certificate which will have that proper key.
Or is there a way to generate a free certificate?

Brandon Clay, Escalation Support Engineer

Can you get the output of 'show management' and paste it here?

Arjumand Qazi

sh man
CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled (this session only)
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Disabled
CLI password prompting only      : Disabled
CLI RADIUS cmd authorize tokens  : 2
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Enabled (this session only)
CLI screen size                  : 24 Lines 80 Columns (this session only)
CLI refresh                      : Enabled
Telnet access                    : Enabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Secure-Mode    : Off
                                 : Access Profile : not set
SSH2 idle time                   : 60 minutes
Web access                       : Enabled (tcp port 80)
                                 : Access Profile : not set
Total Read Only Communities      : 1
Total Read Write Communities     : 1
RMON                             : Disabled
SNMP access                      : Enabled
                                 : Access Profile : not set
SNMP Compatibility Options       :
    GETBULK Reply Too Big Action : Too Big Error
    IP Fragmentation             : Disallow
SNMP Notifications               : Enabled
SNMP Notification Receivers  : None
SNMP stats:     InPkts 0       OutPkts   0       Errors 0       AuthErrors 0
                Gets   0       GetNexts  0       Sets   0       Drops      0
SNMP traps:     Sent   0       AuthTraps Enabled
SNMP inform:    Sent   0       Retries   0       Failed 0
X460G2-24t-G4.8 #

Brandon Clay, Escalation Support Engineer

It looks like SSH is enabled and has a valid key. Does it let you try to log in and then reject you? Or reject before you can put in your password?