Learn how to resolve the “SSH Server Public Key Too Small” vulnerability on Cisco MDS switches. This tutorial walks you through verifying the current RSA key size, disabling SSH, generating a new 2048-bit RSA key, and re-enabling SSH securely.
Hi Everyone!
In this video let us learn how to remediate the vulnerability "SSH Server Public Key Too Small" on a Cisco MDS switch. Vulnerability scanners flag RSA host keys shorter than 2048 bits as weak. First verify the key currently configured on the switch with the command show ssh key. You can see that an RSA key with a bitcount of 1024 is in use.
It is recommended to use an RSA key of at least 2048 bits, or to switch to an ECDSA or EdDSA key. In this example let us change the RSA key length. Log in to the switch via the serial console or telnet, because regenerating the key requires disabling the SSH server, which drops any active SSH session, including your own.
In this example I have logged in to the switch via telnet; you can verify that the telnet feature is enabled. Disable the SSH server with the command no feature ssh in configuration mode. Generate a new RSA key of 2048 bits or larger with ssh key rsa 2048; because a key already exists, the force keyword is needed to overwrite it. Re-enable SSH with feature ssh.
Verify the new key with show ssh key. You can see that the RSA bitcount has now changed to 2048. Save the running configuration to startup with copy running-config startup-config so the new key survives a reload. Note that SSH clients which cached the old host key will warn about a changed key on their next connection, and if telnet was enabled only for this change, disable it again afterwards since it carries credentials in clear text.
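The check below is an added example, not part of the video and not a Cisco tool. It parses show ssh key output into the key type, the printed bitcount and the ssh-rsa blob, measures the modulus size from the blob itself (so a misleading bitcount line cannot hide a short key), and prints the NX-OS command sequence used above when the key is too small. The sample output is constructed to mirror the NX-OS layout, and its key blobs are built from synthetic moduli of the right bit length rather than real keys.

```python
"""Audit Cisco MDS / NX-OS 'show ssh key' output for an RSA host key under
2048 bits, measuring the key itself, and list the CLI steps to replace it."""
import base64
import re
import struct

MIN_RSA_BITS = 2048
RSA_E = 65537
# Synthetic moduli for the constructed sample data: right bit length, not real keys.
WEAK_N = (1 << 1023) | 1
STRONG_N = (1 << 2047) | 1


def _ssh_string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' (RFC 4251): big-endian, with a leading 0x00 when the top
    bit is set so the value reads as positive two's complement."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)


def make_ssh_rsa_blob(e: int, n: int) -> str:
    """Base64 'ssh-rsa' blob: string "ssh-rsa", mpint e, mpint n."""
    return base64.b64encode(
        _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def rsa_bits_from_blob(b64: str) -> int:
    """Modulus size in bits taken from the blob, not from the printed bitcount."""
    data = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        fields.append(data[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[2], "big").bit_length()


def render_show_ssh_key(n: int, bitcount: int) -> str:
    """Constructed 'show ssh key' output in the NX-OS layout (sample data for
    this example, not captured from a switch)."""
    bar = "*" * 38
    return "\n".join([
        bar, "rsa Keys generated:Thu Jun 29 10:33:00 2017", "",
        "ssh-rsa " + make_ssh_rsa_blob(RSA_E, n), "",
        f"bitcount:{bitcount}", "fingerprint:", "(omitted)",
        bar, "could not retrieve dsa key information", bar, ""])


def parse_show_ssh_key(output: str) -> list:
    """One dict per key present: type, printed bitcount, base64 blob."""
    keys = []
    for block in re.split(r"\*{10,}", output):
        head = re.search(r"^(\w+) Keys generated:", block, re.M)
        if not head:
            continue
        bits = re.search(r"bitcount:\s*(\d+)", block)
        blob = re.search(r"^ssh-\S+\s+(\S+)", block, re.M)
        keys.append({"type": head.group(1),
                     "bitcount": int(bits.group(1)) if bits else None,
                     "blob": blob.group(1) if blob else None})
    return keys


def audit(output: str) -> dict:
    """Flag an RSA key below MIN_RSA_BITS. The blob is authoritative; a printed
    bitcount that disagrees with it is reported as a mismatch."""
    for key in parse_show_ssh_key(output):
        if key["type"] != "rsa":
            continue
        bits = rsa_bits_from_blob(key["blob"]) if key["blob"] else key["bitcount"]
        return {"bits": bits, "weak": bits < MIN_RSA_BITS,
                "bitcount_mismatch": key["bitcount"] not in (None, bits)}
    return {"bits": None, "weak": None, "bitcount_mismatch": False}


def remediation_commands(bits: int = 2048) -> list:
    """The tutorial's NX-OS steps, in order. Run them on the console or a
    telnet session: 'no feature ssh' drops every SSH session."""
    return ["configure terminal",
            "no feature ssh",
            f"ssh key rsa {bits} force",   # force: overwrite the existing key
            "feature ssh",
            "end",
            "show ssh key",
            "copy running-config startup-config"]


if __name__ == "__main__":
    before = audit(render_show_ssh_key(WEAK_N, 1024))
    if before["weak"]:
        print("\n".join(remediation_commands()))
    print(audit(render_show_ssh_key(STRONG_N, 2048)))
```

In practice you would feed audit() the text captured from the real switch (for example over a console session) instead of render_show_ssh_key(); the parser only needs the "Keys generated" header, the ssh-rsa line and the bitcount line, and it tolerates the "could not retrieve ... key information" blocks for key types that are not configured.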
Thank you for watching.