Cisco Cloud Services Router (CSR) 1000v “SSH: Generated Key is not for SSH. Ignoring.”


What if you’re trying to enable SSH on a CSR 1000v and pulling your hair out because it’s not working? First run ‘show ip ssh’ and see whether SSH is enabled or disabled.

RIS01-EVEREST#show ip ssh
SSH Disabled — version 2.0
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
<snip>

If you get the above output then you are indeed missing SSH RSA keys. Running ‘crypto key generate rsa’ or ‘crypto key generate rsa modulus 2048’ on its own is not enough to get SSH working. If you turn on SSH debugging with ‘debug ip ssh’¹ and generate the RSA keys again, you will see the following debug messages.

SSH: Generated key is RIS01-EVEREST.mgmt.local
SSH: Generated key is RIS01-EVEREST.mgmt.local is not for SSH. Ignoring.

The Fix: Run ‘crypto key generate rsa modulus 4096 label ssh-key’

(SSH v2 needs a modulus larger than 512 bits; 2048 or 4096 is recommended.)

If you still have SSH debugging on, you will see the following messages:

SSH: Generated key is ssh-key
SSH: host key initialised
SSH: %SSH-5-ENABLED: SSH 2.0 has been enabled
SSH: Generated key is ssh-key.server
SSH: successfully generated server key

Running ‘show ip ssh’ again shows the service is now enabled.

RIS01-EVEREST#show ip ssh
SSH Enabled — version 2.0
<snip>
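As an added example (not the post’s own tooling), a small Python checker that parses the ‘show ip ssh’ and ‘debug ip ssh’ transcripts above so the “not for SSH. Ignoring.” condition and a disabled server are caught by an automated audit rather than by eye. The regexes and the sample strings are constructed from the output on this page; the hostname is the one the post uses.

```python
import re

# Patterns for the IOS output shown on this page (a plain '-' or a dash between status and version).
STATUS_RE = re.compile(r"^SSH (Enabled|Disabled)\s*[-\u2014]+\s*version\s+([\d.]+)", re.M)
NEED_KEYS_RE = re.compile(r"^%Please create RSA keys to enable SSH", re.M)
IGNORED_RE = re.compile(r"^SSH: Generated key is (\S+) is not for SSH\. Ignoring\.$", re.M)


def parse_show_ip_ssh(text):
    """Return {'enabled', 'version', 'needs_keys'} from 'show ip ssh' output."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no 'SSH Enabled/Disabled' status line found")
    return {
        "enabled": m.group(1) == "Enabled",
        "version": m.group(2),
        "needs_keys": bool(NEED_KEYS_RE.search(text)),
    }


def ignored_keys(debug_text):
    """Names of generated keys the SSH server refused because they were not made for SSH."""
    return IGNORED_RE.findall(debug_text)


def audit(show_text, debug_text=""):
    """Findings for one device; an empty list means SSH 2.0 is up with a usable key."""
    findings = []
    status = parse_show_ip_ssh(show_text)
    if not status["enabled"]:
        findings.append("ssh-disabled")
    if status["needs_keys"]:
        findings.append("no-rsa-keys")
    if status["version"] != "2.0":
        findings.append("ssh-version-" + status["version"])
    for name in ignored_keys(debug_text):
        findings.append("key-ignored:" + name)
    return findings


# Constructed samples, copied from the transcripts on this page.
BEFORE_SHOW = ("RIS01-EVEREST#show ip ssh\nSSH Disabled - version 2.0\n"
               "%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).\n")
BEFORE_DEBUG = ("SSH: Generated key is RIS01-EVEREST.mgmt.local\n"
                "SSH: Generated key is RIS01-EVEREST.mgmt.local is not for SSH. Ignoring.\n")
AFTER_SHOW = "RIS01-EVEREST#show ip ssh\nSSH Enabled - version 2.0\n"
AFTER_DEBUG = ("SSH: Generated key is ssh-key\nSSH: host key initialised\n"
               "SSH: %SSH-5-ENABLED: SSH 2.0 has been enabled\n"
               "SSH: Generated key is ssh-key.server\nSSH: successfully generated server key\n")
```

Running audit(BEFORE_SHOW, BEFORE_DEBUG) reports the disabled server, the missing keys and the ignored FQDN-named key; audit(AFTER_SHOW, AFTER_DEBUG) returns an empty list.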

2020 Update: I came across this issue again on a 16.07 Fuji build where, after a reboot, my SSH keys disappeared and I had to log in on the console and re-generate them in order to get SSH working again. Cisco has a bug for this, but I imagine with all of the Azure and AWS SSH key issues something like this will continue to be a problem. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz72344


[1] Run ‘undebug all’ or ‘no debug ip ssh’ to turn off SSH debugging