Downgrading or Upgrading from Releases that Support Different Key Sizes

Use this procedure if you need to downgrade or upgrade from a release that supports different key sizes.

Different releases can support different DSA host key, RSA host key, and DSA user key sizes. If you upgrade or downgrade to a release that does not support the same key size, you must delete all of the keys from the .ssh directory and generate new keys for SSH. If you do not, keys with sizes that are no longer supported will not function.

You only need to perform this procedure if you have previously generated DSA host, RSA host, or DSA user keys with a release that supports different key sizes.

Procedure

  1. Use the following command to disable SSH:

    no ssh

  2. From the config terminal, go to the .ssh directory using the command:

    cd /intflash/.ssh

  3. After you upgrade or downgrade, delete the following keys from the .ssh directory:
    ssh_dss.key 
    ssh_rsa.key 
    moc_sshc_dsa_file 
    moc_sshc_rsa_file 
    id_dsa_rwa 
    id_dsa_rwa.pub 
    id_rsa_rwa 
    id_rsa_rwa.pub 
    moc_sshc_dsa_file_fed 
    moc_sshc_rsa_file_fed 
    known_hosts 
    ssh_ecdsa.key 
    dsa_key_<access level like rwa/rw/ro/admin/security/privilege/operator/auditor>, example: dsa_key_rwa
    rsa_key_<access level like rwa/rw/ro/admin/security/privilege/operator/auditor>, example: rsa_key_rwa
    
  4. Generate a new DSA host key:

    ssh dsa-host-key [<1024–1024>]

  5. Generate a new SSH DSA user key:

    ssh dsa-user-key WORD<1–15> [size <1024–1024>]

  6. Generate a new RSA host key:

    ssh rsa-host-key [<1024–2048>]
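The following is an added example, not part of the original procedure or the vendor's tooling: a workstation-side Python helper that takes a captured file listing of /intflash/.ssh, separates the files step 3 says to delete from anything else, and builds the step 4 to 6 commands while rejecting values outside the ranges shown above. The function names and the sample listing are hypothetical, and it assumes WORD<1–15> means a word of 1 to 15 characters with no spaces.

```python
import re

# File names from step 3 of the procedure.
FIXED_NAMES = {
    "ssh_dss.key", "ssh_rsa.key", "ssh_ecdsa.key", "known_hosts",
    "moc_sshc_dsa_file", "moc_sshc_rsa_file",
    "moc_sshc_dsa_file_fed", "moc_sshc_rsa_file_fed",
    "id_dsa_rwa", "id_dsa_rwa.pub", "id_rsa_rwa", "id_rsa_rwa.pub",
}
# Access levels named in step 3 for dsa_key_<level> and rsa_key_<level>.
LEVELS = "rwa|rw|ro|admin|security|privilege|operator|auditor"
PER_LEVEL = re.compile(rf"^(dsa|rsa)_key_({LEVELS})$")


def _names(listing):
    """One file name per line; blank lines are ignored."""
    return {line.strip() for line in listing.splitlines() if line.strip()}


def files_to_delete(listing):
    """Names in the listing that step 3 says to delete, sorted."""
    return sorted(n for n in _names(listing)
                  if n in FIXED_NAMES or PER_LEVEL.match(n))


def unexpected_files(listing):
    """Names not on the step 3 list; review these by hand."""
    return sorted(_names(listing) - set(files_to_delete(listing)))


def regen_commands(user_word, rsa_bits):
    """Build the step 4-6 commands, enforcing the ranges shown on the page."""
    if not re.fullmatch(r"\S{1,15}", user_word):  # assumed meaning of WORD<1-15>
        raise ValueError("user key word must be 1-15 characters, no spaces")
    if not 1024 <= rsa_bits <= 2048:              # range from step 6
        raise ValueError("RSA host key size must be within 1024-2048")
    return [
        "ssh dsa-host-key 1024",                  # only 1024 is accepted (step 4)
        f"ssh dsa-user-key {user_word} size 1024",
        f"ssh rsa-host-key {rsa_bits}",
    ]


# Constructed sample listing, not captured from a real device.
SAMPLE_LISTING = """ssh_rsa.key
dsa_key_rwa
rsa_key_auditor
known_hosts
authorized_keys
dsa_key_guest
"""
```

Files returned by `unexpected_files` are not covered by step 3, so the helper reports them rather than adding them to the delete list.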