Don't forget the "ca save all" command to save the key once you generate it.
Otherwise it will go away when you reboot the PIX.

Rik

-----Original Message-----
From: Mark Odette II [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 2:21 AM
To: [EMAIL PROTECTED]
Subject: RE: SSH RSA key [7:40297]


John, I have some new info, but also some info that we were told via the
list response yesterday.

1. From the Cisco PIX FW Command Reference for 6.1:
" The 'ca generate rsa' command is not saved in the PIX Firewall
configuration.  However, the keys generated by this command are saved in a
persistent data file in Flash memory, which can be viewed with the 'show ca
mypubkey rsa' command." Page 3-10
-- the 'show ca mypubkey rsa' command is what you issue to view your SSH RSA
key.  It should actually show you two keys, which are labeled: General
Purpose Key, and Encryption Key.... i.e., Public/Private key pair.

2. From the same reference:
"Note- You must generate an RSA Key-Pair for the PIX Firewall before clients
can connect to the PIX Firewall Console.  To use SSH, your PIX Firewall must
have a DES or 3DES activation key installed." Page 7-17

3. From the same reference:
"The 'SHOW FLASHFS' command displays the size in bytes of each filesystem
sector and the current state of the filesystem.  The data in each sector is
as follows:

*file 0 - PIX FW binary image, where the .bin file is stored.
*file 1 - PIX FW config data that you can view with the 'show config'
command.
*file 2 - PIX FW datafile that stores IPSec key and certificate information.
*file 3 - 'FlashFs downgrade' information for the 'show flashfs' command."
Page 4-34

Now interestingly enough, it doesn't mention anything about what "File 4"
is, as shown by the following output on my personal PIX:

cisco-pix# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:2469944
  file 1: origin: 2490368 length:4183
  file 2: origin:       0 length:0
  file 3: origin: 2621440 length:3528136
  file 4: origin: 7864320 length:280
cisco-pix#

.............. and if you notice, "File 2" seems blank, yet I have generated
an RSA key, and then reconnected to my PIX with an SSH client to get the
output of the Show FlashFS command.  I suspect the RSA key data is being
kept in the "File 4" of my PIX Flash filesystem.

For a Cisco router, I'm not sure where the RSA key data is kept, but I would
not be surprised if it is kept on the Flash filesystem there too.  Of
course, watch me be wrong, and it's kept in NVRAM.

Hope that answered your questions.

-Mark Odette II
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Wednesday, April 03, 2002 12:16 AM
To: [EMAIL PROTECTED]
Subject: SSH RSA key [7:40297]


How to read the SSH RSA key in a PIX and a Cisco router?

what is the command and where is it stored ? nvram ?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40397&t=40297
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
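The thread's practical check is the one Mark walks through by hand: read 'show flashfs', see which sectors are populated, and compare that with the sector roles the 6.1 command reference documents (file 2 being the IPSec key/certificate store). Below is an added example, written for this page and not code from the thread or from Cisco, that parses that output and produces the same audit automatically: it flags an empty file 2 so the operator knows to confirm with 'show ca mypubkey rsa' and 'ca save all' that the key survives a reboot, flags sector indexes the reference does not document (file 4 here), and sanity-checks that non-empty sectors do not overlap. The sample input is the 'show flashfs' output quoted in the thread; the FILE_ROLES labels are paraphrased from the quoted reference, and the "undocumented" label for file 4 is an assumption, since the thread itself says the reference does not describe it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the 'show flashfs' output quoted in the thread above.
SAMPLE_SHOW_FLASHFS = """\
cisco-pix# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:2469944
  file 1: origin: 2490368 length:4183
  file 2: origin:       0 length:0
  file 3: origin: 2621440 length:3528136
  file 4: origin: 7864320 length:280
cisco-pix#
"""

# Sector roles as paraphrased from the PIX 6.1 command reference quoted in the
# thread (files 0-3).  File 4 is not described there; "undocumented" is our
# own label, not something the reference states.
FILE_ROLES = {
    0: "PIX image (.bin)",
    1: "configuration (show config)",
    2: "IPSec key and certificate store",
    3: "FlashFs downgrade information",
}
KEY_STORE_INDEX = 2

FILE_RE = re.compile(r"^\s*file\s+(\d+):\s+origin:\s*(\d+)\s+length:\s*(\d+)\s*$")


@dataclass(frozen=True)
class FlashFile:
    index: int
    origin: int
    length: int

    @property
    def end(self) -> int:
        # First byte past the sector; used for the overlap check.
        return self.origin + self.length


def parse_show_flashfs(text: str) -> Dict[int, FlashFile]:
    """Parse the 'file N: origin: X length: Y' lines of 'show flashfs'."""
    files: Dict[int, FlashFile] = {}
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            idx, origin, length = (int(g) for g in m.groups())
            files[idx] = FlashFile(idx, origin, length)
    return files


def empty_files(files: Dict[int, FlashFile]) -> List[int]:
    """Sector indexes whose length is zero (nothing stored there)."""
    return sorted(i for i, f in files.items() if f.length == 0)


def overlapping_files(files: Dict[int, FlashFile]) -> List[Tuple[int, int]]:
    """Pairs of non-empty sectors whose byte ranges overlap (should be none)."""
    populated = sorted((f for f in files.values() if f.length > 0),
                       key=lambda f: f.origin)
    clashes = []
    for prev, cur in zip(populated, populated[1:]):
        if cur.origin < prev.end:
            clashes.append((prev.index, cur.index))
    return clashes


def audit(text: str) -> List[str]:
    """Findings an operator would want after generating an SSH RSA key."""
    files = parse_show_flashfs(text)
    findings: List[str] = []
    key_store = files.get(KEY_STORE_INDEX)
    if key_store is None or key_store.length == 0:
        findings.append(
            f"file {KEY_STORE_INDEX} ({FILE_ROLES[KEY_STORE_INDEX]}) is empty: "
            "confirm the key with 'show ca mypubkey rsa' and run 'ca save all', "
            "otherwise it is lost on reboot")
    for idx in sorted(files):
        if idx not in FILE_ROLES and files[idx].length > 0:
            findings.append(
                f"file {idx} is populated ({files[idx].length} bytes) but not "
                "documented in the 6.1 reference sector list")
    for a, b in overlapping_files(files):
        findings.append(f"file {a} and file {b} overlap in flash")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_FLASHFS):
        print("-", finding)
```

Run it against a saved copy of 'show flashfs' (for example after 'ca generate rsa key' and again after 'ca save all') to see whether the key sector changes; on the thread's sample it reports the empty file 2 and the undocumented file 4, which is exactly what Mark noticed by eye.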
