My RSA keys never change during reload etc. Based on that I get the feeling that someone (an engineer) changed something and told no one. Just my 2 cents.
-----Original Message-----
From: Jens von Bülow [mailto:[EMAIL PROTECTED]]
Sent: 10 February 2003 15:31
To: [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed [7:62749]

Andrew,

Of interest is that the RSA key was generated sometime after my reboot of the router. It looks like PDM (because this was the only way I could access the device) created a new key for me, or at some point... Not sure when...

Anyway, I "ca zeroize rsa"-ed, "ca generate rsa key"-ed and "ca save all"-ed my CA stuff. It now behaves as expected through a reboot.

One question, though: how do I trust my PIX again? (FWIW, we archive the configs of the PIX on a regular basis and the config hasn't changed.)

Anybody else ever seen their CA configs break during a power cycle?

Regards
Jens

-----Original Message-----
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: 10 February 2003 02:24
To: [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed [7:62747]

The RSA key pair is generated when you want to enable SSH access to the unit. The command for this is "ca generate rsa key". You need to have configured the hostname and domain name before using this command. Remember to do the "ca save all" afterwards. Try that and see if the key changes again after a reload.

As far as I remember (rather rusty here), the RSA key pair is saved to some other memory on the PIX (anyone correct me if I am wrong).

As for your IPSec question: are you using certificates or preshared keys? If you are using certificates, then I think it is the same key; it depends on how you set it up originally (there are two key types, general and special). If you never specified this, then a general key is created.

Let us know how it goes.
Andrew

-----Original Message-----
From: Jens von Bülow [mailto:[EMAIL PROTECTED]]
Sent: 10 February 2003 14:06
To: Andrew Larkins; [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed [7:62743]

That is what I suspect, or perhaps an overzealous engineer. Does one specify the RSA key for SSH (is it the same as the one for the IPSec stuff)? How would one change such a thing? I don't remember ever having to create one during the initial installation.

PS: I rebooted the box and noticed that the key once again changed. Could this problem be a result of a corrupt flash card?

-----Original Message-----
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: 10 February 2003 01:48
To: [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed [7:62743]

This means that someone changed the RSA key on the PIX and that it only became active after the reboot. Verify with your guys that they changed nothing; otherwise it could be a sort of "attack".

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62752&t=62752
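Added example, not part of the thread above. Jens's question "how do I trust my PIX again?" has only one good answer: compare the fingerprint in the SSH client's warning with the fingerprint of the key the firewall itself shows on its console (on PIX 6.x that would be `show ca mypubkey rsa`, as far as I recall; treat the command as an assumption). The Python below re-implements what an OpenSSH client does when it decides to print "REMOTE HOST IDENTIFICATION HAS CHANGED": it encodes an ssh-rsa public key in the wire format that known_hosts stores, computes the SHA256 fingerprint (as `ssh-keygen -lf` prints it) and the MD5 colon-hex fingerprint that 2003-era clients printed, matches plain and HashKnownHosts-style host fields, and classifies the presented key as match, changed or unknown. Hostnames, addresses and moduli are constructed for the example; the moduli are arbitrary odd 1024-bit integers, not real RSA keys.

```python
"""Added example (not from the thread): reproduce OpenSSH's known_hosts check so the
fingerprint in a 'REMOTE HOST IDENTIFICATION HAS CHANGED' warning can be compared with
the key the firewall reports out of band."""
import base64
import hashlib
import hmac
import struct


def _string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so a 0x00 byte is prepended when the top bit is set."""
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an 'ssh-rsa' public key (RFC 4253 6.6): string "ssh-rsa", mpint e, mpint n.
    This is what sits base64-encoded in known_hosts and what fingerprints are computed over."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprints(blob: bytes) -> tuple:
    """(SHA256 fingerprint as modern ssh/ssh-keygen print it, MD5 fingerprint as 2003-era OpenSSH did)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if the comma-separated known_hosts host field names `host` (plain or |1| hashed form)."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pattern == host:
            return True
    return False


def host_key_status(known_hosts: str, host: str, observed: bytes, keytype: str = "ssh-rsa") -> str:
    """Mirror OpenSSH's host-key decision for `host`:
    'match'   - a stored key of this type equals the key the server just presented,
    'changed' - stored key(s) of this type exist but none equal it (the warning in the thread),
    'unknown' - no stored key of this type for this host (first-connection prompt)."""
    seen_same_type = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blank, comment, or @cert-authority/@revoked marker (not handled here)
        parts = line.split()
        if len(parts) < 3 or parts[1] != keytype or not host_matches(parts[0], host):
            continue
        seen_same_type = True
        if hmac.compare_digest(base64.b64decode(parts[2]), observed):
            return "match"
    return "changed" if seen_same_type else "unknown"


# --- constructed sample data (assumptions, not taken from the thread) ---------------------
E = 65537


def _fake_modulus(label: bytes) -> int:
    """An arbitrary odd 1024-bit integer; NOT a real RSA modulus, it only exercises the encoding."""
    return int.from_bytes(hashlib.sha256(label).digest() * 4, "big") | (1 << 1023) | 1


OLD_BLOB = ssh_rsa_blob(E, _fake_modulus(b"pix key before the reboot"))
NEW_BLOB = ssh_rsa_blob(E, _fake_modulus(b"pix key after ca generate rsa key"))
# Hypothetical hostname and address standing in for the firewall in the thread.
KNOWN_HOSTS = "pix-fw01,192.0.2.1 ssh-rsa %s admin@mgmt\n" % base64.b64encode(OLD_BLOB).decode()


def main():
    for label, blob in (("stored", OLD_BLOB), ("presented", NEW_BLOB)):
        print("%-9s %s  %s" % (label, *fingerprints(blob)))
    if host_key_status(KNOWN_HOSTS, "pix-fw01", NEW_BLOB) == "changed":
        print("WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! Compare the 'presented'")
        print("fingerprint with the one shown on the firewall console before accepting it.")


if __name__ == "__main__":
    main()
```

The fingerprint printed for the stored entry must equal `ssh-keygen -lf` on that known_hosts line, and the one for the presented key must equal what the console shows; a regenerated key pair (`ca zeroize rsa` followed by `ca generate rsa key`, as in the thread) produces a different modulus and therefore a different fingerprint, which is exactly why the client warns. Accepting the new key is only justified once the console fingerprint has been read over a path the suspected intruder could not have tampered with.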