Fixing “Bad server host key: Invalid key length” on a Cisco Nexus Device

On a Cisco Nexus device, fixing the “Bad server host key: Invalid key length” issue typically involves verifying and potentially regenerating the SSH keys on the device. Here are the steps you can follow:

1. Verify SSH Key Length and Type

Cisco Nexus devices support several SSH host key types, such as RSA and DSA. Check that the existing host key is of a supported type and an adequate length; for RSA keys, the supported lengths are generally 2048 or 4096 bits.

2. Regenerate SSH Keys

If the keys are outdated or corrupted, you might need to regenerate them. To regenerate SSH keys on a Cisco Nexus device:

  a. Connect to the Device

Connect to the Cisco Nexus device via console or an existing SSH session.

  b. Enter Global Configuration Mode

configure terminal

  c. Regenerate the RSA Key

First, delete the existing key:

no ssh key rsa

Then, generate a new key:

ssh key rsa 2048 force

  d. Save the Configuration

copy running-config startup-config

3. Update SSH Client Known Hosts

Regenerating the host key changes the fingerprint that SSH clients have cached, so a client may now refuse the connection because of the stale entry in its known_hosts file. Use the following command on the client to remove the old entry associated with the Nexus device’s IP or hostname:

ssh-keygen -R <hostname_or_ip>

4. Check SSH Configuration

Ensure that the SSH configuration on the Cisco Nexus device is correct:

show running-config | include ssh

Verify that SSH is enabled and the correct keys are being used. If necessary, you can explicitly specify the key type and length in the configuration.

5. Enable Debugging

If the problem persists, you can enable debugging on the Nexus device to get more information about the SSH connection attempts:

debug ip ssh

Remember to disable debugging after you have gathered the necessary information:

undebug all
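As an added check that is not part of the original post: the script below decodes an ssh-rsa host key in the format ssh-keyscan prints (and known_hosts stores) and reports whether its modulus meets the 1024-bit minimum OpenSSH enforces, which is the check behind the "Invalid key length" message, or the 2048 bits used in the regeneration step above. The key blobs it builds are constructed test data, not keys from a real device.

```python
import base64
import struct

# OpenSSH refuses RSA host keys whose modulus is shorter than 1024 bits and
# reports "Invalid key length"; a 768-bit key, for example, triggers it.
OPENSSH_MIN_RSA_BITS = 1024
RECOMMENDED_RSA_BITS = 2048

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def rsa_modulus_bits(b64_key):
    """Modulus size in bits of a base64-encoded 'ssh-rsa' public key blob."""
    blob = base64.b64decode(b64_key)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    _exponent, off = _read_string(blob, off)  # mpint e, not needed here
    modulus, _ = _read_string(blob, off)      # mpint n
    return int.from_bytes(modulus, "big").bit_length()

def check_known_hosts_line(line):
    """Classify one 'host keytype base64' line (ssh-keyscan / known_hosts format)."""
    host, key_type, b64_key = line.split()[:3]
    if key_type != "ssh-rsa":
        return host, key_type, None, "not RSA; this error does not apply"
    bits = rsa_modulus_bits(b64_key)
    if bits < OPENSSH_MIN_RSA_BITS:
        verdict = "rejected by OpenSSH; regenerate with 'ssh key rsa 2048 force'"
    elif bits < RECOMMENDED_RSA_BITS:
        verdict = "accepted but short; 2048 bits recommended"
    else:
        verdict = "ok"
    return host, key_type, bits, verdict

def make_test_blob(bits, e=65537):
    """Constructed sample key (not a real device key): synthetic odd modulus of `bits` bits."""
    def mpint(v):  # SSH mpint: length-prefixed big-endian; leading 0x00 keeps it positive
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint((1 << (bits - 1)) | 1)
    return base64.b64encode(blob).decode()

if __name__ == "__main__":
    # Offline demo on constructed 768-bit and 2048-bit keys; for a real device,
    # feed in the output of: ssh-keyscan -t rsa <hostname_or_ip>
    for line in ["nexus-768 ssh-rsa " + make_test_blob(768),
                 "nexus-2048 ssh-rsa " + make_test_blob(2048)]:
        print("%s %s %s bits: %s" % check_known_hosts_line(line))
```

Run it against `ssh-keyscan -t rsa <hostname_or_ip>` output before and after regenerating the key to confirm the device now presents a 2048-bit key.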

By following these steps, you should be able to resolve the “Bad server host key: Invalid key length” issue on a Cisco Nexus device. If the problem continues, providing more details about the device model and software version may help in further troubleshooting.

About Daniel Fredrick

Technology enthusiast, Programmer, Network Engineer CCIE# 17094
