Starting with version 22.5, when you install ExtremeXOS for the first time, the following SSH parameters are enabled by default:
Other OpenSSH 7.5p1 supported MACs and ciphers listed in Understanding SSH Server are disabled by default.
When upgrading from earlier releases to ExtremeXOS 22.5 and later, supported ciphers, MACs, public key algorithms, and Diffie-Hellman groups are inherited from the earlier releases.
Note
DSA (ssh-dss) host key algorithms are not supported in either the server or the client in ExtremeXOS 22.5 and later. However, for backward compatibility, DSA is supported in the server after an upgrade to ExtremeXOS 22.5 and later if a DSA host key is present in the earlier release.
Version 32.5 adds support for two new host key algorithms: rsa-sha2-256 and rsa-sha2-512. While the default algorithm remains ssh-rsa, this SHA-1 algorithm is weak and not recommended. In version 32.5, you can use the CLI to select the host key algorithm from the list of three options.
During an upgrade to version 32.5, the ssh-rsa type host key present in the switch is used, but the following EMS log will be generated when the switch starts:
04/25/2023 08:19:25.67 <Noti:exsshd.CfgHostKeyAlgWeak> The configured host key algorithm(s), ssh-rsa, is/are weaker than what is recommended.
# configure ssh2 key algorithm rsa-sha2-256
New key algorithm will be usable after disable and enable SSH or 'restart process exsshd'.
Warning: Legacy clients that do not support this algorithm will not connect with the switch's SSH server.
The following command configures the host key algorithm:
configure ssh2 key algorithm [ssh-rsa | rsa-sha2-256 | rsa-sha2-512]
Use the show ssh2 command to display current and configured algorithms.
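To find switches still running with the weak ssh-rsa host key algorithm after an upgrade, collected EMS logs can be searched for the exsshd.CfgHostKeyAlgWeak message shown above. The following is an added example, not Extreme Networks code; the function name, the placeholder log lines, and the assumption that several algorithms would appear comma-separated are illustrative.

```python
import re
from datetime import datetime

# Algorithms the page lists as selectable; ssh-rsa is the SHA-1 one it calls weak.
RECOMMENDED = ("rsa-sha2-256", "rsa-sha2-512")

# EMS line layout as shown on the page: date time <Sev:component.condition> text
EMS_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<(?P<sev>\w+):(?P<event>[\w.]+)> (?P<msg>.*)$"
)
WEAK_MSG = re.compile(r"host key algorithm\(s\), (?P<algs>.+?), is/are weaker")


def find_weak_host_key_events(lines):
    """Return one dict per exsshd.CfgHostKeyAlgWeak event found in lines."""
    findings = []
    for line in lines:
        m = EMS_LINE.match(line.strip())
        if not m or m["event"] != "exsshd.CfgHostKeyAlgWeak":
            continue
        w = WEAK_MSG.search(m["msg"])
        if not w:
            continue  # event name matched but text did not; skip rather than guess
        # Assumption: several algorithms would be comma-separated.
        algs = [a.strip() for a in w["algs"].split(",") if a.strip()]
        findings.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
            "severity": m["sev"],
            "weak_algorithms": algs,
            "suggested": [a for a in RECOMMENDED if a not in algs],
        })
    return findings


# Constructed sample: the second line is the message quoted on the page,
# the others are made-up placeholders to show non-matching input.
SAMPLE_LOG = [
    "04/25/2023 08:19:24.10 <Info:example.Placeholder> Constructed unrelated line.",
    "04/25/2023 08:19:25.67 <Noti:exsshd.CfgHostKeyAlgWeak> The configured host key "
    "algorithm(s), ssh-rsa, is/are weaker than what is recommended.",
    "not an EMS line at all",
]

if __name__ == "__main__":
    for f in find_weak_host_key_events(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} weak: {', '.join(f['weak_algorithms'])}; "
              f"configure one of: {', '.join(f['suggested'])}")
```

Each finding marks a switch where configure ssh2 key algorithm should be run with one of the suggested values, followed by disabling and enabling SSH or restarting exsshd as the CLI output states.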