Version 32.5 adds support for two new host key algorithms: rsa-sha2-256 and rsa-sha2-512. The default algorithm remains ssh-rsa, but this SHA-1 algorithm is weak and not recommended. In version 32.5, you can use the CLI to select the host key algorithm from these three options.
During an upgrade to version 32.5, the existing ssh-rsa host key on the switch is used, but the following EMS log message is generated when the switch starts:
04/25/2023 08:19:25.67 <Noti:exsshd.CfgHostKeyAlgWeak> The configured host key algorithm(s), ssh-rsa, is/are weaker than what is recommended.
# configure ssh2 key algorithm rsa-sha2-256
New key algorithm will be usable after disable and enable SSH or 'restart process exsshd'.
Warning: Legacy clients that do not support this algorithm will not connect with the switch's SSH server.
Use the show ssh2 command to display current and configured algorithms.
All platforms.
The following command configures the host key algorithm:
configure ssh2 key algorithm [ssh-rsa | rsa-sha2-256 | rsa-sha2-512]
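An added example (not vendor code) that scans saved EMS log text for the exsshd.CfgHostKeyAlgWeak message quoted above and reports the most recent occurrence together with the algorithms it names. The function names, the comma-separated handling of several algorithms, and the second and third sample lines are assumptions made for this example.

```python
import re
from datetime import datetime

# Layout taken from the EMS line quoted above: timestamp <Severity:component.condition> message
EMS_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"<(?P<sev>\w+):(?P<event>[\w.]+)>\s+(?P<msg>.*)$"
)
WEAK_EVENT = "exsshd.CfgHostKeyAlgWeak"
ALG_LIST = re.compile(r"host key algorithm\(s\), (?P<algs>.+?), is/are weaker")
# The two SHA-2 options named on this page; the page's own example selects the first.
SHA2_OPTIONS = ("rsa-sha2-256", "rsa-sha2-512")


def weak_hostkey_events(lines):
    """Return [(datetime, [algorithms])] for every CfgHostKeyAlgWeak entry, oldest first."""
    events = []
    for line in lines:
        m = EMS_LINE.match(line.strip())
        if not m or m.group("event") != WEAK_EVENT:
            continue
        when = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S.%f")
        algs = ALG_LIST.search(m.group("msg"))
        # Assumption: several algorithms would be comma-separated inside the message.
        names = [a.strip() for a in algs.group("algs").split(",")] if algs else []
        events.append((when, names))
    return sorted(events, key=lambda e: e[0])


def audit(lines):
    """Summarise the most recent warning and the page's command for moving off ssh-rsa."""
    events = weak_hostkey_events(lines)
    if not events:
        return {"weak": False, "last_seen": None, "algorithms": [], "fix": None}
    when, names = events[-1]
    return {"weak": True, "last_seen": when, "algorithms": names,
            "fix": f"configure ssh2 key algorithm {SHA2_OPTIONS[0]}"}


# First line is the one quoted on this page; the other two are constructed for the example.
SAMPLE_LOG = [
    "04/25/2023 08:19:25.67 <Noti:exsshd.CfgHostKeyAlgWeak> The configured host key algorithm(s), ssh-rsa, is/are weaker than what is recommended.",
    "04/25/2023 08:19:26.02 <Info:example.Placeholder> constructed unrelated line",
    "05/02/2023 11:40:03.10 <Noti:exsshd.CfgHostKeyAlgWeak> The configured host key algorithm(s), ssh-rsa, is/are weaker than what is recommended.",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Because the message is generated when the switch starts, an occurrence dated after the last configuration change means the SSH server is still running with ssh-rsa.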