I recently noticed when on-boarding a Catalyst switch on 17.6 and 17.9 code that I'm getting tons of the following log messages:
ssh public-key algorithm compliance violation detected.kindly note that weaker public-key algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.please configure more stronger pk algorithms to avoid service impact.
I know I can suppress these messages in the logs but I was wondering if there is a better way or if there is a roadmap item as to when ssh-rsa will be removed on the Meraki dashboard side and replaced with something else in the future so we don't have to suppress these messages.
Same problem here with 9300 running 17.4
Used this command to remove the annoying logs from the buffer
logging discriminator MERAKI mnemonics drops SSH_COMPLIANCE_VIOLATION_PK_ALGO msg-body drops (Login Success.*meraki-user|User meraki-user has exited)
After upgrading my 9300 to 17.6.5 I had issues with DMI and netconf
Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the running configuration to the NETCONF running data store has started.
Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize the running configuration to the NETCONF running data store has failed:
Apr 26 05:43:02.472: %DMI-3-DMI_DEGRADED: Switch 1 R0/0: dmiauthd: The dmi infra is operating in degraded mode. Most synchronizations from IOS to NETCONF datastore will not be performed
CORE(config)#do show platform software yang process state
Confd Status: Started
Process Status State
----------------------------------------------------------
nesd Running Active
syncfd Running Active (degraded)
I opened a case with Meraki support and they suggested that I remove my discriminator.
It solved the netconf error. But now my logs are filled with the Deprecation warning message again.
Any other solution? Any idea when Meraki will stop using ssh-rsa?
Update: After working with TAC the proper discriminator to use seems to be
`logging discriminator DROP-ME msg-body drops meraki-user|Public-key`
Hi there! It looks like the suppression syntax used caused a problem in another IOS XE module for some reason.
Try avoiding spaces in the expressions you're searching.
I see this syntax usually works fine:
logging discriminator DROP-ME msg-body drops meraki-user|Public-key
Hope this is useful.
Hello everyone! Hope you're doing great!
I noticed a number of cases in Support and some customers referring to this log suppression workaround solution.
The root cause for this notice in syslog and console logging is just a reminder that SSH with RSA Public Key algorithm will be deprecated; therefore, the network administrator should be aware. This is explained here in this Cisco doc.
Having this in mind, @redsector has a good point: just suppressing the messages is not much of a solution. However, the fix could cause other compatibility issues when authenticating users/systems that can't use another algorithm.
That's why we never recommend changing your public key algorithm configs. If you're curious, you can find more details here in this other Cisco doc (valid for other IOS XE releases).
Having said that, you may want to do it at your own risk.
Solution: change the publickey algorithm settings
Step 1. check if you have x509v3-ssh-rsa
Switch#sh run | inc ip ssh
ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh server algorithm publickey x509v3-ssh-rsa
Step 2. enter config mode and remove public key x509v3-ssh-rsa
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#default ip ssh server algorithm publickey
Once more: <disclaimer> Assess your public keys and users/systems before doing this. Use this at your own risk. It's safer and easier to implement the log suppression workaround solution </disclaimer>.
Workaround: suppress just that kind of message
admin connected from 127.0.0.1 using console on Router
Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key
More about the suppression syntax can be found here. If this syntax doesn't work well for you, try building your own until you find one that works fine. Small syntax variance is common.
Hope this information is useful. And again, we recommend implementing the workaround since it's more compatible. Change public key settings at your own risk.
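Added example, not part of the thread or of any Cisco or Meraki tooling: a small Python check of what the two msg-body patterns quoted above would drop, so that anything silenced beyond the deprecation notice and routine meraki-user sessions is visible before the discriminator is applied. The sample messages are constructed, and treating the patterns as case-sensitive regexes matched against the message text only is an assumption; the `mnemonics` clause of the first discriminator is not modelled.

```python
import re

# msg-body patterns copied from the two discriminators in the thread.
# Assumption: IOS XE matches these as case-sensitive regexes against the
# message text only; Python's re stands in for the device's regex engine.
PATTERNS = {
    "DROP-ME": r"meraki-user|Public-key",
    "MERAKI": r"(Login Success.*meraki-user|User meraki-user has exited)",
}

# Constructed sample messages (name, body); not captured from a switch.
SAMPLES = [
    ("pk_warning", "SSH Public-key Algorithm compliance violation detected. "
                   "Weaker Public-key Algorithm 'ssh-rsa' will be disabled."),
    ("meraki_login", "Login Success [user: meraki-user] [Source: 192.0.2.10] [localport: 22]"),
    ("meraki_logout", "User meraki-user has exited tty session 2(192.0.2.10)"),
    ("meraki_login_failed", "Login failed [user: meraki-user] [Source: 203.0.113.7] "
                            "[Reason: Login Authentication Failed]"),
    ("meraki_config", "Configured from console by meraki-user on vty0 (192.0.2.10)"),
    ("admin_login", "Login Success [user: admin] [Source: 192.0.2.20] [localport: 22]"),
]

# Messages the thread set out to silence.
INTENDED = {"pk_warning", "meraki_login", "meraki_logout"}

def dropped(pattern, samples=SAMPLES):
    """Names of sample messages whose body matches the drop pattern."""
    rx = re.compile(pattern)
    return [name for name, body in samples if rx.search(body)]

def collateral(pattern, samples=SAMPLES):
    """Messages dropped although nobody asked for them to be silenced."""
    return [n for n in dropped(pattern, samples) if n not in INTENDED]

def missed(pattern, samples=SAMPLES):
    """Intended messages that the pattern leaves in the log."""
    hit = set(dropped(pattern, samples))
    return [n for n, _ in samples if n in INTENDED and n not in hit]

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name}: drops={dropped(pattern)}")
        print(f"  collateral={collateral(pattern)} missed={missed(pattern)}")
```

On these samples the `meraki-user|Public-key` pattern also drops a failed login and a configuration change attributed to meraki-user, so those events need to stay visible on a logging destination that does not use the discriminator.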