SSH-RSA Depreciation

Getting noticed

SSH-RSA Depreciation

I recently noticed when on-boarding a Catalyst switch on 17.6 and 17.9 code that I'm getting tons of the following log messages:

ssh public-key algorithm compliance violation detected.kindly note that weaker public-key algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.please configure more stronger pk algorithms to avoid service impact.


I know I can suppress these messages in the logs but I was wondering if there is a better way or if there is a roadmap item as to when ssh-rsa will be removed on the Meraki dashboard side and replaced with something else in the future so we don't have to suppress these messages.

7 Replies 7



Same problem here with 9300 running 17.4

Used this command to remove the annoying logs from the buffer
logging discriminator MERAKI mnemonics drops SSH_COMPLIANCE_VIOLATION_PK_ALGO msg-body drops (Login Success.*meraki-user|User meraki-user has exited)



Yup, you could shorten it a bit if you wanted to but that's pretty much what I did as well!



After upgrading my 9300 to 17.6.5 I had issues with DMI and netconf

Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the running configuration to the NETCONF running data store has started.

Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize the running configuration to the NETCONF running data store has failed:

Apr 26 05:43:02.472: %DMI-3-DMI_DEGRADED: Switch 1 R0/0: dmiauthd: The dmi infra is operating in degraded mode. Most synchronizations from IOS to NETCONF datastore will not be performed

CORE(config)#do show platform software yang process state

Confd Status: Started

Process Status State


nesd Running Active

syncfd Running Active (degraded)


I opened a case with meraki support and they suggested that I remove my descrimanator.

It solved the netconf error. But now my logs are filled with the Deprecation warning message again.
Any other solution ? Any idea when meraki will stop using ssh-rsa ?



Update: After working with TAC the proper discriminator to use seems to be

`logging discriminator DROP-ME msg-body drops meraki-user|Public-key`

Hi there! It looks like the suppression syntax used caused problem in other IOS XE module for some reason.


Try avoiding spaces in the expressions you're searching 


I see this syntax usually works fine:


logging discriminator DROP-ME msg-body drops meraki-user|Public-key


Hope this is useful.

Head in the Cloud

Hello, I have got the same messages, but to supress this messages is not really an solution, isn´t it?

Meraki Employee
Meraki Employee

Hello everyone! Hope you're doing great!


I noticed a number of cases in Support and some customers referring to this log suppression workaround solution.


The root cause for this notice in syslog and console logging is just a reminder that SSH with RSA Public Key algorithm will be deprecated therefore, the network administrator should be aware. This is explained here in this Cisco doc [1]


Having this in mind, @redsector has a good point: just suppressing the messages it's not much of a solution. However, the fix could cause other compatibility issues when authenticating users/systems that can't use another algorithm.


That's why we never recommend changing your public key algorithm configs. If you're curious, you can find more details here in this other Cisco doc (valid for other IOS XE releases) [2].


Having said that, you may want to do it at your own risk.


Solution: change the publickey algorithm settings


Step 1. check if you have x509v3-ssh-rsa 


Switch#sh run | inc ip ssh

ip ssh version 2

ip ssh server algorithm authentication publickey password keyboard

ip ssh server algorithm publickey x509v3-ssh-rsa


Step 2. enter config mode and remove public key x509v3-ssh-rsa


Switch#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#default ip ssh server algorithm publickey



Once more: <disclaimer> Asses your public keys and users/systems before doing this. Use this at your own risk. It's safer and easier to implement log suppression workaround solution </disclaimer>.


Workaround: suppress just that kind of message



admin connected from using console on Router

Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key



More about the suppression syntax can be found here [3]. If this syntax doesn't work well for you, try building your own until you find one that works fine. Small syntax variance is common.


Hope this information is useful. And again, we recommend implementing the workaround since it's more compatible. Change public key settings at your own risk.







Get notified when there are additional replies to this discussion.