I recently noticed when on-boarding a Catalyst switch on 17.6 and 17.9 code that I'm getting tons of the following log messages:
ssh public-key algorithm compliance violation detected.kindly note that weaker public-key algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.please configure more stronger pk algorithms to avoid service impact.
I know I can suppress these messages in the logs but I was wondering if there is a better way or if there is a roadmap item as to when ssh-rsa will be removed on the Meraki dashboard side and replaced with something else in the future so we don't have to suppress these messages.
Hello,
Same problem here with 9300 running 17.4
Used this command to remove the annoying logs from the buffer
logging discriminator MERAKI mnemonics drops SSH_COMPLIANCE_VIOLATION_PK_ALGO msg-body drops (Login Success.*meraki-user|User meraki-user has exited)
Thanks,
Yup, you could shorten it a bit if you wanted to but that's pretty much what I did as well!
UPDATE:
After upgrading my 9300 to 17.6.5 I had issues with DMI and netconf
Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the running configuration to the NETCONF running data store has started.
Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize the running configuration to the NETCONF running data store has failed:
Apr 26 05:43:02.472: %DMI-3-DMI_DEGRADED: Switch 1 R0/0: dmiauthd: The dmi infra is operating in degraded mode. Most synchronizations from IOS to NETCONF datastore will not be performed
CORE(config)#do show platform software yang process state
Confd Status: Started
Process Status State
----------------------------------------------------------
nesd Running Active
syncfd Running Active (degraded)
I opened a case with meraki support and they suggested that I remove my descrimanator.
It solved the netconf error. But now my logs are filled with the Deprecation warning message again.
Any other solution ? Any idea when meraki will stop using ssh-rsa ?
Thanks,
Update: After working with TAC the proper discriminator to use seems to be
`logging discriminator DROP-ME msg-body drops meraki-user|Public-key`
Hi there! It looks like the suppression syntax used caused problem in other IOS XE module for some reason.
Try avoiding spaces in the expressions you're searching
I see this syntax usually works fine:
logging discriminator DROP-ME msg-body drops meraki-user|Public-key
Hope this is useful.
Hello, I have got the same messages, but to supress this messages is not really an solution, isn´t it?
Hello everyone! Hope you're doing great!
I noticed a number of cases in Support and some customers referring to this log suppression workaround solution.
The root cause for this notice in syslog and console logging is just a reminder that SSH with RSA Public Key algorithm will be deprecated therefore, the network administrator should be aware. This is explained here in this Cisco doc [1]
Having this in mind, @redsector has a good point: just suppressing the messages it's not much of a solution. However, the fix could cause other compatibility issues when authenticating users/systems that can't use another algorithm.
That's why we never recommend changing your public key algorithm configs. If you're curious, you can find more details here in this other Cisco doc (valid for other IOS XE releases) [2].
Having said that, you may want to do it at your own risk.
Solution: change the publickey algorithm settings
Step 1. check if you have x509v3-ssh-rsa
Switch#sh run | inc ip ssh
ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh server algorithm publickey x509v3-ssh-rsa
Step 2. enter config mode and remove public key x509v3-ssh-rsa
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#default ip ssh server algorithm publickey
Switch(config)#end
Once more: <disclaimer> Asses your public keys and users/systems before doing this. Use this at your own risk. It's safer and easier to implement log suppression workaround solution </disclaimer>.
Workaround: suppress just that kind of message
Switch#config-transaction
admin connected from 127.0.0.1 using console on Router
Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key
Switch(config)#end
More about the suppression syntax can be found here [3]. If this syntax doesn't work well for you, try building your own until you find one that works fine. Small syntax variance is common.
Hope this information is useful. And again, we recommend implementing the workaround since it's more compatible. Change public key settings at your own risk.
Reference:
Tony - thank you for the detailed notes. Are you able to comment if Meraki is going to update the Catalyst Onboarding software to incorporate some of these steps and enforce the stronger algorithms?
HI @KFoster ! That's a good question, thank you. Yes, I checked with Internal Team and they are working to address this behaviour in future releases.
That being said, I don't have an ETA at this stage.
It's true; sorry I may sound like I'm reading a scripted Customer Wording. 😄
Hi Tony,
Thanks for the update. Just adding that if you have the default algo the sh run command won't show you the algo
you should use show run all | i ip ssh
Removing only the ssh-rsa from the command worked for me.