SSH-RSA Deprecation

Lurick
Getting noticed


I recently noticed when on-boarding a Catalyst switch on 17.6 and 17.9 code that I'm getting tons of the following log messages:

ssh public-key algorithm compliance violation detected.kindly note that weaker public-key algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.please configure more stronger pk algorithms to avoid service impact.

 

I know I can suppress these messages in the logs, but I was wondering if there is a better way, or if there is a roadmap item for when ssh-rsa will be removed on the Meraki dashboard side and replaced with something else, so we don't have to suppress these messages.

11 Replies
jorisjean
Here to help

Hello,

 

Same problem here with a 9300 running 17.4.

I used this command to remove the annoying logs from the buffer:
logging discriminator MERAKI mnemonics drops SSH_COMPLIANCE_VIOLATION_PK_ALGO msg-body drops (Login Success.*meraki-user|User meraki-user has exited)

 

Thanks,

Yup, you could shorten it a bit if you wanted to, but that's pretty much what I did as well!

jorisjean
Here to help

UPDATE:

After upgrading my 9300 to 17.6.5 I had issues with DMI and NETCONF:

Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the running configuration to the NETCONF running data store has started.

Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize the running configuration to the NETCONF running data store has failed:

Apr 26 05:43:02.472: %DMI-3-DMI_DEGRADED: Switch 1 R0/0: dmiauthd: The dmi infra is operating in degraded mode. Most synchronizations from IOS to NETCONF datastore will not be performed



CORE(config)#do show platform software yang process state
Confd Status: Started

Process        Status      State
----------------------------------------------------------
nesd           Running     Active
syncfd         Running     Active (degraded)

 

I opened a case with Meraki support and they suggested that I remove my discriminator.

It solved the NETCONF error, but now my logs are filled with the deprecation warning message again.
Any other solution? Any idea when Meraki will stop using ssh-rsa?

 

Thanks,

Update: After working with TAC, the proper discriminator to use seems to be

`logging discriminator DROP-ME msg-body drops meraki-user|Public-key`

Hi there! It looks like the suppression syntax used caused problems in another IOS XE module for some reason.

Try avoiding spaces in the expressions you're searching for.

 

I see this syntax usually works fine:

 

logging discriminator DROP-ME msg-body drops meraki-user|Public-key

 

Hope this is useful.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
redsector
Head in the Cloud

Hello, I have got the same messages, but suppressing these messages is not really a solution, is it?

Tony-Sydney-AU
Meraki Employee

Hello everyone! Hope you're doing great!

 

I noticed a number of cases in Support and some customers referring to this log suppression workaround solution.

 

The root cause of this notice in syslog and console logging is simply a reminder that SSH with the RSA public-key algorithm will be deprecated; therefore, the network administrator should be aware. This is explained in this Cisco doc [1].

 

With this in mind, @redsector has a good point: just suppressing the messages is not much of a solution. However, the fix could cause other compatibility issues when authenticating users/systems that can't use another algorithm.

 

That's why we never recommend changing your public-key algorithm configs. If you're curious, you can find more details in this other Cisco doc (valid for other IOS XE releases) [2].

 

Having said that, you may want to do it at your own risk.

 

Solution: change the publickey algorithm settings

 

Step 1. Check if you have x509v3-ssh-rsa

 

Switch#sh run | inc ip ssh

ip ssh version 2

ip ssh server algorithm authentication publickey password keyboard

ip ssh server algorithm publickey x509v3-ssh-rsa

 

Step 2. Enter config mode and remove public key x509v3-ssh-rsa

 

Switch#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#default ip ssh server algorithm publickey

Switch(config)#end

 

Once more: <disclaimer> Assess your public keys and users/systems before doing this. Use this at your own risk. It's safer and easier to implement the log suppression workaround. </disclaimer>

 

Workaround: suppress just that kind of message

 

Switch#config-transaction

admin connected from 127.0.0.1 using console on Router

Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key

Switch(config)#end

 

More about the suppression syntax can be found here [3]. If this syntax doesn't work well for you, try building your own until you find one that works. Small syntax variance is common.

 

Hope this information is useful. And again, we recommend implementing the workaround since it's more compatible. Change public key settings at your own risk.

 

Reference:

[1] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/17_xe/syslogs/17-5-x/b-system-message-guide-router...

[2] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-3s/sec-usr-ssh-xe-3s-...

[3] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/command/esm-cr-book/esm-cr-a1.html#wp188878744...

 

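As an added illustration of Tony's Step 1 and Step 2 (this is example code written for this page, not code from the thread, Cisco or Meraki): a small Python helper that parses `show run all | include ip ssh` output, flags the SHA-1 RSA entries, builds the replacement `ip ssh server algorithm publickey` line with ssh-rsa removed, and checks whether a client that only offers a given algorithm could still authenticate afterwards. The sample output and the algorithm names in it are constructed; the list on your own release may differ. ssh-rsa is RSA over SHA-1 (RFC 4253), and x509v3-ssh-rsa is its certificate-carrying variant (RFC 6187), which is why both are flagged.

```python
import re

# Constructed sample of "show run all | include ip ssh" output. It is not output
# from the thread; the default list on your IOS XE release may differ.
SAMPLE_SHOW_RUN_ALL = """\
ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa rsa-sha2-256 rsa-sha2-512 ecdsa-sha2-nistp256
"""

# ssh-rsa is RSA with SHA-1 (the algorithm the compliance message names);
# x509v3-ssh-rsa is its certificate-carrying variant and signs the same way.
SHA1_RSA = frozenset({"ssh-rsa", "x509v3-ssh-rsa"})

# Only the "algorithm publickey" line; "algorithm authentication publickey ..."
# lists auth *methods* and must not be confused with it.
PUBKEY_RE = re.compile(r"^ip ssh server algorithm publickey\s+(.+?)\s*$", re.M)


def parse_publickey_algos(show_run_all: str) -> list[str]:
    """Ordered server public-key algorithm list, or [] if the line is absent."""
    m = PUBKEY_RE.search(show_run_all)
    return m.group(1).split() if m else []


def weak_algos(algos: list[str]) -> list[str]:
    """Entries that would trigger the SSH_COMPLIANCE_VIOLATION_PK_ALGO warning."""
    return [a for a in algos if a in SHA1_RSA]


def remediation(algos: list[str], drop: frozenset = frozenset({"ssh-rsa"})) -> list[str]:
    """Config line(s) that rewrite the list without `drop`; [] if nothing changes.

    Refuses to emit a command that would leave the list empty: that would break
    every public-key login, including the Meraki on-boarding user.
    """
    new = [a for a in algos if a not in drop]
    if new == algos:
        return []
    if not new:
        raise ValueError("refusing to remove every public-key algorithm")
    return ["ip ssh server algorithm publickey " + " ".join(new)]


def client_can_auth(client_offers: list[str], server_algos: list[str]) -> bool:
    """Public-key auth only succeeds if the client signs with an algorithm the server lists."""
    return any(a in server_algos for a in client_offers)


if __name__ == "__main__":
    algos = parse_publickey_algos(SAMPLE_SHOW_RUN_ALL)
    print("configured:", algos)
    print("weak      :", weak_algos(algos))
    for cmd in remediation(algos):
        print("push      :", cmd)
    # Before pushing, check the client that must keep working. The offer list
    # below is an assumption; use what your on-boarding client really signs with.
    after = [a for a in algos if a != "ssh-rsa"]
    print("ssh-rsa-only client still OK after change?", client_can_auth(["ssh-rsa"], after))
```

Because the compliance message names only ssh-rsa, `remediation()` drops just that entry by default and keeps x509v3-ssh-rsa, which matches the later reply that removing only ssh-rsa worked; pass `drop=SHA1_RSA` to strip both. `client_can_auth` is the check to run against whatever algorithm the Meraki on-boarding client (meraki-user) actually signs with before pushing the change, since a client that offers only ssh-rsa would be locked out, which is the compatibility risk Tony warns about.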

Tony - thank you for the detailed notes. Are you able to comment if Meraki is going to update the Catalyst Onboarding software to incorporate some of these steps and enforce the stronger algorithms?

Hi @KFoster! That's a good question, thank you. Yes, I checked with the internal team and they are working to address this behaviour in future releases.

 

That being said, I don't have an ETA at this stage.

 

It's true; sorry I may sound like I'm reading a scripted Customer Wording. 😄


Hi Tony,

 

Thanks for the update. Just adding that if you have the default algorithms, the sh run command won't show you the algorithm list;
you should use show run all | i ip ssh


Removing only the ssh-rsa from the command worked for me.

The workaround does not work if you just copy it:

 

To suppress just that kind of messages on the switch:

 

Switch#config-transaction (This should be config terminal or conf t) 

Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key (By only doing this you create the filter but it is not active yet.)

Switch(config)#end 

 

I tried the above and it did not work.

 

ATTENTION: Implementing the below will clear the logs on the switch. Make a backup, or if you have a syslog server you will be okay.

 

Switch#config t
Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key
Switch(config)#logging buffered discriminator DROP-ME 65536 informational
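To test a discriminator before attaching it to the buffer with `logging buffered discriminator` (added example for this page, not code from the thread or from Cisco): this Python emulation of `logging discriminator NAME [facility|mnemonics|msg-body] [drops|includes] REGEX` runs the two discriminators posted in this thread, jorisjean's MERAKI one and the TAC-suggested DROP-ME one, over a constructed buffer modelled on the messages quoted above. The facility/severity prefixes, timestamps and the `%FAC-SEV-MNEMONIC: body` line shape are my assumptions, and so are the matching semantics: each clause is treated as a Python regular expression, case-sensitive unless `ignore_case` is set, because how IOS XE evaluates the pattern has not been confirmed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed buffer modelled on messages quoted in this thread (the compliance
# warning body, the meraki-user login/exit lines the MERAKI discriminator names,
# and the DMI lines). Prefixes and timestamps are illustrative, not captured output.
SAMPLE_BUFFER = [
    "Apr 26 05:40:01.000: %SSH-3-SSH_COMPLIANCE_VIOLATION_PK_ALGO: ssh public-key algorithm "
    "compliance violation detected.kindly note that weaker public-key algorithm 'ssh-rsa' will "
    "be disabled by-default in the upcoming releases.please configure more stronger pk "
    "algorithms to avoid service impact.",
    "Apr 26 05:40:01.100: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: meraki-user] "
    "[Source: 127.0.0.1] [localport: 22] at 05:40:01 UTC Wed Apr 26 2023",
    "Apr 26 05:40:03.200: %SYS-6-LOGOUT: User meraki-user has exited tty session 1(127.0.0.1)",
    "Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the "
    "running configuration to the NETCONF running data store has started.",
    "Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize "
    "the running configuration to the NETCONF running data store has failed:",
]

# %FACILITY-SEVERITY-MNEMONIC: body  (assumed shape of an IOS syslog line)
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$")

Clause = Optional[Tuple[str, str]]  # ("drops" | "includes", regex)


@dataclass
class Discriminator:
    """Emulates `logging discriminator NAME [facility ...] [mnemonics ...] [msg-body ...]`.

    Each clause is (mode, regex): "drops" suppresses lines whose field matches,
    "includes" suppresses lines whose field does not match. Matching is plain
    Python re.search; whether IOS XE is case-sensitive here is not verified, so
    ignore_case is exposed as a knob rather than assumed either way.
    """
    name: str
    facility: Clause = None
    mnemonics: Clause = None
    msg_body: Clause = None
    ignore_case: bool = False

    def _passes(self, clause: Clause, text: str) -> bool:
        if clause is None:
            return True
        mode, pattern = clause
        hit = re.search(pattern, text, re.I if self.ignore_case else 0) is not None
        return (not hit) if mode == "drops" else hit

    def keeps(self, line: str) -> bool:
        m = SYSLOG_RE.search(line)
        if not m:
            return True  # not a %FAC-SEV-MNEMONIC line; nothing to filter on
        return (self._passes(self.facility, m["facility"])
                and self._passes(self.mnemonics, m["mnemonic"])
                and self._passes(self.msg_body, m["body"]))

    def apply(self, lines: List[str]) -> Tuple[List[str], List[str]]:
        """Split lines into (kept, dropped) as the buffer would see them."""
        kept, dropped = [], []
        for line in lines:
            (kept if self.keeps(line) else dropped).append(line)
        return kept, dropped


# jorisjean's first discriminator: mnemonic clause plus a spaced msg-body regex.
MERAKI = Discriminator(
    "MERAKI",
    mnemonics=("drops", r"SSH_COMPLIANCE_VIOLATION_PK_ALGO"),
    msg_body=("drops", r"(Login Success.*meraki-user|User meraki-user has exited)"),
)
# The TAC-suggested one: msg-body only, no spaces.
DROP_ME = Discriminator("DROP-ME", msg_body=("drops", r"meraki-user|Public-key"))


if __name__ == "__main__":
    variants = (MERAKI, DROP_ME,
                Discriminator("DROP-ME (ignore case)", msg_body=DROP_ME.msg_body, ignore_case=True))
    for disc in variants:
        kept, dropped = disc.apply(SAMPLE_BUFFER)
        print(f"{disc.name}: kept {len(kept)}, dropped {len(dropped)}")
        for line in kept:
            print("   keep:", line[:80])
```

Run as written, DROP-ME drops both meraki-user lines but keeps the compliance warning, whose body spells public-key in lower case; only with `ignore_case=True` does `Public-key` catch it. Matching on the mnemonic, as the MERAKI discriminator does, avoids that ambiguity. Either way, confirm on the device with `show logging` rather than trusting the emulation. Note also that any pattern containing meraki-user hides the Login Success records for that account as well, so attach it to the local buffer only (as the `logging buffered discriminator` line above does) and keep the syslog-server feed unfiltered.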
