SSH-RSA Deprecation


I recently noticed when on-boarding a Catalyst switch on 17.6 and 17.9 code that I'm getting tons of the following log messages:

ssh public-key algorithm compliance violation detected.kindly note that weaker public-key algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.please configure more stronger pk algorithms to avoid service impact.


I know I can suppress these messages in the logs but I was wondering if there is a better way or if there is a roadmap item as to when ssh-rsa will be removed on the Meraki dashboard side and replaced with something else in the future so we don't have to suppress these messages.




Same problem here with 9300 running 17.4

Used this command to remove the annoying logs from the buffer:

`logging discriminator MERAKI mnemonics drops SSH_COMPLIANCE_VIOLATION_PK_ALGO msg-body drops (Login Success.*meraki-user|User meraki-user has exited)`



Yup, you could shorten it a bit if you wanted to but that's pretty much what I did as well!



After upgrading my 9300 to 17.6.5 I had issues with DMI and netconf

Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the running configuration to the NETCONF running data store has started.

Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize the running configuration to the NETCONF running data store has failed:

Apr 26 05:43:02.472: %DMI-3-DMI_DEGRADED: Switch 1 R0/0: dmiauthd: The dmi infra is operating in degraded mode. Most synchronizations from IOS to NETCONF datastore will not be performed

CORE(config)#do show platform software yang process state

Confd Status: Started

Process Status State


nesd Running Active

syncfd Running Active (degraded)


I opened a case with Meraki support and they suggested that I remove my discriminator.

It solved the netconf error. But now my logs are filled with the deprecation warning message again.
Any other solution? Any idea when Meraki will stop using ssh-rsa?



Update: After working with TAC, the proper discriminator to use seems to be:

`logging discriminator DROP-ME msg-body drops meraki-user|Public-key`
