Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

"SSH Server Public Key Too Small" reported on EX/QFX devices



Article ID: KB34138 KB Last Updated: 23 Apr 2019Version: 1.0

When running a vulnerability test on EX/QFX devices, the following message was reported:

'SSH Server Public Key Too Small'
  • DSA keys and RSA keys that are shorter than 2048 bits are considered vulnerable. 

  • EX/QFX devices using DSS keys of 1024 when enabling SSH service.


It is recommended to install a RSA public key length of at least 2048 bits or greater.

In order to avoid EX devices from using DSS keys of 1024 length, you can force them to use RSA keys with a length of 2048 by configuring both 'ssh-rsa' and 'no-ssh-dss'

  • ssh-rsa—Allow generation of RSA host-key. Key pair sizes greater than or equal to 1024 are compatible with RSA.

  • no-ssh-dss—Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.

Configuration example:

# set system services ssh hostkey-algorithm no-ssh-dss
# set system services ssh hostkey-algorithm ssh-rsa

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search