"SSH Server Public Key Too Small" reported on EX/QFX devices

  [KB34138]


Summary:

When running a vulnerability test on EX/QFX devices, the following message was reported:

'SSH Server Public Key Too Small'

Cause:
  • DSA keys, and RSA keys shorter than 2048 bits, are considered vulnerable.

  • EX/QFX devices use a 1024-bit DSS (DSA) host key when the SSH service is enabled.

Solution:

It is recommended to use an RSA host key with a length of at least 2048 bits.

To prevent EX devices from using 1024-bit DSS keys, you can force them to use 2048-bit RSA keys by configuring both 'ssh-rsa' and 'no-ssh-dss':

  • ssh-rsa—Allow generation of an RSA host key. Key pair sizes greater than or equal to 1024 bits are compatible with RSA.

  • no-ssh-dss—Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host key.


Configuration example:

# set system services ssh hostkey-algorithm no-ssh-dss
# set system services ssh hostkey-algorithm ssh-rsa
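To verify the change from the scanner's side, the script below (an added example, not part of this KB article) classifies host keys the way the 'SSH Server Public Key Too Small' finding does, reading the known_hosts-style lines that `ssh-keyscan <device>` prints. The sample lines it builds are constructed with dummy numbers of the right bit length, not real keys.

```python
# Classify SSH host keys the way the 'SSH Server Public Key Too Small' check does:
# feed it lines in the known_hosts format that `ssh-keyscan <host>` prints.
import base64
import struct

def _read_string(blob, off):
    # SSH wire format: 4-byte big-endian length followed by that many bytes.
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_type_and_bits(b64_blob):
    """Return (key type, key size in bits) from a base64 OpenSSH public key blob."""
    blob = base64.b64decode(b64_blob)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, off)      # public exponent e
        modulus, _ = _read_string(blob, off)  # modulus n: its length is the key size
        return ktype, int.from_bytes(modulus, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)        # prime p gives the DSA key size
        return ktype, int.from_bytes(p, "big").bit_length()
    return ktype, None  # ecdsa/ed25519 keys are outside this finding

def assess_host_key_line(line):
    """Classify one ssh-keyscan line; return a finding string, or None if acceptable."""
    if line.startswith("#"):
        return None  # ssh-keyscan comment line
    host, _, b64_blob = line.split()[:3]
    ktype, bits = key_type_and_bits(b64_blob)
    if ktype == "ssh-dss":
        return f"{host}: DSA host key ({bits} bits); disable it with no-ssh-dss"
    if ktype == "ssh-rsa" and bits < 2048:
        return f"{host}: RSA host key too small ({bits} bits, need >= 2048)"
    return None

def _mpint(value):
    # SSH mpint: length prefix, big-endian bytes, leading zero if the high bit is set.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def constructed_key_line(host, ktype, bits):
    """CONSTRUCTED sample line with dummy numbers of the given size (not a real key)."""
    fake = (1 << (bits - 1)) | 1
    body = (_mpint(65537) + _mpint(fake)) if ktype == "ssh-rsa" else (
        _mpint(fake) + _mpint((1 << 159) | 1) + _mpint(2) + _mpint(3))  # p, q, g, y
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + body
    return f"{host} {ktype} {base64.b64encode(blob).decode()}"
```

Run it as `ssh-keyscan -t rsa,dsa <device> | python3 -c '...'` with the lines fed to `assess_host_key_line`; a device fixed as above reports no finding for its RSA key and no ssh-dss key at all.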