hostkey-algorithm
Syntax (Prior to Junos OS Release 22.3R1)
hostkey-algorithm {
    (no-ssh-dss | ssh-dss);
    (no-ssh-rsa | ssh-rsa);
    (no-ssh-ecdsa | ssh-ecdsa);
    (no-ssh-ed25519 | ssh-ed25519);
}
Syntax (Starting in Junos OS Release 22.3R1)
hostkey-algorithm-list (ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp521 | ed25519 | rsa)
Hierarchy Level
[edit system services ssh]
Description
Allow or disallow a host-key algorithm used to authenticate another host through the SSH protocol. The supported host-key algorithms are RSA, ECDSA, ED25519, and DSS.
The following are the behaviors when the hostkey-algorithm option is configured on the SSH client and on the SSH server:
On the SSH client, the host-key algorithms that are supported when talking to a server are:
RSA: Equal or greater-than to 1024 bit
ECDSA: 256, 384, or 521 bit
ED25519: 256 bit
DSS: 1024 bit
On the SSH server, the host-key algorithms that are generated and stored are:
RSA: 2048 bit
ECDSA: 256 bit (prior to Junos OS Release 22.3R1)
ECDSA: 256, 384, or 521 bit (starting in Junos OS Release 22.3R1)
ED25519: 256 bit
DSS: 1024 bit
Starting in Junos OS Release 22.3R1, we've introduced the hostkey-algorithm-list statement at the [edit system services ssh] hierarchy level. This enhancement enables you to configure only the specified SSH hostkey algorithms; the system automatically disables the remaining, unspecified hostkey algorithms. In earlier releases, you need to disable unwanted hostkey algorithms explicitly, because all the hostkey algorithms at this hierarchy are enabled by default. The DSS algorithm is no longer available at this new hierarchy. In addition, we've deprecated the hostkey-algorithm statement at the [edit system services ssh] hierarchy level.
Starting in Junos OS Release 24.2R1, the hostkey-algorithm statement at the [edit system services ssh] hierarchy level is removed and can no longer be used.
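The two configuration styles described above, as an added example that is not taken from the Juniper page: the pre-22.3R1 form has to switch off each unwanted algorithm, whereas the 22.3R1 form names only the algorithms to keep. It assumes that hostkey-algorithm-list accepts several values, each given with its own set command.

```junos
## Added example (not from the Juniper documentation).
## Goal in both cases: offer only RSA and ED25519 host keys; never offer DSS.

## Prior to Junos OS Release 22.3R1: every algorithm is enabled by default,
## so the ones you do not want must be disabled explicitly.
set system services ssh hostkey-algorithm no-ssh-dss
set system services ssh hostkey-algorithm no-ssh-ecdsa
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh hostkey-algorithm ssh-ed25519

## Starting in Junos OS Release 22.3R1: list what to keep; anything not listed
## (here all three ECDSA curves) is disabled automatically, and DSS cannot be
## selected at all. The deprecated hostkey-algorithm stanza is left unconfigured.
## Assumption: repeated set commands accumulate into the list.
set system services ssh hostkey-algorithm-list rsa
set system services ssh hostkey-algorithm-list ed25519

## Verify what was committed before relying on it.
commit check
commit
run show configuration system services ssh
```

On a 24.2R1 or later device only the hostkey-algorithm-list form is valid, since the hostkey-algorithm statement has been removed.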
Options
ecdsa-sha2-nistp256: Allow generation of an ECDSA host key with the NIST P-256 curve.
ecdsa-sha2-nistp384: Allow generation of an ECDSA host key with the NIST P-384 curve.
ecdsa-sha2-nistp521: Allow generation of an ECDSA host key with the NIST P-521 curve.
ed25519: Allow generation of an EdDSA host key with curve25519.
rsa: Allow generation of a 2048-bit RSA host key.
ssh-ecdsa: Allow generation of an ECDSA host key. Key pair sizes of 256, 384, or 521 bits are compatible with ECDSA.
ssh-dss: Allow generation of a 1024-bit DSA host key.
Note: DSA keys are not supported in FIPS, so the
ssh-rsa: Allow generation of an RSA host key. Key pair sizes greater than or equal to 1024 bits are compatible with RSA.
no-ssh-dss: Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host key.
no-ssh-ecdsa: Do not allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host key.
no-ssh-rsa: Do not allow generation of an RSA host key.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.
hostkey-algorithm-list option added in Junos OS Release 22.3R1.
hostkey-algorithm option removed in Junos OS Release 24.2R1.