Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

hostkey-algorithm

Syntax (Prior to Junos OS Release 22.3R1)

Syntax (Starting in Junos OS Release 22.3R1)

Hierarchy Level

Description

Allow or disallow a host-key algorithm to authenticate another host through the SSH protocol. The host-key uses RSA, ECDSA, ED25519, and DSS algorithms.

The following are the behaviors when the hostkey-algorithm option is configured with SSH client and SSH server:

  • On the SSH client, the host-key algorithms that are supported when talking to a server are:

    1. RSA: Equal or greater-than to 1024 bit

    2. ECDSA: 256, 384, or 521 bit

    3. ED25519: 256 bit

    4. DSS: 1024 bit

  • On the SSH server, the host-key algorithms that are generated and stored are:

    1. RSA: 2048 bit

    2. ECDSA: 256 bit (Prior to Junos OS Release 22.3R1).

      ECDSA: 256, 384, or 521 bit (Starting in Junos OS Release 22.3R1).

    3. ED25519: 256 bit

    4. DSS: 1024 bit

Starting in Junos OS Release 22.3R1, we’ve introduced the hostkey-algorithm-list statement at the [edit system services ssh] hierarchy level. This enhancement enables you to configure only the specified SSH hostkey algorithms. The system automatically disables the remaining unspecified hostkey algorithms. In earlier releases, you need to disable the hostkey algorithms explicitly. All the hostkey algorithms at this hierarchy enabled by default. The DSS algorithm is no longer available at this new hierarchy. In addition, we've deprecated the hostkey-algorithm statement at the [edit system services ssh] hierarchy level.

Options

ecdsa-sha2-nistp256 Allow generation of ECDSA host-key with NIST P-256 curve.
ecdsa-sha2-nistp384 Allow generation of ECDSA host-key with NIST P-384 curve.
ecdsa-sha2-nistp521 Allow generation of ECDSA host-key with NIST P-521 curve
ed25519 Allow generation of EdDSA host-key with curve25519.
rsa Allow generation of 2048-bit RSA host-key
ssh-ecdsa Allow generation of an ECDSA host-key. Key pair sizes of 256, 384, or 521 bits are compatible with ECDSA.
ssh-dss Allow generation of a 1024-bit DSA host-key.
Note:

DSA keys are not supported in FIPS, so the ssh-dss option is not available on systems operating in FIPS mode.

ssh-rsa Allow generation of RSA host-key. Key pair sizes greater than or equal to 1024 are compatible with RSA.
no-ssh-dss Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.
no-ssh-ecdsa Do not allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host-key.
no-ssh-rsa Do not allow generation of an RSA host-key.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.2.

hostkey-algorithm-list option added in Junos OS Release 22.3R1.