Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Allow or disallow a host-key algorithm to authenticate another host through the SSH protocol. The host-key uses RSA, ECDSA, ED25519, and DSS algorithms.

The following are the behaviors when the hostkey-algorithm option is configured with SSH client and SSH server:

  • On the SSH client, the host-key algorithms that are supported when talking to a server are:

    1. RSA: Equal or greater-than to 1024 bit

    2. ECDSA: 256, 384, or 521 bit

    3. ED25519: 256 bit

    4. DSS: 1024 bit

  • On the SSH server, the host-key algorithms that are generated and stored are:

    1. RSA: 2048 bit

    2. ECDSA: 256 bit

    3. ED25519: 256 bit

    4. DSS: 1024 bit


  • ssh-ecdsa—Allow generation of an ECDSA host-key. Key pair sizes of 256, 384, or 521 bits are compatible with ECDSA.

  • ssh-dss—Allow generation of a 1024-bit DSA host-key.


    DSA keys are not supported in FIPS, so the ssh-dss option is not available on systems operating in FIPS mode.

  • ssh-rsa—Allow generation of RSA host-key. Key pair sizes greater than or equal to 1024 are compatible with RSA.

  • no-ssh-dss—Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.

  • no-ssh-ecdsa—Do not allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host-key.

  • no-ssh-rsa—Do not allow generation of an RSA host-key.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.2.