05-29-2024 06:51 AM
Hello,
I just upgraded a Cisco ASA 5506 from 9.6 to 9.16(4)57 and I cannot SSH into it any longer.
Get an error: "server unexpectedly closed the network connection"
I can access via ASDM.
I have SSH enabled and I have SSH allowed from only 2 machines (a local server and my laptop).
I'm thinking I need to generate a new crypto key.
My question is, if I do generate a new crypto key, will that break my IPsec tunnels?
Thanks,
Solved! Go to Solution.
05-29-2024 07:47 AM
Do the tunnels use RSA for auth?
If not, I don't see any connection between re-keying SSH and the IPsec VPN.
MHM
05-29-2024 07:49 AM
The tunnels use pre-shared keys, so I should be good to rekey?
05-29-2024 07:52 AM
In my view there is no issue at all; if you want, I can check in a lab and update you.
MHM
05-29-2024 08:03 AM
I don't think that would be necessary but thanks for offering.
Would you agree with me that such a jump in upgrade would require a rekey to regain SSH access, due to the deprecated encryption not being allowed on 9.16?
05-29-2024 09:49 AM
You should not NORMALLY have to generate a new RSA key (which is used for SSH and is completely separate from the pre-shared keys used by any IPsec VPNs).
However, there is a change in behavior noted with 9.16 specifically as follows:
" SSH host key action required in 9.16(1)—In addition to RSA, we added support for the EDDSA and ECDSA host keys for SSH. The ASA tries to use keys in the following order if they exist: EDDSA, ECDSA, and then RSA. When you upgrade to 9.16(1), the ASA will fall back to using the existing RSA key. However, we recommend that you generate higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command. Moreover, if you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or higher. For upgrade compatibility, the ASA will use smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release."
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html
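Added example (not part of the thread, and not Cisco's or the original poster's code): once an ASA offers only SHA-2 key exchange, ECDSA/EdDSA or rsa-sha2-* host key signatures and CTR/GCM ciphers, a client that predates those algorithms cannot match any of its proposals and the ASA simply drops the connection after the KEXINIT exchange, which PuTTY reports as "server unexpectedly closed the network connection". OpenSSH's `ssh -vv` prints both sides' KEXINIT proposals, so the script below reads a saved transcript, extracts what the server offered, and checks whether a given client's algorithm lists intersect it in every category. The transcript, the "legacy" and "current" client proposals, and the function names (`server_algos`, `overlap`, `negotiable`) are all constructed for illustration; the legacy lists approximate an old client without naming a specific PuTTY release.

```shell
#!/bin/sh
# Added example: parse a saved `ssh -vv` transcript and check whether a
# client's algorithm lists overlap with what the server offered.
# A hardened ASA that no longer offers SHA-1 key exchange, ssh-rsa host
# key signatures or CBC ciphers drops any client that cannot match its
# proposals; PuTTY shows that as "server unexpectedly closed the network
# connection". Capture a real transcript with:  ssh -vv admin@asa 2> ssh-vv.log

# Constructed sample transcript (only the debug2 proposal lines that matter;
# not a real capture). The server side mimics an ASA 9.16 with an ECDSA host
# key and only SHA-2 key exchange and CTR/GCM ciphers enabled.
SAMPLE_LOG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp384,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: ecdsa-sha2-nistp384,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512'
LOG=${TMPDIR:-/tmp}/asa-ssh-vv-sample.log
printf '%s\n' "$SAMPLE_LOG" > "$LOG"

# Hypothetical proposals of an old client that predates SHA-2 key exchange,
# rsa-sha2-* signatures and CTR/GCM ciphers (constructed, not a specific
# PuTTY release), and of a current client.
LEGACY_KEX='diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
LEGACY_HOSTKEY='ssh-rsa,ssh-dss'
LEGACY_CIPHERS='aes256-cbc,aes128-cbc,3des-cbc'
MODERN_KEX='curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'
MODERN_HOSTKEY='ssh-ed25519,ecdsa-sha2-nistp384,rsa-sha2-256'
MODERN_CIPHERS='aes256-gcm@openssh.com,aes256-ctr'

# server_algos LOG CATEGORY -> comma-separated list the server offered for
# CATEGORY ("KEX algorithms", "host key algorithms", "ciphers ctos", ...).
# Only lines after "peer server KEXINIT proposal" are considered, so the
# client's own proposal (printed first by ssh -vv) is skipped.
server_algos() {
  awk -v cat="debug2: $2: " '
    /peer server KEXINIT proposal/  { inserver = 1; next }
    /local client KEXINIT proposal/ { inserver = 0; next }
    inserver && index($0, cat) == 1 { print substr($0, length(cat) + 1); exit }
  ' "$1"
}

# overlap CLIENT_LIST SERVER_LIST -> entries of CLIENT_LIST also present in
# SERVER_LIST, in client preference order (SSH picks the first client entry
# the server supports). Empty output means nothing can be negotiated.
overlap() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
    [ -n "$alg" ] || continue
    case ",$2," in *",$alg,"*) printf '%s,' "$alg" ;; esac
  done | sed 's/,$//'
}

# negotiable LOG CLIENT_KEX CLIENT_HOSTKEY CLIENT_CIPHERS
# Prints a verdict per category; returns 0 when every category has a common
# algorithm, 1 when the session would die at KEXINIT.
negotiable() {
  log=$1 status=0
  for pair in "KEX algorithms=$2" "host key algorithms=$3" "ciphers ctos=$4"; do
    category=${pair%%=*} client=${pair#*=}
    server=$(server_algos "$log" "$category")
    common=$(overlap "$client" "$server")
    if [ -n "$common" ]; then
      printf '  ok        %-20s -> %s\n' "$category" "$common"
    else
      printf '  NO MATCH  %-20s server=[%s] client=[%s]\n' "$category" "$server" "$client"
      status=1
    fi
  done
  return $status
}

echo "Legacy client against the sample ASA:"
negotiable "$LOG" "$LEGACY_KEX" "$LEGACY_HOSTKEY" "$LEGACY_CIPHERS" \
  || echo "  -> no common algorithm; the ASA drops the connection after KEXINIT"
echo "Current client against the sample ASA:"
negotiable "$LOG" "$MODERN_KEX" "$MODERN_HOSTKEY" "$MODERN_CIPHERS"
```

With an OpenSSH client you usually do not need the script, because a failed negotiation is reported outright ("Unable to negotiate with ...: no matching key exchange method found. Their offer: ..."); its value is in checking a client that only reports a silent disconnect, or several clients' lists against a single capture from the ASA, before deciding whether to relax a cipher on the firewall or update the client.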
05-29-2024 12:18 PM
Thanks for the replies MHM & Marvin.
I figured it out... I had too old a version of PuTTY. Updated my PuTTY client and connected just fine.
I guess the silver lining is I have better ciphers now that I've changed all my SSH settings.
Thanks for the help...
05-29-2024 12:23 PM
Thanks a lot for updating us.
I was waiting to run some lab tests changing the cipher with the same RSA key.
But you shortened the way.
Thanks
Have a nice day
MHM
05-30-2024 05:40 AM
Good to hear you are back in via SSH. Besides supporting newer algorithms, any version of PuTTY before earlier this year (0.80 or older) should be updated in any event due to a critical vulnerability.