We installed a bunch of C9K switches running version 17.12.4. I have noticed the following message whenever I login with putty.
%SSH-5-SSH_COMPLIANCE_VIOLATION_HOSTK_ALGO: SSH Host-key Algorithm compliance violation detected.Kindly note that weaker Host-key Algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.Please configure more stronger Host-Key algorithms to avoid service impact.
So I think, hmm, I must see if I can fix this.
To make a long story short, I upgraded to the latest putty 0.83. Still get the message. I look in the new putty configuration and see some host keys I may not have had before. So I decide to move RSA below the warn line. Sure enough, I get a message from putty when trying to connect that RSA is the first offer from the server, asking whether I want to continue.
So again, hmm. Looking at the show ip ssh output:
Hostkey Algorithms:ssh-rsa
To fix this and not break it for other users, I put this in the config.
ip ssh server algorithm hostkey rsa-sha2-256 rsa-sha2-512 ssh-rsa
Now the output is:
Hostkey Algorithms:rsa-sha2-256,rsa-sha2-512,ssh-rsa
I put rsa back below the warn line. I still get a warning from putty that the server is using rsa-sha2-256, so I put it back. The log message is no longer present when logging into the switch. I am not sure at this point how to get the switches to use DSA or ECDSA.
Cisco, if you are reading this, perhaps you should enable other hostkey algorithms by default before you warn people you will be removing support for ssh-rsa.
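Added example (not part of the original post, and not Cisco's tooling): a small Python check that parses the `Hostkey Algorithms:` line of `show ip ssh` output across a set of switches and reports which ones still offer only `ssh-rsa` or put it first in the offer, which is the condition behind the `%SSH-5-SSH_COMPLIANCE_VIOLATION_HOSTK_ALGO` message. It also builds the same `ip ssh server algorithm hostkey` line used in the post, keeping `ssh-rsa` last when the device already offers it so existing clients keep working. The device names and the two sample `show ip ssh` outputs are constructed; the only algorithm names used are the ones shown in the post.

```python
"""Fleet check for the SSH host-key algorithm offer on Cisco IOS-XE switches.

Added example, not code from the original post. Parses `show ip ssh` text and
flags devices whose host-key offer is ssh-rsa only or ssh-rsa first.
The device names and sample outputs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Stronger host-key algorithms the post shows as accepted on IOS-XE 17.12.4.
STRONG_HOSTKEY_ALGOS = ("rsa-sha2-256", "rsa-sha2-512")
LEGACY_HOSTKEY_ALGO = "ssh-rsa"
SYSLOG_VIOLATION_TAG = "%SSH-5-SSH_COMPLIANCE_VIOLATION_HOSTK_ALGO"

# Matches e.g. "Hostkey Algorithms:rsa-sha2-256,rsa-sha2-512,ssh-rsa"
HOSTKEY_LINE = re.compile(r"^\s*Hostkey Algorithms\s*:\s*(?P<algos>\S+)", re.MULTILINE)


@dataclass
class HostkeyFinding:
    device: str
    offered: List[str]
    compliant: bool
    reason: str
    suggested_config: Optional[str]


def parse_hostkey_algorithms(show_ip_ssh: str) -> List[str]:
    """Return the host-key algorithms in the order the server offers them."""
    m = HOSTKEY_LINE.search(show_ip_ssh)
    if not m:
        return []
    return [a for a in m.group("algos").split(",") if a]


def suggested_hostkey_config(offered: List[str]) -> str:
    """Build the config line from the post; ssh-rsa stays last if it was offered."""
    algos = list(STRONG_HOSTKEY_ALGOS)
    if LEGACY_HOSTKEY_ALGO in offered:
        algos.append(LEGACY_HOSTKEY_ALGO)
    return "ip ssh server algorithm hostkey " + " ".join(algos)


def assess_device(device: str, show_ip_ssh: str) -> HostkeyFinding:
    """Classify one device's host-key offer."""
    offered = parse_hostkey_algorithms(show_ip_ssh)
    if not offered:
        return HostkeyFinding(device, offered, False,
                              "no 'Hostkey Algorithms' line in show ip ssh output", None)
    if not any(a in STRONG_HOSTKEY_ALGOS for a in offered):
        return HostkeyFinding(device, offered, False,
                              "only legacy ssh-rsa host-key algorithm offered",
                              suggested_hostkey_config(offered))
    if offered[0] == LEGACY_HOSTKEY_ALGO:
        # Clients such as putty warn on the first offer, as described in the post.
        return HostkeyFinding(device, offered, False,
                              "ssh-rsa is offered before the stronger algorithms",
                              suggested_hostkey_config(offered))
    return HostkeyFinding(device, offered, True, "stronger host-key algorithm offered first", None)


def is_hostkey_compliance_violation(syslog_line: str) -> bool:
    """True if a syslog line is the host-key compliance warning from the post."""
    return SYSLOG_VIOLATION_TAG in syslog_line


# Constructed sample output, before and after the change described in the post.
SAMPLE_BEFORE = (
    "SSH Enabled - version 2.0\n"
    "Authentication methods:publickey,keyboard-interactive,password\n"
    "Hostkey Algorithms:ssh-rsa\n"
)
SAMPLE_AFTER = (
    "SSH Enabled - version 2.0\n"
    "Authentication methods:publickey,keyboard-interactive,password\n"
    "Hostkey Algorithms:rsa-sha2-256,rsa-sha2-512,ssh-rsa\n"
)


def report(inventory: dict) -> List[HostkeyFinding]:
    """Assess every device in {name: show_ip_ssh_text} and return the findings."""
    return [assess_device(name, text) for name, text in inventory.items()]


if __name__ == "__main__":
    # Constructed inventory: two switch names mapped to their show ip ssh output.
    for f in report({"c9k-access-01": SAMPLE_BEFORE, "c9k-access-02": SAMPLE_AFTER}):
        status = "OK " if f.compliant else "FIX"
        print(f"{status} {f.device}: {','.join(f.offered) or '-'} ({f.reason})")
        if f.suggested_config:
            print(f"      {f.suggested_config}")
```

In practice the `show ip ssh` text would come from whatever you already use to collect command output from the switches; the check deliberately reads only the host-key line so it is unaffected by the rest of the output format.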