Last Modified: May 05, 2025
Affected Product(s):
F5OS F5OS, F5OS-A, F5OS-C, Velos
Known Affected Versions:
F5OS-A 1.8.0, F5OS-C 1.8.0
Opened: Sep 03, 2024 Severity: 3-Major
For systems that are not licensed for FIPS 140-3, F5OS permits configuration of various cryptographic parameters for the SSH system service. The administrator can configure the list of advertised ciphers, MACs, and key exchange algorithms, but for the host key algorithms the only thing an administrator can configure is whether or not the system supports the 'ssh-rsa' host key algorithm; all other host key algorithms are always enabled. For systems not licensed for FIPS 140-3, the host key algorithms that are always enabled are ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ssh-ed25519, rsa-sha2-512, and rsa-sha2-256. Attempting to explicitly configure any algorithm other than "ssh-rsa" fails with an error:

rseries(config-service-sshd)# system security services service sshd config host-key-algorithms [ ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ]
rseries(config-service-sshd)# commit
Aborted: 'system security services service sshd': ecdsa-sha2-nistp384-cert-v01@openssh.com Is not part of allowed HostKeyAlgorithms list
Attempting to configure host key algorithms for the system SSH daemon other than 'ssh-rsa' fails with an error:

Aborted: 'system security services service sshd': ecdsa-sha2-nistp384-cert-v01@openssh.com Is not part of allowed HostKeyAlgorithms list
An F5OS system that is NOT licensed for FIPS 140-3. The 'ssh-rsa' algorithm is disabled by default, but can be enabled by adding it to the configuration for SSH's advertised Host Key Algorithms:

rseries(config)# system security services service sshd config host-key-algorithms [ ssh-rsa ]
None
None
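Because the host key algorithm list cannot be narrowed on these builds, the useful check is to verify what the device actually advertises. The following is an added example, not code from F5 or from this article: it decodes the server_host_key_algorithms name-list from a raw SSH_MSG_KEXINIT payload (RFC 4253 layout assumed) and compares it with the fixed set named above; the KEXINIT bytes are constructed inline for offline use.

```python
import struct

# Host key algorithms that non-FIPS F5OS always advertises, per the bug description above.
F5OS_FIXED_HOSTKEY_ALGS = (
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
)
OPTIONAL_ALG = "ssh-rsa"  # the only host key algorithm the administrator can toggle
SSH_MSG_KEXINIT = 20

def _read_name_list(buf, off):
    """Decode one RFC 4251 name-list (uint32 length + comma-separated names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n

def host_key_algorithms(kexinit):
    """Return server_host_key_algorithms from a raw SSH_MSG_KEXINIT payload (RFC 4253 s7.1)."""
    if not kexinit or kexinit[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16                              # message id + 16-byte cookie
    _, off = _read_name_list(kexinit, off)    # kex_algorithms
    algs, _ = _read_name_list(kexinit, off)   # server_host_key_algorithms
    return algs

def audit_hostkey_algorithms(advertised, ssh_rsa_enabled=False):
    """Compare an advertised list with what non-FIPS F5OS can be configured to offer."""
    expected = set(F5OS_FIXED_HOSTKEY_ALGS) | ({OPTIONAL_ALG} if ssh_rsa_enabled else set())
    adv = set(advertised)
    return {
        "ssh_rsa_advertised": OPTIONAL_ALG in adv,  # SHA-1 signatures; expect False unless enabled
        "missing_fixed": sorted(set(F5OS_FIXED_HOSTKEY_ALGS) - adv),
        "unexpected": sorted(adv - expected),
    }

def build_kexinit(hostkey_algs, kex_algs=("curve25519-sha256",)):
    """Constructed sample KEXINIT (zero cookie, other name-lists empty) for offline testing."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    tail = nl(()) * 8 + b"\x00" + b"\x00\x00\x00\x00"  # 8 empty lists, first_kex_packet_follows, reserved
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + nl(kex_algs) + nl(hostkey_algs) + tail
```

To audit a real device, feed the payload of the server's KEXINIT packet (for example from a packet capture) to host_key_algorithms and pass the result to audit_hostkey_algorithms.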