Last Modified: Jun 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.5.0
Fixed In:
17.5.1
Opened: Apr 03, 2025
Severity: 3-Major
When a device is in Common Criteria mode, you cannot use ecdsa-sha2-nistp256 or ecdsa-sha2-nistp384 for SSH public key authentication. Additionally, you can use an RSA key, which you should not be able to do according to Common Criteria guidelines.
You cannot SSH with an ECDSA key, but you can with an RSA key.
-- Common Criteria mode is enabled
Workaround: in the file /config/ssh/sshd_config, on line 34, replace:

    HostKey /config/ssh/ssh_host_rsa_key

with:

    HostKey /config/ssh/ssh_host_ecdsa_key
    HostKey /config/ssh/ssh_host_ecdsa_p384_key

Note that this workaround must be applied after each reboot in ccmode, since the sshd_config file will revert after reboot.
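Because the file reverts on every reboot, the edit has to be repeatable. The shell function below is an added example, not F5 code: it performs the same HostKey replacement and leaves the file alone when it is already patched. The function name apply_cc_hostkeys, the .bak backup and the --apply switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not F5 code): idempotently re-apply the HostKey workaround.
# The function name, the .bak backup and the --apply switch are assumptions.

RSA_KEY=/config/ssh/ssh_host_rsa_key
ECDSA_KEY=/config/ssh/ssh_host_ecdsa_key
ECDSA_P384_KEY=/config/ssh/ssh_host_ecdsa_p384_key

# Prints "updated" or "unchanged"; returns non-zero on error.
apply_cc_hostkeys() {
    cfg="${1:-/config/ssh/sshd_config}"
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 2; }
    tmp="$(mktemp)" || return 2

    # Swap an active "HostKey <rsa path>" line for the two ECDSA lines.
    # sshd keywords are case-insensitive; commented-out lines do not match
    # because their first field is not "hostkey".
    awk -v rsa="$RSA_KEY" -v k1="$ECDSA_KEY" -v k2="$ECDSA_P384_KEY" '
        NF == 2 && tolower($1) == "hostkey" && $2 == rsa {
            print "HostKey " k1
            print "HostKey " k2
            next
        }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 2; }

    if cmp -s "$cfg" "$tmp"; then
        rm -f "$tmp"
        echo "unchanged"      # already applied, e.g. a second run
        return 0
    fi

    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    echo "updated"
}

# Only touch the real file when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
    apply_cc_hostkeys "${2:-}"
fi
```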
SSH public key authentication works as expected in ccmode.