Bug ID 2222185: Even if it's possible to configure multiple stanzas under the auth-info section of a security ssh profile, the SSH proxy will always choose the first one that has a private key

Last Modified: Feb 13, 2026

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
16.1.6.1, 17.1.3.1, 17.5.1.4, 21.0.0, 21.0.0.1

Opened: Feb 13, 2026

Severity: 3-Major

Symptoms

In a security ssh profile, it's possible to configure multiple stanzas under the 'auth-info' section. For example, using this configuration:

    security ssh profile f5-test-ssh-proxy {
        ...
        auth-info {
            ed25519 {
                proxy-server-auth {
                    private-key ...
                    public-key ...
                }
                proxy-client-auth {
                    private-key ...
                    public-key ...
                }
                real-server-auth {
                    public-key ...
                }
            }
            rsa {
                proxy-server-auth {
                    private-key ...
                    public-key ...
                }
                proxy-client-auth {
                    private-key ...
                    public-key ...
                }
                real-server-auth {
                    public-key ...
                }
            }
        }
        description none
        lang-env-tolerance common
        timeout 0
    }

Impact

On the client-side session establishment (external client to AFM), the SSH proxy will always choose the first section that has an entry with a proxy-server-auth private-key. On the server-side connection (AFM to backend server), the SSH proxy will always choose the first section that has an entry with a proxy-client-auth private-key.

Conditions

- AFM module licensed and provisioned.
- security ssh profile configured with multiple stanzas under the auth-info section.

Workaround

Configure only one stanza under the auth-info section of a security ssh profile.
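To find profiles that need this workaround, the following added example (not F5 code and not part of the original bug record) parses profile configuration text in the layout shown under Symptoms and reports, for each profile with more than one auth-info stanza, which stanza the Impact section says is used on each side. The names `parse` and `audit` and the placeholder key values are constructed for illustration; it assumes every leaf is a key/value pair and that "first" means the order in which stanzas are listed.

```python
import re

# Constructed sample in the layout shown under Symptoms; key values are placeholders.
SAMPLE = """
security ssh profile f5-test-ssh-proxy {
    auth-info {
        ed25519 {
            proxy-server-auth { private-key PLACEHOLDER_A public-key PLACEHOLDER_B }
            real-server-auth { public-key PLACEHOLDER_C }
        }
        rsa {
            proxy-server-auth { private-key PLACEHOLDER_D public-key PLACEHOLDER_E }
            proxy-client-auth { private-key PLACEHOLDER_F public-key PLACEHOLDER_G }
        }
    }
}
"""

def parse(tokens, i=0, top=True):
    """Turn brace-delimited tokens into nested dicts (listing order is kept)."""
    node, name = {}, []
    while i < len(tokens) and tokens[i] != "}":
        name.append(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "{":
            node[" ".join(name)], i = parse(tokens, i + 1, False)
            name = []
        elif not top and i < len(tokens) and tokens[i] != "}":
            node[name.pop()] = tokens[i]  # leaf: key followed by its value
            i += 1
    return node, i + 1

def audit(text):
    """Map each profile with >1 auth-info stanza to the stanza used per side:
    the first stanza whose entry for that side carries a private-key."""
    config, _ = parse(re.findall(r"[{}]|[^\s{}]+", text))
    findings = {}
    for header, body in config.items():
        auth = body.get("auth-info")
        if header.startswith("security ssh profile ") and isinstance(auth, dict):
            stanzas = {k: v for k, v in auth.items() if isinstance(v, dict)}
            if len(stanzas) > 1:
                findings[header.split()[-1]] = {
                    side: next((n for n, s in stanzas.items()
                                if isinstance(s.get(side), dict) and "private-key" in s[side]), None)
                    for side in ("proxy-server-auth", "proxy-client-auth")}
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the constructed sample the two sides resolve to different stanzas (ed25519 toward the client, rsa toward the backend), because the ed25519 stanza has no proxy-client-auth private-key.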

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips