The issue is that my router is running a version of FreeBSD that dropped support for less secure SSH methods (Ruckus RIOT partner RG Nets rXg). When I try to SSH into my ICX6450-C12P, I get the following error:
[admin@ ~]$ ssh email@example.com
Unable to negotiate with 10.10.2.3 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I tried configuring the switch (via telnet) with the following:
telnet@sw3(config)#crypto key gen rsa modulus 2048
The command "ip ssh key-exchange-method" is not recognized, as I'm guessing this is not a "FCX device".
Again, I'm running 80.0.30saT311 on this switch.
The other switches on this network are ICX 7250s running 08.0.80dT211. I am able to use SSH to communicate with them after running the "ip ssh key-exchange-method dh-group14-sha1" command.
That said, you can use RSA 2048 bit for ssh authentication algorithm.
Separate topic... you can disable AES-CBC encryption, which meets the standard of the Joint Interoperability Test Command (JITC). JITC is a United States military organization that tests technology pertaining to multiple branches of the armed services and the government.
ip ssh encryption disable-aes-cbc
I am a bit surprised no option is available for a larger RSA modulus, either. Many devices support 4096 bit RSA modulus.
Either way, RSA is slow to generate but faster than DSA to authenticate once configured.
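Added example, not part of the thread or of any vendor tooling: a small Python parser for the OpenSSH client's "Unable to negotiate" message quoted in the question. It reports which negotiation category failed, the ssh_config option that governs that category, and why each offered algorithm is considered legacy. The function names and the weakness rules are assumptions made for this example, and the second sample line is constructed.

```python
import re

# Shape of the message the OpenSSH client prints when negotiation fails.
_ERR = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>\S+)"
)

# ssh_config option that governs each negotiation category.
_OPTION = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

def weaknesses(alg):
    """Return the reasons an offered algorithm name is legacy (example rules)."""
    notes = []
    if "sha1" in alg or alg in ("ssh-rsa", "ssh-dss"):
        notes.append("SHA-1 hash")
    if alg.startswith("diffie-hellman-group1-"):
        notes.append("1024-bit DH group")
    if alg.endswith("-cbc"):
        notes.append("CBC-mode cipher")
    return notes

def parse_negotiation_error(line):
    """Parse one client error line; return None if it is a different message."""
    m = _ERR.search(line)
    if m is None:
        return None
    offer = m.group("offer").split(",")
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "category": m.group("kind"),
        "option": _OPTION.get(m.group("kind")),
        "offer": offer,
        "findings": {alg: weaknesses(alg) for alg in offer},
    }

if __name__ == "__main__":
    samples = [
        # Error line from the question above.
        "Unable to negotiate with 10.10.2.3 port 22: no matching key exchange "
        "method found. Their offer: diffie-hellman-group1-sha1",
        # Constructed sample for a cipher mismatch.
        "Unable to negotiate with 192.0.2.10 port 22: no matching cipher "
        "found. Their offer: aes128-cbc,aes256-cbc",
    ]
    for s in samples:
        print(parse_negotiation_error(s))
```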