I wouldn't use telnet... It is not encrypted nor secure!
Also, if you use SNMP, I would recommend only v3 for the same reasons.
We have been running 08.0.80 code since 08.0.80b and have not run into the SSH issue. I would say, "good for us," but that doesn't help you.
*knocks on wood* before I start having problems with hundreds of devices running 08.0.80d, but thus far SSH works fine in our environment every time!
Based on the post above, if you want to disable SmartZone:
sz disable
Here is our SSH config:
ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30
ip ssh scp disable
ip ssh encryption disable-aes-cbc
We are generating an RSA key with a 2048-bit modulus:
crypto key generate rsa modulus 2048
We are also using RADIUS for the authentication, with a backup account to authenticate if RADIUS is broken.
Our AAA looks like this:
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode
username backupacct password .....
!
radius-server host 10.1.2.3
radius-server host 10.4.5.6
radius-server key 2 $dyIqJzYoZmlpdUldZzBzRShTOjIwXzkzJUNmME8rQjBdNE9QTG1JPVUiOidpFtGh4m2TaCU0XF44XDojb3RrZw==
Each device is uniquely keyed, though if you really want, you can create a 10.0.0.0/8 entry in RADIUS, for example, or whatever your switch management IPs are, and key everything with one entry if that is your desire.
If you do not run RADIUS, your AAA will be something like:
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode
Locking down by OOB or Access List (Unrelated):
Forgot to mention I would lock down SSH access to either Out-of-Band Management or an Access list.
If you do an ACL, you want to make a simple Standard numbered or named Access list, so you are filtering simply based on the source.
A permit allows access, a deny doesn't. The lists are processed top down, and once it matches, execution terminates. There is an implicit deny all at the end, so if nothing matches and returns permit, then access will be denied.
Let's say you want to allow only one device to be able to SSH:
Here would be the Standard ACL statement:
permit host 10.1.2.3
You would apply it like:
ssh access-group
Specifically:
<1-99> Standard IP access list
ASCII string Standard Access List Name
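
The top-down, first-match behaviour with an implicit deny that the post describes, as an added example that is not part of the original post. It models a standard ACL in Python and flags entries that can never match because an earlier entry already covers them; the function names, the CIDR notation and every address except 10.1.2.3 are assumptions made for the example.

```python
import ipaddress

# Constructed sample lists. "permit host 10.1.2.3" is the entry from the post;
# the other entries and the CIDR notation are this example's own assumptions.
ACL_ONE_HOST = ["permit host 10.1.2.3"]
ACL_ORDERED = ["deny host 10.1.2.50", "permit 10.1.2.0/24"]
ACL_MISORDERED = ["permit 10.1.2.0/24", "deny host 10.1.2.50"]

def parse_entry(line):
    """Turn 'permit host A.B.C.D' or 'permit|deny A.B.C.D/len' into (action, network)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    if parts[1] == "host" and len(parts) == 3:
        return parts[0], ipaddress.ip_network(parts[2] + "/32")
    if len(parts) == 2:
        return parts[0], ipaddress.ip_network(parts[1], strict=False)
    raise ValueError(f"unsupported entry: {line!r}")

def evaluate(acl, source):
    """Return (decision, index of the matching entry or None for the implicit deny)."""
    src = ipaddress.ip_address(source)
    for index, line in enumerate(acl):
        action, network = parse_entry(line)
        if src in network:          # first match wins; later entries are never read
            return action, index
    return "deny", None             # nothing matched: implicit deny all

def shadowed(acl):
    """List (entry, earlier_entry) index pairs where the entry can never match."""
    parsed = [parse_entry(line) for line in acl]
    pairs = []
    for i, (_, network) in enumerate(parsed):
        for j in range(i):
            if network.subnet_of(parsed[j][1]):
                pairs.append((i, j))
                break
    return pairs

if __name__ == "__main__":
    for name, acl in [("one host", ACL_ONE_HOST), ("ordered", ACL_ORDERED),
                      ("misordered", ACL_MISORDERED)]:
        for src in ("10.1.2.3", "10.1.2.50", "10.9.9.9"):
            print(name, src, evaluate(acl, src))
        print(name, "shadowed:", shadowed(acl))
```

In the misordered list the deny for 10.1.2.50 is never reached, so that host is permitted by the broader entry above it.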