ms264556.net

Appearance

Change Unleashed / ZoneDirector SSH Host Key Algorithm to ECDSA

Ruckus Unleashed / ZoneDirector use 2048 bit RSA SSH host keys.
This algorithm is deprecated, so most SSH clients will refuse to connect unless you explicitly specify -oHostKeyAlgorithms=+ssh-rsa on your ssh commandline.
(If your AP / ZoneDirector is really old, you will need to specify -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc).

Sure, you can permanently add HostKeyAlgorithms +ssh-rsa to your ~/.ssh/config file.
But you might prefer to tweak your Unleashed or ZoneDirector to use (secure, non-deprecated) ECDSA instead...

Unleashed ECDSA SSH Host Key Procedure

WARNING

This procedure changes only the Master AP - you will need to follow the same procedure again if another AP begins acting as Master.

This patch should be uploaded as a Preload Image (Admin & Services > Administration > Upgrade > Local Upgrade > Preload Image).

The upload process completes the change; no upgrade will be offered.

TIP

If you run into problems and need to go back to using an RSA host key for SSH then you can apply this patch to generate a new RSA key.

TIP

You can, if you wish, create the patch yourself, or decrypt the patch to verify it's only doing what it should.

Unleashed releases after 30 Aug 2023 (e.g. 200.7.10.202.145+, 200.14.6.1.203+)

Patching is disabled on newer AP firmwares.

If your AP was released before mid-2022 then you can backup your configuration, temporarily downgrade to an older Unleashed firmware, apply the patch, and then re-upgrade.

Make a note of your current software version - you'll need to upgrade to this exact version to restore your configuration backup.

ZoneDirector 1200 ECDSA SSH Host Key Procedure

This patch should be uploaded as a Software Upgrade (Administer > Upgrade > Software Upgrade).

The upload process completes the patching; no upgrade will be offered. Instead you will receive confirmation the patch has successfully completed.

TIP

If you run into problems and need to go back to using an RSA host key for SSH then you can apply this patch to generate a new RSA key.

TIP

You can, if you wish, create the patch yourself, or decrypt the patch to verify it's only doing what it should.

ZoneDirector releases after 31 Aug 2023 (e.g. 10.2.1.0.236+, 10.5.1.0.265+)

Ruckus implemented firmware signing in ZoneDirector 10.2.1.0 build 236 and 10.5.1.0 build 265.
So you will need to download an older 10.2.1.0 or 10.5.1.0 build from https://support.ruckuswireless.com/software (e.g. I used 10.5.1.0 build 255) and do an 'upgrade' (Administer > Upgrade).

TIP

Your support entitlement isn't checked if you're just installing a different build of the currently installed ZoneDirector version.

Once you've followed the procedure, above, for older ZoneDirector releases, then you can re-upgrade your ZoneDirector.

Released under the BSD Zero Clause License.

Copyright © 2020-present