Created on 10-19-2023 10:10 PM
Edited on 11-14-2024 04:16 PM
By _mribwan
Description
This article describes how SSH server host key algorithms can be changed on FortiGate.
Scope
FortiGate v7.4.
Solution
Starting with v7.4.0, FortiGate can change the SSH server host key algorithms it offers when acting as an SSH server.
By default, FortiGate offers all of the host key algorithms:
The same can be verified in the Wireshark capture as below:
SSH server host key algorithms can be modified on FortiGate.
Multiple ssh-hostkey-algo values can be set on FortiGate.
To disable a particular algorithm, unselect it by running the following command:
unselect ssh-kex-algo (algorithm to be removed)
Example:
Gerah-kvm05 # conf sys global
Gerah-kvm05 (global) # sh full | grep ssh-kex-algo
Gerah-kvm05 (global) # unselect ssh-kex-algo ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
Gerah-kvm05 (global) # sh full | grep ssh-kex-algo
Gerah-kvm05 # end
The change can also be verified in the PCAP.
After disabling strong-crypto, ssh-hostkey-algo will also display the ssh-rsa option:
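The Wireshark checks above read the server's SSH_MSG_KEXINIT to see which host key and key exchange algorithms FortiGate advertises. The following added example (not from the article or from Fortinet) does the same decoding in code, as per RFC 4253 section 7.1, over a constructed sample packet; the live-capture step is left to the reader, and the "weak" list (ssh-rsa, ssh-dss, both SHA-1 based) is an assumed policy, not something the article defines.

```python
"""Decode an SSH_MSG_KEXINIT (RFC 4253 s7.1) and list the host key and KEX
algorithms a server advertises.  The sample packet is constructed, not captured."""
import struct

NAME_LISTS = ["kex_algorithms", "server_host_key_algorithms",
              "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
              "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c"]

def build_kexinit(lists):
    """Wrap ten name-lists in an unencrypted SSH binary packet (sample input only)."""
    payload = bytes([20]) + b"\x00" * 16          # SSH_MSG_KEXINIT id + 16-byte cookie
    for key in NAME_LISTS:
        body = ",".join(lists.get(key, [])).encode("ascii")
        payload += struct.pack(">I", len(body)) + body
    payload += b"\x00" + b"\x00\x00\x00\x00"      # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8              # pad to 8-byte blocks, at least 4 bytes
    pad += 8 if pad < 4 else 0
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad

def parse_kexinit(packet):
    """Return {name_list: [algorithms]} from a raw (unencrypted) KEXINIT packet."""
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    payload = packet[5:5 + packet_len - padding_len - 1]
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    off, out = 17, {}                              # skip message id and cookie
    for key in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        text = payload[off:off + n].decode("ascii")
        out[key] = [a for a in text.split(",") if a]
        off += n
    return out

def weak_host_key_algos(offered, weak=("ssh-rsa", "ssh-dss")):
    """Flag host key algorithms a hardened configuration would not offer (assumed policy)."""
    return [a for a in offered["server_host_key_algorithms"] if a in weak]

# Constructed sample: a server offering ssh-rsa alongside the SHA-2 RSA variants
SAMPLE = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "encryption_c2s": ["aes256-gcm@openssh.com"], "encryption_s2c": ["aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})
```

Feed the first unencrypted packet the FortiGate sends after the version banner to parse_kexinit to compare the live offer against the ssh-hostkey-algo setting.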
For v7.4.4 and later, the ssh-hostkey-algo command has been moved from the config system global setting to the config system ssh-config setting.
config system ssh-config