diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md index 5d1f52b08a1..54f5e997083 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md @@ -36,6 +36,12 @@ interface Management1 ### Management SSH +#### Authentication Settings + +| Authentication protocols | Empty passwords | +| ------------------------ | --------------- | +| keyboard-interactive, password, public-key | permit | + #### IPv4 ACL | IPv4 ACL | VRF | @@ -75,8 +81,10 @@ management ssh ip access-group ACL-SSH in ip access-group ACL-SSH-VRF vrf mgt in idle-timeout 15 + authentication protocol keyboard-interactive password public-key connection limit 50 connection per-host 10 + authentication empty-passwords permit client-alive interval 666 client-alive count-max 42 fips restrictions diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg index f26acf54dad..df5ea4e292c 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg @@ -8,8 +8,10 @@ management ssh ip access-group ACL-SSH in ip access-group ACL-SSH-VRF vrf mgt in idle-timeout 15 + authentication protocol keyboard-interactive password public-key connection limit 50 connection per-host 10 + authentication empty-passwords permit client-alive interval 666 client-alive count-max 42 fips restrictions 
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml index c49e1229585..c3ca0f4826f 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml @@ -1,4 +1,10 @@ management_ssh: + authentication: + empty_passwords: permit + protocols: + - keyboard-interactive + - password + - public-key access_groups: - name: ACL-SSH - name: ACL-SSH-VRF diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md index 1b612e87e6f..c9b7bd83c63 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md @@ -8,6 +8,10 @@ | Variable | Type | Required | Default | Value Restrictions | Description | | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [management_ssh](## "management_ssh") | Dictionary | | | | | + | [  authentication](## "management_ssh.authentication") | Dictionary | | | | | + | [    empty_passwords](## "management_ssh.authentication.empty_passwords") | String | | | Valid Values:
- auto
- deny
- permit | Permit or deny empty passwords for SSH authentication. | + | [    protocols](## "management_ssh.authentication.protocols") | List, items: String | | | | Allowed SSH authentication methods. | + | [      - <str>](## "management_ssh.authentication.protocols.[]") | String | | | Valid Values:
- keyboard-interactive
- password
- public-key | | | [  access_groups](## "management_ssh.access_groups") | List, items: Dictionary | | | | | | [    - name](## "management_ssh.access_groups.[].name") | String | | | | Standard ACL Name. | | [      vrf](## "management_ssh.access_groups.[].vrf") | String | | | | VRF Name. | @@ -43,6 +47,14 @@ ```yaml management_ssh: + authentication: + + # Permit or deny empty passwords for SSH authentication. + empty_passwords: + + # Allowed SSH authentication methods. + protocols: + - access_groups: # Standard ACL Name. diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 index 84e00836228..9fe10435bfc 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 @@ -7,6 +7,20 @@ {% if management_ssh is arista.avd.defined %} ### Management SSH +{% if management_ssh.authentication is arista.avd.defined %} + +#### Authentication Settings + +| Authentication protocols | Empty passwords | +| ------------------------ | --------------- | +{% if management_ssh.authentication.protocols is arista.avd.defined %} +{% set protocols = management_ssh.authentication.protocols | join(", ") %} +{% else %} +{% set protocols = 'keyboard-interactive, public-key' %} +{% endif %} +{% set empty_passwords = management_ssh.authentication.empty_passwords | arista.avd.default('auto') %} +| {{ protocols }} | {{ empty_passwords }} | +{% endif %} {% if management_ssh.access_groups is arista.avd.defined %} #### IPv4 ACL diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 index b0181d59a56..421217afdc6 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 
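Review bot: The fallbacks in the added Authentication Settings block, `'keyboard-interactive, public-key'` for protocols and `arista.avd.default('auto')` for empty passwords, are printed in the table as if they were configured, although the eos template in this commit emits no CLI when those keys are unset. If the platform default differs between EOS releases, the generated documentation would state an SSH authentication posture that nobody configured, which is misleading in an audit of allowed login methods. I would render the unset case neutrally, e.g. `{% set protocols = '-' %}` and `arista.avd.default('-')`, or label the cell explicitly as a platform default. The enclosing `{% if management_ssh is arista.avd.defined %}` block continues outside the hunk.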
+++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 @@ -30,12 +30,18 @@ management ssh {% if management_ssh.idle_timeout is arista.avd.defined %} idle-timeout {{ management_ssh.idle_timeout }} {% endif %} +{% if management_ssh.authentication.protocols is arista.avd.defined %} + authentication protocol {{ management_ssh.authentication.protocols | join(" ") }} +{% endif %} {% if management_ssh.connection.limit is arista.avd.defined %} connection limit {{ management_ssh.connection.limit }} {% endif %} {% if management_ssh.connection.per_host is arista.avd.defined %} connection per-host {{ management_ssh.connection.per_host }} {% endif %} +{% if management_ssh.authentication.empty_passwords is arista.avd.defined %} + authentication empty-passwords {{ management_ssh.authentication.empty_passwords }} +{% endif %} {% if management_ssh.client_alive.interval is arista.avd.defined %} client-alive interval {{ management_ssh.client_alive.interval }} {% endif %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml index 80488a6a724..1bd9f63956a 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml @@ -7189,6 +7189,25 @@ keys: management_ssh: type: dict keys: + authentication: + type: dict + keys: + empty_passwords: + type: str + valid_values: + - auto + - deny + - permit + description: Permit or deny empty passwords for SSH authentication. + protocols: + type: list + items: + type: str + valid_values: + - keyboard-interactive + - password + - public-key + description: Allowed SSH authentication methods. access_groups: type: list items: 
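Review bot: An empty `protocols` list would presumably still pass the `arista.avd.defined` test on the added `authentication protocol` line, so the template would emit `authentication protocol ` with no method after it, and the schema added in this commit does not forbid an empty list. I would guard on content as well, `{% if management_ssh.authentication.protocols is arista.avd.defined and management_ssh.authentication.protocols | length > 0 %}`, or enforce a minimum length in the schema if it supports one. The `empty-passwords` block would also benefit from a template comment such as `{# 'permit' allows SSH login to accounts that have no password set #}`, because the value is passed straight through to the device. The `management ssh` block starts and ends outside the hunk.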
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml index 357cc48c098..a2ba18dc9df 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml @@ -10,6 +10,19 @@ keys: management_ssh: type: dict keys: + authentication: + type: dict + keys: + empty_passwords: + type: str + valid_values: ["auto", "deny", "permit"] + description: Permit or deny empty passwords for SSH authentication. + protocols: + type: list + items: + type: str + valid_values: ["keyboard-interactive", "password", "public-key"] + description: Allowed SSH authentication methods. access_groups: type: list items:
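Review bot: The description of `empty_passwords` does not tell a user what `permit` does to the security of the device or what applies when the key is left unset, and this text is what ends up in the generated variable tables. I would extend it to something like `description: Permit or deny empty passwords for SSH authentication. 'permit' allows accounts without a password to log in over SSH. When unset, the EOS default applies.` The `protocols` description could likewise note that adding `password` enables password logins alongside `public-key`. The hunk in eos_cli_config_gen.schema.yml carries the same descriptions and is presumably regenerated from this fragment.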