Solution to ssh for vrf management in OS9 switch

For security reasons, also to match best practice, we suggest to put oob management interface 
into the dedicated management vrf, but some customers feedback after doing that changes, 
They get ssh or telnet failure while trying remote login to OS9 switch. 
But, before adding the management vrf, all work fine(in default vrf), no above problems. 

Key vrf settings: 

OS9# show run vrf
!
ip vrf management
 interface management
OS9#
OS9# show run int managementethernet 1/1
!
interface ManagementEthernet 1/1
 ip address 100.72.22.55/24
 no shutdown
OS9#
OS9# show run management-route
!
management route 0.0.0.0/0 100.72.22.1
OS9#

Login Authentication related configurations: 

OS9# show run
Current Configuration ...
! Version 9.14(2.11)
...<output omitted>... 
!
username dell password dell privilege 15 role sysadmin
!
aaa authentication login test local none
!
ip ssh server enable
!
line vty 0 9
 login authentication test
!
...<output omitted>... 

Ping is fine: 

C:\>ping 100.72.22.55
Pinging 100.72.22.55 with 32 bytes of data:
Reply from 100.72.22.55: bytes=32 time=244ms TTL=238
Reply from 100.72.22.55: bytes=32 time=244ms TTL=238
Reply from 100.72.22.55: bytes=32 time=244ms TTL=238
Reply from 100.72.22.55: bytes=32 time=243ms TTL=238
Ping statistics for 100.72.22.55:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 243ms, Maximum = 244ms, Average = 243ms
C:\>

SSH login failure as below (putty output): 

From OS9 user guide, we can find the answer and solution to the problem. 

Notice below difference for vrf in OS9 : 
1).

 "ip ssh server vrf"

Configure an SSH server on either a specific VRF or a management VRF. 
2).

 "ip ssh vrf" 

 Specify a VRF for an outgoing SSH connections. 

The first command is to set switch as ssh server in a specific VRF or a management VRF, or set to any to support all vrf. 
So it's to set in which vrf, the switch will provide ssh service to others. (switch is target, like servers)

The second command is to set which vrf used when you do ssh from switch, means the ssh session locates in which vrf. 
So it's used for swtich-itself when doing ssh from switch to other devices. (switch is initiator)

After we figure the above out, we should know that there is one command lost: 

OS9(conf)# ip ssh server vrf ?

any                     Enable server access from any VRF      ---// set to support any vrf, 
management              Enable server in management VRF      ---// set to support vrf management only, 

OS9(conf)#

That's the reason why fail to login switch by ssh after setting vrf, key configuration lost.

After knowing the reason, we can fix it by adding the following configuration: 
OS9(conf)# ip ssh server vrf any   ---// set switch to provide ssh service in all vrf, 

Then, SSH login successful as below (putty output):