

Host Keys

To enable elliptic curve host keys for Tectia Client, add the ECDSA host-key algorithms to the <hostkey-algorithms> element of your ssh-broker-config.xml, removing any algorithms you do not wish to allow. The <hostkey-algorithms> element goes below any <kexs> element; if the <kexs> section does not exist, place it above the <authentication-methods> element.


<hostkey-algorithms>
  <hostkey-algorithm name="ecdsa-sha2-nistp256" />
  <hostkey-algorithm name="ecdsa-sha2-nistp384" />
  <hostkey-algorithm name="ecdsa-sha2-nistp521" />
  <hostkey-algorithm name="ssh-dss" />
  <hostkey-algorithm name="ssh-rsa" />
  <hostkey-algorithm name="" />
  <hostkey-algorithm name="" />
  <hostkey-algorithm name="x509v3-sign-dss" />
  <hostkey-algorithm name="x509v3-sign-rsa" />
  <hostkey-algorithm name="" />
  <hostkey-algorithm name="" />
</hostkey-algorithms>


To enable ECDSA host keys for X.509, also add the following hostkey-algorithm names: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521.

A test connection looks like this (the -vv option was used for basic debug output, and some noise was removed from the output):

$ sshg3 -vv root@ 
2015-08-24 15:40:28: 6200 Broker_tcp_connect, Dst:, Dst Port: 22,  
Src Port: 49189, Local username: johnd 
2015-08-24 15:40:28: 1002 Algorithm_negotiation_success, 
"kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ecdsa-sha2-nistp256, 
cipher=crypticore128@, , compression=none/none", 
Session-Id: 31 
2015-08-24 15:40:29: 6204 Broker_transport_connect, Dst:, 
Dst Port: 22, Remote username: root, Src Port: 49189, Local username: johnd,
Session-Id: 31
2015-08-24 15:40:29: 1003 KEX_success, Algorithm: diffie-hellman-group1-sha1, 
Modulus: 1024 bits, Session-Id: 31, Protocol-session-Id: 
2015-08-24 15:40:29: 703 Auth_methods_available, Auth methods: 
gssapi-with-mic,password,publickey,keyboard-interactive, Session-Id: 31 
2015-08-24 15:40:29: 6303 Broker_userauth_method_failure, "publickey", 
Session-Id: 31 
 root@'s password:
Server hostkey algorithm: ecdsa-sha2-nistp256 
Server identity: 256 bit ecdsa key
SHA-1: bd6a1d45f262db8095ee5e6a2eb1c3fac7111d00
Authentication successful.
Last login: Mon Aug 24 2015 08:31:29 -0400 from 
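
An added example (not part of the Tectia documentation): a Python check that reads `sshg3 -vv` output like the session above, re-joins the wrapped lines, confirms that the negotiated host-key algorithm is one of the ECDSA names configured earlier, and reports the key-exchange modulus size. The 2048-bit floor, the function names and the sample log (including its cipher value) are assumptions made for this example.

```python
import re

ECDSA_HOSTKEYS = {f"{p}ecdsa-sha2-nistp{b}"  # names from the configuration above
                  for p in ("", "x509v3-") for b in (256, 384, 521)}
MIN_MODULUS_BITS = 2048  # assumed policy floor, not a Tectia setting
# A record starts with "YYYY-MM-DD hh:mm:ss: <id> <Event_name>,".
RECORD_START = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: \d+ (\w+),?\s*(.*)$")
# Constructed sample modelled on the output above (host names left out).
SAMPLE_LOG = """\
2015-08-24 15:40:28: 1002 Algorithm_negotiation_success,
"kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ecdsa-sha2-nistp256,
cipher=aes128-ctr, compression=none/none", Session-Id: 31
2015-08-24 15:40:29: 1003 KEX_success, Algorithm: diffie-hellman-group1-sha1,
Modulus: 1024 bits, Session-Id: 31
"""

def records(text):
    """Yield (event, body), re-joining lines that the terminal wrapped."""
    event, parts = None, []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            if event:
                yield event, " ".join(parts)
            event, parts = m.group(1), [m.group(2)]
        elif event and line.strip():
            parts.append(line.strip())
    if event:
        yield event, " ".join(parts)

def audit(text):
    """Return (negotiated parameters, findings) for one logged session."""
    negotiated, findings = {}, []
    for event, body in records(text):
        if event == "Algorithm_negotiation_success":
            quoted = re.search(r'"([^"]*)"', body)
            for pair in (quoted.group(1) if quoted else "").split(","):
                key, sep, value = pair.strip().partition("=")
                if sep:  # skips empty fragments left by elided values
                    negotiated[key] = value
        elif event == "KEX_success" and (m := re.search(r"Modulus:\s*(\d+)\s*bits", body)):
            negotiated["modulus_bits"] = int(m.group(1))
    hostkey = negotiated.get("hostkey_algorithm")
    if hostkey not in ECDSA_HOSTKEYS:
        findings.append(f"host key algorithm is {hostkey!r}, not ECDSA")
    bits = negotiated.get("modulus_bits")
    if bits is not None and bits < MIN_MODULUS_BITS:
        findings.append(f"{negotiated.get('kex_algorithm')} used a {bits}-bit modulus")
    return negotiated, findings
```

On a session like the one shown above, `audit` accepts the ecdsa-sha2-nistp256 host key and reports the 1024-bit diffie-hellman-group1-sha1 key exchange as a finding.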



