Configuring KEXs

The key exchange (KEX) algorithms to use can be selected in the sshd2_config file. Multiple KEXs can be specified as a comma-separated list.

KEXs                diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

The system attempts the KEX algorithms in the order in which they are specified on the line. The supported KEX algorithms are the following:

  • diffie-hellman-group14-sha1

  • diffie-hellman-group1-sha1

  • diffie-hellman-group14-sha224@ssh.com

  • diffie-hellman-group14-sha256@ssh.com

  • diffie-hellman-group15-sha256@ssh.com

  • diffie-hellman-group15-sha384@ssh.com

  • diffie-hellman-group16-sha384@ssh.com

  • diffie-hellman-group16-sha512@ssh.com

  • diffie-hellman-group18-sha512@ssh.com

Special values for this option are the following:

  • Any: allows all the KEX algorithms

  • AnyStd: allows only the KEXs mentioned in the IETF-SecSh-draft. They are: diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.

  • AnyKEX: the same as Any

  • AnyStdKEX: the same as AnyStd.

The default KEX algorithms are:

  • diffie-hellman-group14-sha1

  • diffie-hellman-group1-sha1

  • diffie-hellman-group14-sha256@ssh.com
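
To see which algorithms a given KEXs line actually enables, and in what order, the following added example (not part of the original documentation or the product) expands the special values and falls back to the defaults listed above. Its assumptions: keyword and special values are matched case-insensitively, only the first uncommented KEXs line is read, and labelling every SHA-1 based KEX as weak (group1 also for its 1024-bit group) is this example's policy.

```python
import re

# Names, special values and defaults exactly as listed on this page.
SUPPORTED = [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha224@ssh.com",
    "diffie-hellman-group14-sha256@ssh.com",
    "diffie-hellman-group15-sha256@ssh.com",
    "diffie-hellman-group15-sha384@ssh.com",
    "diffie-hellman-group16-sha384@ssh.com",
    "diffie-hellman-group16-sha512@ssh.com",
    "diffie-hellman-group18-sha512@ssh.com",
]
STD = SUPPORTED[:2]
DEFAULT = STD + ["diffie-hellman-group14-sha256@ssh.com"]
SPECIAL = {"any": SUPPORTED, "anykex": SUPPORTED, "anystd": STD, "anystdkex": STD}

def effective_kexs(config_text):
    """Ordered KEX list the config enables; the page's defaults if no KEXs line."""
    m = re.search(r"^[ \t]*KEXs[ \t]+(.+)$", config_text, re.M | re.I)
    if not m:
        return list(DEFAULT)
    names = []
    for item in m.group(1).split(","):
        # Assumption: special values are matched case-insensitively.
        names += SPECIAL.get(item.strip().lower(), [item.strip()])
    return list(dict.fromkeys(names))  # de-duplicate, keep first position

def audit(config_text):
    """Return (name, verdict) pairs in the order the algorithms are tried."""
    report = []
    for name in effective_kexs(config_text):
        if name not in SUPPORTED:
            verdict = "unknown"
        elif name == "diffie-hellman-group1-sha1":
            verdict = "weak: 1024-bit group, SHA-1"
        elif name.endswith("-sha1"):
            verdict = "weak: SHA-1"
        else:
            verdict = "ok"
        report.append((name, verdict))
    return report

# Constructed sample config, not taken from a real host.
SAMPLE = "# constructed sample\nKEXs    diffie-hellman-group16-sha512@ssh.com,AnyStd\n"

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run against the sample, the audit shows that appending AnyStd to a strong algorithm re-enables both SHA-1 exchanges, and that a file with no KEXs line still enables them through the defaults.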