SSH

Configuring KEXs

The key exchange (KEX) algorithms to be used can be selected in the sshd2_config file. Multiple KEXs can be specified as a comma-separated list.

KEXs                diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

The system attempts to use the KEX algorithms in the order in which they are specified on the line. The supported KEX algorithms are the following:

diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha224@ssh.com
diffie-hellman-group14-sha256@ssh.com
diffie-hellman-group15-sha256@ssh.com
diffie-hellman-group15-sha384@ssh.com
diffie-hellman-group16-sha384@ssh.com
diffie-hellman-group16-sha512@ssh.com
diffie-hellman-group18-sha512@ssh.com

Special values for this option are the following:

  • Any: allows all the KEX algorithms

  • AnyStd: allows only the KEXs mentioned in the IETF SecSh draft. They are: diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.

  • AnyKEX: the same as Any

  • AnyStdKEX: the same as AnyStd.

The default KEX algorithms are: diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 and diffie-hellman-group14-sha256@ssh.com.
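
The following audit helper is an added example, not part of the product or its documentation. It resolves the KEX list that an sshd2_config enables (expanding the special values and falling back to the default listed above) and flags entries that use the 1024-bit group1 or a SHA-1 exchange hash. The comment syntax, keyword case-insensitivity, last-occurrence-wins behaviour and the flagging policy are assumptions of the example.

```python
import re

# Algorithm names and special values as listed on this page.
SUPPORTED = [
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha224@ssh.com", "diffie-hellman-group14-sha256@ssh.com",
    "diffie-hellman-group15-sha256@ssh.com", "diffie-hellman-group15-sha384@ssh.com",
    "diffie-hellman-group16-sha384@ssh.com", "diffie-hellman-group16-sha512@ssh.com",
    "diffie-hellman-group18-sha512@ssh.com",
]
STD = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
DEFAULT = STD + ["diffie-hellman-group14-sha256@ssh.com"]
SPECIAL = {"any": SUPPORTED, "anykex": SUPPORTED, "anystd": STD, "anystdkex": STD}

def effective_kexs(config_text):
    """Return the ordered KEX list a config enables (page default if KEXs is unset)."""
    value = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        # assumption: the keyword is matched case-insensitively
        m = re.match(r"kexs\s+(\S.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1)                 # assumption: last occurrence wins
    if value is None:
        return list(DEFAULT)
    out = []
    for tok in (t.strip() for t in value.split(",")):
        for name in SPECIAL.get(tok.lower(), [tok]):
            if name and name not in out:       # keep first position, drop duplicates
                out.append(name)
    return out

def audit(config_text):
    """Flag enabled KEXs that are unknown, use the 1024-bit group1, or hash with SHA-1."""
    findings = []
    for pos, name in enumerate(effective_kexs(config_text), 1):
        if name not in SUPPORTED:
            findings.append((pos, name, "not in the supported list"))
        elif "-group1-" in name:
            findings.append((pos, name, "1024-bit DH group"))
        elif name.split("@")[0].endswith("-sha1"):
            findings.append((pos, name, "SHA-1 exchange hash"))
    return findings

# Constructed sample input: the example KEXs line from this page.
SAMPLE = "KEXs                diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n"
```

The position in each finding is the algorithm's rank in the preference order, so a weak entry at position 1 is the one the system will try first.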