SSH

Configuring KEXs

The key exchange (KEX) algorithms that the server offers can be selected in the sshd2_config file. Multiple KEXs can be specified as a comma-separated list.

KEXs     diffie-hellman-group14-sha1,diffie-hellman-group14-sha224@ssh.com

The system will attempt to use the KEX algorithms in the order in which they are specified on the line. The supported KEX algorithms are the following:

diffie-hellman-group14-sha1              diffie-hellman-group16-sha384@ssh.com
diffie-hellman-group1-sha1               diffie-hellman-group16-sha512@ssh.com
diffie-hellman-group14-sha224@ssh.com    diffie-hellman-group18-sha512@ssh.com
diffie-hellman-group14-sha256@ssh.com    ecdh-sha2-nistp256
diffie-hellman-group15-sha256@ssh.com    ecdh-sha2-nistp384
diffie-hellman-group15-sha384@ssh.com    ecdh-sha2-nistp521

Special values for this option are the following:

  • Any: includes all supported KEX algorithms.

  • AnyStd: includes the following KEXs from the IETF SSH standards: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1.

  • AnyKEX: the same as Any.

  • AnyStdKEX: the same as AnyStd.

The default KEX algorithms are: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256@ssh.com.
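
To review what a given sshd2_config actually offers, the following added example (not from the SSH Tectia documentation or product) resolves a KEXs value into its ordered algorithm list, using the names, special values and defaults listed on this page. It assumes `#` starts a comment, that the keyword and special values are matched case-insensitively, that the last KEXs line wins and that Any expands in the page's listing order; the function name `effective_kexs` and the SHA-1 review flag are this example's own choices.

```python
import re

# Supported KEX names, copied from the list on this page.
SUPPORTED = [
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha224@ssh.com", "diffie-hellman-group14-sha256@ssh.com",
    "diffie-hellman-group15-sha256@ssh.com", "diffie-hellman-group15-sha384@ssh.com",
    "diffie-hellman-group16-sha384@ssh.com", "diffie-hellman-group16-sha512@ssh.com",
    "diffie-hellman-group18-sha512@ssh.com",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
]
ANY_STD = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
           "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
DEFAULT = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
           "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256@ssh.com"]
# Assumption: "Any" expands in the page's listing order; the server's own order may differ.
SPECIAL = {"any": SUPPORTED, "anykex": SUPPORTED, "anystd": ANY_STD, "anystdkex": ANY_STD}

def effective_kexs(config_text):
    """Return (ordered KEX list, unknown names, SHA-1-based names)."""
    value = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()        # assumption: '#' starts a comment
        m = re.match(r"(?i)kexs\s+(\S.*)$", line)   # assumption: keyword ignores case
        if m:
            value = m.group(1)                       # assumption: last KEXs line wins
    if value is None:
        names = list(DEFAULT)                        # option absent: the page's default list
    else:
        names = [n.strip() for n in value.split(",") if n.strip()]
    ordered, unknown = [], []
    for name in names:
        for kex in SPECIAL.get(name.lower(), [name]):  # assumption: special values ignore case
            if kex not in SUPPORTED:
                unknown.append(kex)                  # typo or unsupported name
            elif kex not in ordered:
                ordered.append(kex)                  # keep first occurrence, preserve order
    sha1 = [k for k in ordered if k.endswith("-sha1")]  # review flag chosen for this example
    return ordered, unknown, sha1

# Constructed sample: the KEXs line shown on this page plus a misspelled name.
SAMPLE = """# constructed sample sshd2_config fragment
KEXs     diffie-hellman-group14-sha1,diffie-hellman-group14-sha224@ssh.com,ecdh-sha2-nistp512
"""

if __name__ == "__main__":
    kexs, unknown, sha1 = effective_kexs(SAMPLE)
    print("order:", kexs, "\nunknown:", unknown, "\nSHA-1 based:", sha1)
```
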
