SSH

Configuring KEXs

The key exchange (KEX) algorithms to be used can be selected in the sshd2_config file. Multiple KEXs can be specified as a comma-separated list.

KEXs     diffie-hellman-group14-sha1,diffie-hellman-group14-sha224@ssh.com

The system attempts to use the KEX algorithms in the order in which they are specified on the line. The supported KEX algorithms are the following:

  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha224@ssh.com
  • diffie-hellman-group14-sha256@ssh.com
  • diffie-hellman-group15-sha256@ssh.com
  • diffie-hellman-group15-sha384@ssh.com
  • diffie-hellman-group16-sha384@ssh.com
  • diffie-hellman-group16-sha512@ssh.com
  • diffie-hellman-group18-sha512@ssh.com
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

Special values for this option are the following:

  • Any: includes all supported KEX algorithms.

  • AnyStd: includes the following KEXs from the IETF SSH standards: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1.

  • AnyKEX: the same as Any.

  • AnyStdKEX: the same as AnyStd.

The default KEX algorithms are: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256@ssh.com.
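The following audit script is an added example, not part of the product or its documentation. It resolves the effective KEX preference order from sshd2_config text using the special values and default listed above, and flags entries that rely on SHA-1 or the 1024-bit group1. Assumptions: `#` starts a comment line, keyword matching is case-insensitive, the last KEXs line wins, Any expands in the order of the list above, and the flagging policy is this example's own.

```python
# Names copied from the page's list of supported KEX algorithms.
SUPPORTED = [
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha224@ssh.com", "diffie-hellman-group14-sha256@ssh.com",
    "diffie-hellman-group15-sha256@ssh.com", "diffie-hellman-group15-sha384@ssh.com",
    "diffie-hellman-group16-sha384@ssh.com", "diffie-hellman-group16-sha512@ssh.com",
    "diffie-hellman-group18-sha512@ssh.com",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
]
ANY_STD = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
           "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
DEFAULT = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
           "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256@ssh.com"]
# Special values as described on the page; expansion order is an assumption.
SPECIAL = {"any": SUPPORTED, "anykex": SUPPORTED,
           "anystd": ANY_STD, "anystdkex": ANY_STD}

def effective_kexs(config_text):
    """Return (ordered KEX list, unknown names) for sshd2_config text."""
    value = None
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        # Assumptions: '#' starts a comment, keyword is case-insensitive,
        # and the last KEXs line wins.
        if (len(parts) == 2 and not parts[0].startswith("#")
                and parts[0].lower() == "kexs"):
            value = parts[1]
    if value is None:
        return list(DEFAULT), []  # no KEXs line: the page's default list
    ordered, unknown = [], []
    for name in (n.strip() for n in value.split(",")):
        if not name:
            continue
        for kex in SPECIAL.get(name.lower(), [name]):
            if kex not in SUPPORTED:
                unknown.append(kex)
            elif kex not in ordered:  # keep first position, drop repeats
                ordered.append(kex)
    return ordered, unknown

def audit(config_text):
    """Flag entries by this example's own policy, not a vendor rule."""
    ordered, unknown = effective_kexs(config_text)
    findings = [(k, "1024-bit group") for k in ordered if "-group1-" in k]
    findings += [(k, "SHA-1 hash") for k in ordered if k.endswith("-sha1")]
    return ordered, unknown, findings

# Constructed sample input, not taken from a real host.
SAMPLE = "# constructed sample\nKEXs     AnyStd,diffie-hellman-group14-sha256@ssh.com\n"
```

Calling `audit(SAMPLE)` shows that AnyStd brings in both diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, which an explicit list would let an administrator leave out.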