ssh server dh-exchange min-len

Function

The ssh server dh-exchange min-len command configures the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

The undo ssh server dh-exchange min-len command restores the default minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

By default, the minimum key length supported is 1024 bytes.

Format

ssh server dh-exchange min-len min-len

undo ssh server dh-exchange min-len

Parameters

Parameter | Description | Value
min-len | Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server. | The value can be 1024, 2048, or 3072, in bytes.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A Diffie-hellman-group-exchange key of 1024 bytes poses security risks. If the SSH client supports Diffie-hellman-group-exchange keys longer than 1024 bytes, run the ssh server dh-exchange min-len command to set the minimum key length to 2048 bytes to improve security.

Precautions

Security risks exist if the minimum Diffie-hellman-group-exchange key length is less than 2048 bytes. You are advised to set the minimum key length to 2048 bytes.

In V200R019C00 and later versions, when the device starts with the default configurations, it automatically applies the following configurations and saves them to the configuration file:
  • Run the ssh server dh-exchange min-len 2048 command to set the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client to 2048 bytes.
  • Run the ssh server cipher aes256_ctr aes128_ctr command to configure CTR encryption algorithms for an SSH server.
  • Run the ssh server hmac sha2_256 command to configure the HMAC SHA2_256 algorithm for an SSH server.
  • Run the ssh client cipher aes256_ctr aes128_ctr command to configure CTR encryption algorithms for an SSH client.
  • Run the ssh client hmac sha2_256 command to configure the HMAC SHA2_256 algorithm for an SSH client.
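
The following Python check is an added example, not part of the original page or of any Huawei tooling. It scans a saved configuration for the five settings listed above and reports deviations. It assumes the saved configuration holds each command on its own line in the form shown on this page; the sample configurations, and the extra algorithm keywords in WEAK, are constructed for illustration.

```python
import re

# Baseline taken from the five commands listed on this page.
MIN_DH_LEN = 2048
DEFAULT_DH_LEN = 1024  # page default, in effect when the command is absent
EXPECTED_ALGS = {
    "ssh server cipher": {"aes256_ctr", "aes128_ctr"},
    "ssh server hmac": {"sha2_256"},
    "ssh client cipher": {"aes256_ctr", "aes128_ctr"},
    "ssh client hmac": {"sha2_256"},
}

def audit_ssh_config(config_text):
    """Return a list of findings for a saved configuration (empty = compliant)."""
    dh_len = DEFAULT_DH_LEN
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        # An "undo ..." line or a missing line leaves the default in place.
        m = re.fullmatch(r"ssh server dh-exchange min-len (\d+)", line)
        if m:
            dh_len = int(m.group(1))
        for prefix in EXPECTED_ALGS:
            if line.startswith(prefix + " "):
                seen[prefix] = set(line[len(prefix):].split())
    findings = []
    if dh_len < MIN_DH_LEN:
        findings.append(f"dh-exchange min-len is {dh_len}, below {MIN_DH_LEN}")
    for prefix, allowed in EXPECTED_ALGS.items():
        if prefix not in seen:
            findings.append(f"'{prefix}' is not configured explicitly")
        elif seen[prefix] - allowed:
            extra = " ".join(sorted(seen[prefix] - allowed))
            findings.append(f"'{prefix}' also allows: {extra}")
    return findings

# Constructed samples, not from a real device. The keywords aes128_cbc and
# md5 in WEAK are assumed stand-ins for any algorithm outside the baseline.
HARDENED = """\
ssh server dh-exchange min-len 2048
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256
"""
WEAK = """\
ssh server cipher aes256_ctr aes128_cbc
ssh server hmac sha2_256 md5
"""
if __name__ == "__main__":
    print(audit_ssh_config(WEAK))
```

A configuration that lists only a subset of the baseline algorithms, or a min-len of 3072, passes the check.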

Example

# Set the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client to 2048 bytes.

<HUAWEI> system-view
[HUAWEI] ssh server dh-exchange min-len 2048
Copyright © Huawei Technologies Co., Ltd.