The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.
The undo ssh server key-exchange command restores the default configuration.
By default, an SSH server supports all key exchange algorithms.
ssh server key-exchange { dh_group14_sha256 | dh_group15_sha512 | dh_group16_sha512 | dh_group_exchange_sha256 }*
undo ssh server key-exchange
Parameter | Description | Value |
---|---|---|
dh_group14_sha256 | Specifies that the Diffie-hellman-group14_sha256 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
dh_group15_sha512 | Specifies that the Diffie-hellman-group15_sha512 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
dh_group16_sha512 | Specifies that the Diffie-hellman-group16_sha512 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
dh_group_exchange_sha256 | Specifies that the Diffie-hellman-group_exchange_sha256 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
Usage Scenario
An SSH server and a client need to negotiate a key exchange algorithm for the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the server receives a packet from the client, the server matches the key exchange algorithm list of the client against its local list and selects the first matched key exchange algorithm. If no key exchange algorithm matches, the negotiation fails.
Precautions
The security levels of key exchange algorithms are as follows, from high to low: dh_group16_sha512, dh_group15_sha512, dh_group_exchange_sha256, and dh_group14_sha256. The system software does not support the dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1 parameters. To use the dh_group_exchange_sha1, dh_group14_sha1, or dh_group1_sha1 parameter, you need to install the WEAKEA plug-in. For higher security, you are advised to use the other parameters.
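The negotiation in the usage scenario and the weak-algorithm precaution, as an added example (not vendor code): it audits one configuration line and shows which algorithm a given client offer would end up with. The SSH wire names, the RFC 4253 client-preference rule, the function names and the sample client offers are assumptions of this example.

```python
import re

# CLI keyword -> SSH wire name. The wire names (RFC 4419 / RFC 8268) are an
# assumption of this example; the page only lists the CLI keywords.
SUPPORTED = {
    "dh_group16_sha512": "diffie-hellman-group16-sha512",
    "dh_group15_sha512": "diffie-hellman-group15-sha512",
    "dh_group_exchange_sha256": "diffie-hellman-group-exchange-sha256",
    "dh_group14_sha256": "diffie-hellman-group14-sha256",
}
# Keywords the page says are only available with the WEAKEA plug-in.
WEAK = {"dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"}


def parse_config(line):
    """Split one 'ssh server key-exchange ...' line into (strong, weak, unknown)."""
    m = re.fullmatch(r"\s*ssh server key-exchange((?:\s+\S+)+)\s*", line)
    if not m:
        raise ValueError("not an 'ssh server key-exchange' line")
    strong, weak, unknown = [], [], []
    for kw in m.group(1).split():
        bucket = strong if kw in SUPPORTED else weak if kw in WEAK else unknown
        if kw not in bucket:  # ignore repeated keywords
            bucket.append(kw)
    return strong, weak, unknown


def negotiate(client_offer, server_keywords):
    """Return the first name in the client's offer that the server lists, or None.

    Assumes the RFC 4253 rule: the client's preference order decides.
    """
    server_names = {SUPPORTED[k] for k in server_keywords if k in SUPPORTED}
    for name in client_offer:
        if name in server_names:
            return name
    return None  # no common algorithm: the negotiation fails


if __name__ == "__main__":
    # Constructed sample config line and client offers.
    strong, weak, unknown = parse_config(
        "ssh server key-exchange dh_group14_sha256 dh_group16_sha512")
    modern = ["curve25519-sha256", "diffie-hellman-group16-sha512",
              "diffie-hellman-group14-sha256"]
    legacy = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
    print("modern client ->", negotiate(modern, strong))
    print("legacy client ->", negotiate(legacy, strong))
    print("weak keywords in config:", weak or "none")
```

A client that offers only SHA-1 groups gets `None` against this list, which is the negotiation failure the usage scenario describes.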