The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.
The undo ssh server key-exchange command restores the default configuration.
The device starts without configuration. The key exchange algorithm is customized by the product. After the undo command is executed, the SSH server uses the dh_group_exchange_sha256 key exchange algorithm by default.
Parameter | Description | Value |
---|---|---|
dh_group_exchange_sha256 | Specifies that the Diffie-hellman-group-exchange-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
dh_group_exchange_sha1 | Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
dh_group1_sha1 | Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
ecdh_sha2_nistp256 | Specifies that the Elliptic curve Diffie-hellman-sha2-nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
ecdh_sha2_nistp384 | Specifies that the Elliptic curve Diffie-hellman-sha2-nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
ecdh_sha2_nistp521 | Specifies that the Elliptic curve Diffie-hellman-sha2-nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
sm2_kep | Specifies that the SuperMemo 2 Key Exchange Protocol algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
dh_group14_sha1 | Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
dh_group16_sha512 | Specifies that the Diffie-hellman-group16-sha512 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
Usage Scenario
An SSH server and a client need to negotiate a key exchange algorithm for the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the list is configured, the server matches the key exchange algorithm list of a client against the local list after receiving a packet from the client and selects the first key exchange algorithm that matches the local list. If no key exchange algorithms in the list of the client match the local list, the negotiation fails.
This command takes effect for both IPv4 and IPv6 SSH clients.
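The selection rule described above can be modelled offline to check what a given server list will actually negotiate. This is an added example, not the device's own code: the mapping from CLI keywords to SSH wire names is an assumption based on the parameter descriptions, and the client proposals are constructed.

```python
# Added example: models the selection rule from "Usage Scenario".
# Assumption: CLI keywords map to the standard SSH wire names below
# (sm2_kep is left out because its wire name is not given on the page).
WIRE_NAME = {
    "dh_group_exchange_sha256": "diffie-hellman-group-exchange-sha256",
    "dh_group_exchange_sha1": "diffie-hellman-group-exchange-sha1",
    "dh_group1_sha1": "diffie-hellman-group1-sha1",
    "dh_group14_sha1": "diffie-hellman-group14-sha1",
    "dh_group16_sha512": "diffie-hellman-group16-sha512",
    "ecdh_sha2_nistp256": "ecdh-sha2-nistp256",
    "ecdh_sha2_nistp384": "ecdh-sha2-nistp384",
    "ecdh_sha2_nistp521": "ecdh-sha2-nistp521",
}


def server_offer(keywords):
    """Translate configured CLI keywords into the server's wire-name list."""
    unknown = [k for k in keywords if k not in WIRE_NAME]
    if unknown:
        raise ValueError(f"no wire name known for: {unknown}")
    return [WIRE_NAME[k] for k in keywords]


def negotiate(client_list, server_keywords):
    """Return the first client algorithm also on the server list, else None."""
    local = set(server_offer(server_keywords))
    for name in client_list:  # the client's order decides, not the server's
        if name in local:
            return name
    return None  # no overlap: negotiation fails


def sha1_based(server_keywords):
    """List configured keywords whose exchange hash is SHA-1."""
    return [k for k in server_keywords if WIRE_NAME[k].endswith("sha1")]


# Constructed client proposals (not captured traffic).
MODERN_CLIENT = ["curve25519-sha256", "diffie-hellman-group14-sha1",
                 "diffie-hellman-group16-sha512"]
LEGACY_CLIENT = ["diffie-hellman-group1-sha1"]

if __name__ == "__main__":
    mixed = ["dh_group16_sha512", "dh_group14_sha1"]
    hardened = ["dh_group16_sha512"]
    print("mixed list, modern client:   ", negotiate(MODERN_CLIENT, mixed))
    print("hardened list, modern client:", negotiate(MODERN_CLIENT, hardened))
    print("hardened list, legacy client:", negotiate(LEGACY_CLIENT, hardened))
    print("SHA-1 entries in mixed list: ", sha1_based(mixed))
```

Because the client's order drives the match, listing dh_group16_sha512 first on the server does not prevent a SHA-1 algorithm from being selected while that algorithm remains in the list.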
Precautions
To ensure high security, you can use key exchange algorithms such as dh_group16_sha512.