Configuring KEXs

The key exchange (KEX) algorithm(s) used for key exchange can be selected in the sshd2_config file. Multiple KEXs can be specified as a comma-separated list.

KEXs     diffie-hellman-group14-sha1,diffie-hellman-group14-sha224@ssh.com

The system will attempt to use the different KEX algorithms in the sequence they are specified on the line. The supported KEX algorithms are the following:

`diffie-hellman-group14-sha1`	`diffie-hellman-group16-sha384@ssh.com`
`diffie-hellman-group1-sha1`	`diffie-hellman-group16-sha512@ssh.com`
`diffie-hellman-group14-sha224@ssh.com`	`diffie-hellman-group18-sha512@ssh.com`
`diffie-hellman-group14-sha256@ssh.com`	`ecdh-sha2-nistp256`
`diffie-hellman-group15-sha256@ssh.com`	`ecdh-sha2-nistp384`
`diffie-hellman-group15-sha384@ssh.com`	`ecdh-sha2-nistp521`

Special values for this option are the following:

Any: includes all supported KEX algorithms.
AnyStd: includes the following KEXs from the IETF SSH standards: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1.
AnyKEX: the same as Any.
AnyStdKEX: the same as AnyStd.

The default KEX algorithms are: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256@ssh.com.