The ssh client key-exchange command configures a key exchange algorithm list on an SSH client.
The undo ssh client key-exchange command restores the default configuration.
By default, an SSH client supports Diffie-hellman-group-exchange-sha1, Diffie-hellman-group14-sha1, Diffie-hellman-group_exchange_sha256, Diffie-hellman-group14_sha256, Diffie-hellman-group15_sha512, Diffie-hellman-group16_sha512, Ecdh_sha2_nistp256, Ecdh_sha2_nistp384 and Ecdh_sha2_nistp521 key exchange algorithms.
ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha256 | dh_group14_sha256 | dh_group15_sha512 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 } *
undo ssh client key-exchange
| Parameter | Description | Value |
|---|---|---|
| dh_group_exchange_sha1 | Indicates that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| dh_group14_sha1 | Indicates that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| dh_group1_sha1 | Indicates that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| dh_group_exchange_sha256 | Specifies that the Diffie-hellman-group_exchange_sha256 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| dh_group14_sha256 | Specifies that the Diffie-hellman-group14_sha256 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| dh_group15_sha512 | Specifies that the Diffie-hellman-group15_sha512 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| dh_group16_sha512 | Specifies that the Diffie-hellman-group16_sha512 algorithm is contained in the key exchange algorithm list configured on the SSH client. | - |
| ecdh_sha2_nistp256 | Specifies that the Ecdh_sha2_nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH client. This parameter is supported in V600R007C20SPC601 and later versions. | - |
| ecdh_sha2_nistp384 | Specifies that the Ecdh_sha2_nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH client. This parameter is supported in V600R007C20SPC601 and later versions. | - |
| ecdh_sha2_nistp521 | Specifies that the Ecdh_sha2_nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH client. This parameter is supported in V600R007C20SPC601 and later versions. | - |
Usage Scenario
The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.
Precautions
The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha256, ecdh_sha2_nistp521, ecdh_sha2_nistp384, ecdh_sha2_nistp256, dh_group14_sha256, dh_group15_sha512, dh_group16_sha512, dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha256 algorithm is recommended.
The higher the security level of a key exchange algorithm, the longer the time required by the device to calculate the key. The dh_group14_sha256, dh_group15_sha512, dh_group16_sha512, and dh_group_exchange_sha256 key exchange algorithms have been added to the list in the factory configuration file.
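The negotiation described under Usage Scenario and the ranking under Precautions, as an added example that is not part of the original page: it simulates the "first matched algorithm" selection and builds a client list ordered by the page's security ranking. It assumes the RFC 4253 rule that the client's list order expresses preference, and the helper names (negotiate_kex, recommended_client_list, cli_command) are made up for this illustration.

```python
# Added example, not from the original page. Simulates SSH key exchange
# algorithm selection using the page's CLI parameter names.

# Default client list from the page, in the order the page gives it.
DEFAULT_CLIENT_KEX = [
    "dh_group_exchange_sha1", "dh_group14_sha1",
    "dh_group_exchange_sha256", "dh_group14_sha256",
    "dh_group15_sha512", "dh_group16_sha512",
    "ecdh_sha2_nistp256", "ecdh_sha2_nistp384", "ecdh_sha2_nistp521",
]

# Security ranking from the Precautions section, strongest first.
SECURITY_ORDER = [
    "dh_group_exchange_sha256", "ecdh_sha2_nistp521", "ecdh_sha2_nistp384",
    "ecdh_sha2_nistp256", "dh_group14_sha256", "dh_group15_sha512",
    "dh_group16_sha512", "dh_group_exchange_sha1", "dh_group14_sha1",
    "dh_group1_sha1",
]


def negotiate_kex(client_list, server_list):
    """Return the first algorithm in the client's list that the server also
    lists (RFC 4253 rule, assumed here), or None when nothing matches,
    which is the negotiation failure the page describes."""
    server_set = set(server_list)
    for alg in client_list:
        if alg in server_set:
            return alg
    return None


def sha1_entries(kex_list):
    """Entries the page ranks lowest: every SHA-1 based algorithm."""
    return [a for a in kex_list if a.endswith("_sha1")]


def recommended_client_list():
    """Default client algorithms reordered by the page's ranking, with the
    SHA-1 based entries removed."""
    return [a for a in SECURITY_ORDER
            if a in DEFAULT_CLIENT_KEX and not a.endswith("_sha1")]


def cli_command(kex_list):
    """Render the list as the command line shown in the syntax section."""
    return "ssh client key-exchange " + " ".join(kex_list)


if __name__ == "__main__":
    # Constructed server list: one SHA-1 and one SHA-256 algorithm.
    server = ["dh_group14_sha1", "dh_group_exchange_sha256"]
    print(negotiate_kex(DEFAULT_CLIENT_KEX, server))        # dh_group14_sha1
    print(negotiate_kex(recommended_client_list(), server))  # dh_group_exchange_sha256
    print(cli_command(recommended_client_list()))
```

With the default ordering the constructed server still ends up on dh_group14_sha1 even though both sides support dh_group_exchange_sha256, which is why the ordering of the configured list matters as much as its contents.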