The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.
The undo ssh server key-exchange command restores the default configuration.
By default, an SSH server supports the Diffie-hellman-group-exchange-sha1, Diffie-hellman-group14-sha1, Diffie-hellman-group_exchange_sha256, Diffie-hellman-group14_sha256, Diffie-hellman-group15_sha512, Diffie-hellman-group16_sha512, Ecdh_sha2_nistp256, Ecdh_sha2_nistp384, and Ecdh_sha2_nistp521 key exchange algorithms.
ssh server key-exchange { dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group1_sha1 | dh_group14_sha1 | dh_group14_sha256 | dh_group15_sha512 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 } *
undo ssh server key-exchange
| Parameter | Description | Value |
|---|---|---|
| dh_group_exchange_sha1 | Indicates that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| dh_group_exchange_sha256 | Indicates that the Diffie-hellman-group_exchange_sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| dh_group1_sha1 | Indicates that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| dh_group14_sha1 | Indicates that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| dh_group14_sha256 | Indicates that the Diffie-hellman-group14_sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| dh_group15_sha512 | Indicates that the Diffie-hellman-group15_sha512 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| dh_group16_sha512 | Indicates that the Diffie-hellman-group16_sha512 algorithm is contained in the key exchange algorithm list configured on the SSH server. | - |
| ecdh_sha2_nistp256 | Specifies that the Ecdh_sha2_nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH server. This parameter is supported in V600R007C20SPC601 and later versions. | - |
| ecdh_sha2_nistp384 | Specifies that the Ecdh_sha2_nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH server. This parameter is supported in V600R007C20SPC601 and later versions. | - |
| ecdh_sha2_nistp521 | Specifies that the Ecdh_sha2_nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH server. This parameter is supported in V600R007C20SPC601 and later versions. | - |
Usage Scenario
An SSH server and a client need to negotiate a key exchange algorithm that protects the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the list is configured, when the server receives the key exchange algorithm list of a client, it compares that list with the local list and selects the first algorithm in the client's list that also appears in the local list. If no key exchange algorithm in the client's list matches the local list, the negotiation fails.
Precautions
The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha256, ecdh_sha2_nistp521, ecdh_sha2_nistp384, ecdh_sha2_nistp256, dh_group14_sha256, dh_group15_sha512, dh_group16_sha512, dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha256 algorithm is recommended. The dh_group14_sha256, dh_group15_sha512, dh_group16_sha512, and dh_group_exchange_sha256 key exchange algorithms have been added to the list in the factory configuration file.
By default, the device does not support the undo ssh server key-exchange command and weak security algorithms such as dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. To use the undo ssh server key-exchange command and these algorithms, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
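The following is an added example (not Huawei's code and not part of this command reference) that models the two points made above: the negotiation rule from the Usage Scenario (first algorithm in the client's list that the server also supports, failure when there is no overlap) and the security ranking and weak-algorithm set from the Precautions. The ranking order and the three weak keywords are taken from this page; the mapping from CLI keywords to on-the-wire names uses the standard IANA SSH key exchange names, and the server and client lists in the usage section are constructed sample data.

```python
"""Key exchange negotiation model and list audit for 'ssh server key-exchange'.

Added example, not vendor code.  KEX_BY_SECURITY and WEAK_KEX come from the
Precautions text on the page; WIRE_NAME uses the IANA SSH kex algorithm names.
"""
from typing import Dict, List, Optional

# CLI keywords from highest to lowest security level, in the order the page gives.
KEX_BY_SECURITY: List[str] = [
    "dh_group_exchange_sha256",
    "ecdh_sha2_nistp521",
    "ecdh_sha2_nistp384",
    "ecdh_sha2_nistp256",
    "dh_group14_sha256",
    "dh_group15_sha512",
    "dh_group16_sha512",
    "dh_group_exchange_sha1",
    "dh_group14_sha1",
    "dh_group1_sha1",
]

# Keywords the page says are only available with the WEAKEA component package.
WEAK_KEX = {"dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"}

# CLI keyword -> algorithm name carried in SSH_MSG_KEXINIT (IANA registry names).
WIRE_NAME: Dict[str, str] = {
    "dh_group_exchange_sha1": "diffie-hellman-group-exchange-sha1",
    "dh_group_exchange_sha256": "diffie-hellman-group-exchange-sha256",
    "dh_group1_sha1": "diffie-hellman-group1-sha1",
    "dh_group14_sha1": "diffie-hellman-group14-sha1",
    "dh_group14_sha256": "diffie-hellman-group14-sha256",
    "dh_group15_sha512": "diffie-hellman-group15-sha512",
    "dh_group16_sha512": "diffie-hellman-group16-sha512",
    "ecdh_sha2_nistp256": "ecdh-sha2-nistp256",
    "ecdh_sha2_nistp384": "ecdh-sha2-nistp384",
    "ecdh_sha2_nistp521": "ecdh-sha2-nistp521",
}


def negotiate_kex(client_kex: List[str], server_kex: List[str]) -> Optional[str]:
    """Apply the rule from the Usage Scenario: walk the client's list in its
    preference order and return the first algorithm the server also supports.
    Returns None when nothing is shared, which the page says fails negotiation."""
    server_set = set(server_kex)
    for name in client_kex:
        if name in server_set:
            return name
    return None


def audit_kex_keywords(keywords: List[str]) -> dict:
    """Check a keyword list intended for 'ssh server key-exchange'.

    unknown:             entries that are not valid keywords of the command
    weak:                entries the page says need the WEAKEA package
    recommended_present: whether the page's recommended dh_group_exchange_sha256 is present
    strongest:           the highest-ranked keyword present (None if none valid)
    wire_names:          valid entries as wire names, strongest first
    """
    rank = {kw: i for i, kw in enumerate(KEX_BY_SECURITY)}
    unknown = [k for k in keywords if k not in rank]
    known = [k for k in keywords if k in rank]
    ordered = sorted(set(known), key=rank.__getitem__)
    return {
        "unknown": unknown,
        "weak": [k for k in known if k in WEAK_KEX],
        "recommended_present": "dh_group_exchange_sha256" in known,
        "strongest": ordered[0] if ordered else None,
        "wire_names": [WIRE_NAME[k] for k in ordered],
    }


if __name__ == "__main__":
    # Constructed server configuration: two strong groups plus one SHA-1 group.
    server_cfg = ["dh_group_exchange_sha256", "dh_group14_sha256", "dh_group14_sha1"]
    report = audit_kex_keywords(server_cfg)
    print("audit:", report)

    # Constructed client proposal in the client's own preference order.
    client = [
        "curve25519-sha256",
        "ecdh-sha2-nistp256",
        "diffie-hellman-group14-sha256",
        "diffie-hellman-group14-sha1",
    ]
    # The server does not offer the first two, so the third entry is selected.
    print("negotiated:", negotiate_kex(client, report["wire_names"]))
```

The audit is the defender's check: run it over the keyword list you intend to configure, and anything in `weak` is an algorithm the page ranks at the bottom and gates behind the WEAKEA package, so it should be there only by deliberate decision. Note that the selected algorithm depends on the client's order, not the server's, so leaving a SHA-1 group in the server list means any client that prefers it will get it.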