How do I specify the key exchange method in OpenSSH?
OpenSSH 5.7 introduced the KexAlgorithms option:
ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
configuration to allow selection of which key exchange methods are
used by ssh(1) and sshd(8) and their order of preference.
So if you have at least that version, you should be able to pass -oKexAlgorithms=<kex_list> to specify your preferences.
AFAICT, the OpenSSH client won't actually print out what kex algorithm was negotiated, but if you pass -vv and look at the kex_parse_kexinit lines, you can see the list of kex algorithms (as well as lists of encryption, MAC, etc. algorithms) supported by the client, followed by the lists supported by the server. In theory, the client will select the first algorithm in its list that also appears in the server's list (i.e., the selection favors the client's preference). So for client list a,b,c and server list c,b, the client chooses algorithm b.
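An added example, not part of the original answer or of OpenSSH: the selection rule described above, applied to -vv output to report which kex method a client/server pair would settle on and whether it is group1. It assumes the older debug layout in which each side prints its name-lists as kex_parse_kexinit lines with the kex list first; the function names are hypothetical and the log is constructed.

```python
import re

LINE = re.compile(r"^debug2: kex_parse_kexinit: ?(.*)$")
FLAGGED = {"diffie-hellman-group1-sha1"}  # the smaller MODP group from the question

def _side(kex):
    # One side's KEXINIT as -vv prints it (constructed): kex list first, then
    # host key, cipher x2, MAC x2, compression x2, empty language x2, trailers.
    lists = [kex, "ssh-rsa", "aes256-cbc", "aes256-cbc", "hmac-sha1",
             "hmac-sha1", "none", "none", "", ""]
    tail = ["first_kex_follows 0 ", "reserved 0 "]
    return ["debug2: kex_parse_kexinit: " + v for v in lists + tail]

def sample_log(client_kex, server_kex):
    # Constructed ssh -vv excerpt: the client's lists first, then the server's.
    return "\n".join(["debug1: SSH2_MSG_KEXINIT sent"]
                     + _side(client_kex) + _side(server_kex))

def kex_lists(log):
    """Return (client_kex, server_kex) name-lists parsed from ssh -vv output."""
    rows = [m.group(1).strip() for m in map(LINE.match, log.splitlines()) if m]
    # Drop the two non-list trailer fields that each side prints.
    rows = [r for r in rows
            if not r.startswith(("first_kex_follows", "reserved"))]
    if len(rows) < 2 or len(rows) % 2:
        raise ValueError("expected two equal-sized sets of kex_parse_kexinit lines")
    half = len(rows) // 2  # first half is the client, second half the server
    return rows[0].split(","), rows[half].split(",")

def negotiate(client, server):
    """First name in the client's list that the server also lists, else None."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def audit(log):
    """Return (chosen_kex, is_flagged) for one captured -vv log."""
    client, server = kex_lists(log)
    chosen = negotiate(client, server)
    return chosen, chosen in FLAGGED

if __name__ == "__main__":
    log = sample_log("diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
                     "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1")
    print(audit(log))
```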
Comments
-
benf over 1 year
I'm trying to understand how OpenSSH decides what key exchange method to use. What I don't see is how to specify the method. In addition, I know every ssh server/client is required to support at least two methods: diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, but it's unclear to me how the server and client choose between the two, given that each program must support both. I would think that in every case diffie-hellman-group14-sha1 is used since it has the larger MODP group.
I can specify the cipher and the MAC:
ssh <user@ip> -c aes256-cbc -m hmac-sha1
but looking in the manpages I don't see an equivalent option for the key exchange. Can someone 1) tell me a way to specify this 2) explain how ssh chooses the method? (I suspect it always picks the first in the list, meaning the second is never, ever selected)
-
benf about 10 years
Thank you, I missed that in the man pages. My second question was more along the lines of 'why is there even a -group1- option when both group14 and group1 are REQUIRED by the RFC?' The only reason I see that group1 would get selected is if someone manually specified it.
-
jjlin over 8 years
According to RFC 4253, Section 8.1, "[group1] MUST be supported for interoperability as all of the known implementations currently support it." So mainly to ensure backward compatibility at the time the RFC was written (2006), but group14 would be selected over group1 in any non-ancient client nowadays.