Show Contents / Index / Search

Key Exchange Pane

Getting there

From this pane, you can enable and disable key exchange algorithms. If you enable only some of the available algorithms, you need to ensure that you select those that are supported by your client(s). The following algorithms are available:

  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-gex-sha1
  • gss-group1-sha1 with Kerberos 5
  • gss-gex-sha1 with Kerberos 5

Secure Shell standards (RFC 4253) require all clients to support both diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1. Of these, diffie-hellman-group14-sha1 is more secure, but requires more time during the key exchange. diffie-hellman-gex-sha1 also improves security, and does not slow down the key exchange. However, it is not supported by all clients.

If you use GSSAPI authentication, you need to enable gss-group1-sha1 and/or gss-gex-sha1, depending on your client.

The following option is also available:


Rekey interval (seconds)

Specify the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey.

Related Topics

Data Protection