Key Exchange Pane

Getting there

From this pane, you can enable and disable key exchange algorithms. If you enable only some of the available algorithms, you need to ensure that you select those that are supported by your client(s). The following algorithms are available:

  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-gex-sha1
  • diffie-hellman-gex-sha256
  • gss-group1-sha1 with Kerberos 5
  • gss-gex-sha1 with Kerberos 5

Secure Shell standards (RFC 4253) require all clients to support both diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1. Of these, diffie-hellman-group14-sha1 is more secure, but requires more time during the key exchange. Both diffie-hellman-gex-sha256 and diffie-hellman-gex-sha1 also improve security, and do not slow down the key exchange. However, these are not supported by all clients.

If you use GSSAPI host and user authentication, you need to enable gss-group1-sha1 and/or gss-gex-sha1, depending on your client.

The following option is also available:


Rekey interval (seconds)

Specify the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey.

Related Topics

Supported Cryptographic Algorithms