Configure SSH Key-exchange

The SSH key-exchange configuration specifies the algorithms used to generate the one-time session keys for encryption and authentication with the SSH server.

See the online help on the device for the complete list of supported key exchange algorithms.

For backward compatibility, the string "dh-group-14" is also accepted in place of "diffie-hellman-group14-sha1".

  1. Enter global configuration mode.
    device# configure terminal
  2. Use the ssh server key-exchange command to set the key exchange algorithm for the server.
    You can use multiple key exchange algorithms by separating the string names with commas.
    device(config)# ssh server key-exchange diffie-hellman-group14-sha1,ecdh-sha2-nistp521
  3. Use the ssh client key-exchange command to set the key exchange algorithm for the client.
    You can use multiple key exchange algorithms by separating the string names with commas.
    device(config)# ssh client key-exchange diffie-hellman-group14-sha1,ecdh-sha2-nistp521
    The following ssh server and ssh client key exchange algorithms are supported in FIPS mode:
    • ecdh-sha2-nistp256
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group14-sha1
    The following ssh server and ssh client key exchange algorithms are supported in CC mode:
    • ecdh-sha2-nistp256
    • diffie-hellman-group14-sha1
  4. Restart the SSH server from EXEC mode using the ssh-server restart command for the new configuration to take effect.
    device(config)# exit
    device# ssh-server restart
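
An added check, not part of the vendor procedure: after the restart, the key-exchange list the server advertises can be read from its SSH_MSG_KEXINIT packet (RFC 4253) and compared with the FIPS-mode and CC-mode lists above. The packet below is constructed from the step 2 example string rather than captured from a device, and the function names are illustrative.

```python
import struct

# Allowed key-exchange names per mode, copied from the lists in this procedure.
ALLOWED = {
    "fips": {"ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256",
             "diffie-hellman-group14-sha1"},
    "cc": {"ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"},
}
SSH_MSG_KEXINIT = 20


def kex_algorithms(packet: bytes) -> list[str]:
    """Return the kex_algorithms name-list from one unencrypted KEXINIT packet."""
    if len(packet) < 6:
        raise ValueError("truncated packet")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if packet_len + 4 > len(packet) or pad_len + 1 > packet_len:
        raise ValueError("bad length fields")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    (n,) = struct.unpack(">I", payload[17:21])   # after type byte + 16-byte cookie
    if 21 + n > len(payload):
        raise ValueError("name-list overruns payload")
    names = payload[21:21 + n].decode("ascii")
    return names.split(",") if names else []


def disallowed(offered: list[str], mode: str) -> list[str]:
    """Algorithms offered that are not on this page's list for the given mode."""
    return [a for a in offered if a not in ALLOWED[mode]]


def build_sample(kex: str) -> bytes:
    """Constructed KEXINIT packet for offline testing (not captured traffic)."""
    lists = [kex.encode()] + [b""] * 9            # 10 name-lists, only kex filled
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    payload += b"".join(struct.pack(">I", len(x)) + x for x in lists)
    payload += b"\x00" + bytes(4)                 # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0                    # RFC 4253: at least 4 padding bytes
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)


if __name__ == "__main__":
    pkt = build_sample("diffie-hellman-group14-sha1,ecdh-sha2-nistp521")
    offered = kex_algorithms(pkt)
    for mode in ("fips", "cc"):
        print(mode, "not permitted:", disallowed(offered, mode))
```

Run against the step 2 example string, the check reports ecdh-sha2-nistp521 for both modes, because that algorithm is on neither the FIPS-mode nor the CC-mode list.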