KEX client and server list

The 7210 SAS supports key exchange (KEX) client and server lists. The user can add or remove the KEX client or server algorithms that the SSH application negotiates using an SSHv2 phase one handshake. The KEX list is an index list with the lower index having higher preference in the SSH negotiation. The lowest indexed algorithm in the list is negotiated first in SSH and is at the top of the negotiation list to the peer.

By default, the KEX list is empty and a hard-coded list that includes all supported algorithms in the following preference order is used:

  1. kex 200 name diffie-hellman-group16-sha512

  2. kex 210 name diffie-hellman-group14-sha256

  3. kex 215 name diffie-hellman-group14-sha1

  4. kex 220 name diffie-hellman-group-exchange-sha1

  5. kex 225 name diffie-hellman-group1-sha1

As soon as the user configures the KEX list, the 7210 SAS starts using the algorithms from the user-defined KEX list instead of the hard-coded list. To revert to the hard-coded list, the user must remove all configured KEX indexes until the list is empty.

Use the following CLI to configure the KEX server and client lists.

configure system security ssh server-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

configure system security ssh client-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

<index>              : [1..255]
<kex-name>           : diffie-hellman-group14-sha1 | diffie-hellman-group14-sha256 |
                       diffie-hellman-group16-sha512 | diffie-hellman-group-exchange-sha1 |
                       diffie-hellman-group1-sha1
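The following is an added Python model of the list behaviour described above; it is an example written for this page, not Nokia code, and it only assumes what the text states: entries are keyed by an index in [1..255], a lower index means higher preference, an empty user list falls back to the hard-coded default order, and SSHv2 picks the first algorithm on the client's list that the server also lists (RFC 4253, section 7.1). The `hardened_server_list` helper and the `KexList` class are illustrative names, not CLI commands.

```python
"""Model of the 7210 SAS KEX preference list and an SSHv2 KEX selection.

Added example, not the vendor's code. Assumptions (from the documentation):
- entries are indexed 1..255, lower index = higher preference,
- an empty user-defined list means the hard-coded default list is used,
- SSHv2 chooses the first client-preferred algorithm the server also supports.
"""
from __future__ import annotations

# Hard-coded default order quoted in the documentation (index -> kex-name).
DEFAULT_KEX_LIST = {
    200: "diffie-hellman-group16-sha512",
    210: "diffie-hellman-group14-sha256",
    215: "diffie-hellman-group14-sha1",
    220: "diffie-hellman-group-exchange-sha1",
    225: "diffie-hellman-group1-sha1",
}

SUPPORTED_KEX = set(DEFAULT_KEX_LIST.values())


class KexList:
    """One server-kex-list or client-kex-list table (illustrative class)."""

    def __init__(self) -> None:
        self._entries: dict[int, str] = {}

    def kex(self, index: int, name: str) -> None:
        """'kex <index> name <kex-name>': add or overwrite one entry."""
        if not 1 <= index <= 255:
            raise ValueError(f"index {index} outside [1..255]")
        if name not in SUPPORTED_KEX:
            raise ValueError(f"unsupported kex-name {name!r}")
        self._entries[index] = name

    def no_kex(self, index: int) -> None:
        """'no kex <index>': remove one entry."""
        self._entries.pop(index, None)

    def effective_order(self) -> list[str]:
        """Algorithms in negotiation order: the user list, or the defaults when it is empty."""
        table = self._entries or DEFAULT_KEX_LIST
        return [table[i] for i in sorted(table)]


def negotiate_kex(client_order: list[str], server_order: list[str]) -> str | None:
    """RFC 4253 7.1: the first algorithm in the client's list that the server also lists."""
    server_set = set(server_order)
    for name in client_order:
        if name in server_set:
            return name
    return None  # no common algorithm: the SSH connection fails


def hardened_server_list() -> KexList:
    """Constructed server list that keeps only the SHA-2 group14/group16 exchanges."""
    lst = KexList()
    lst.kex(10, "diffie-hellman-group16-sha512")
    lst.kex(20, "diffie-hellman-group14-sha256")
    return lst


if __name__ == "__main__":
    server = hardened_server_list()
    print(server.effective_order())
    # A constructed legacy client that only offers SHA-1 exchanges finds no match.
    legacy_client = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
    print(negotiate_kex(legacy_client, server.effective_order()))
    # Removing every configured index empties the list, so the defaults apply again.
    server.no_kex(10)
    server.no_kex(20)
    print(server.effective_order() == list(DEFAULT_KEX_LIST.values()))
```

Two points the model makes visible: a server list that drops the SHA-1 entries will refuse clients that only offer those exchanges, which is the intended effect of hardening but should be checked against the management hosts in use before rollout; and because the client's order decides the outcome, the client-kex-list on a 7210 SAS that initiates SSH sessions matters as much as the server-kex-list.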