KEX client and server list

SR OS supports KEX client and server lists. The user can add or remove the KEX client/server algorithms to be negotiated using an SSHv2 phase one handshake. The list is an indexed list in which a lower index has a higher preference in the SSH negotiation: the algorithm with the lowest index is placed at the top of the negotiation list sent to the peer and is negotiated first.

By default, the KEX list is empty and a hard-coded list containing all supported algorithms is used, with the following preference:

As soon as any algorithm is configured in the KEX list, SR OS starts using the user-defined KEX list instead of the hard-coded list. To go back to the hard-coded list, the user must remove all configured KEX indexes until the list is empty.

The CLI is in line with the cipher and MAC server/client lists and is as follows:

configure system security ssh server-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

configure system security ssh client-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

<index>              : [1..255]
<kex-name>           : diffie-hellman-group14-sha1 | diffie-hellman-group14-sha256 |
                       diffie-hellman-group16-sha512 |
                       diffie-hellman-group-exchange-sha1 | diffie-hellman-group1-sha1
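
The index ordering and the effect of removing an entry can be modeled offline before changing a node. The following is an added example, not SR OS or Nokia code: the function names, the sample server list and the peer's offer are constructed, and the selection rule is the simplified RFC 4253 section 7.1 rule (the first algorithm on the client's list that the server also lists).

```python
# Added example (not Nokia code): models the indexed KEX list described above.
# Algorithm names are the <kex-name> values from this page.
SUPPORTED = {
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
}

def offered_order(kex_list):
    """Map {index: kex-name} -> names in preference order (lowest index first).

    Returns None for an empty list: the hard-coded list is then in use.
    """
    if not kex_list:
        return None
    for index, name in kex_list.items():
        if not 1 <= index <= 255:
            raise ValueError(f"index {index} outside [1..255]")
        if name not in SUPPORTED:
            raise ValueError(f"unknown kex-name {name!r}")
    return [kex_list[i] for i in sorted(kex_list)]

def negotiate(client_order, server_order):
    """Simplified RFC 4253 section 7.1 rule (assumption): the first algorithm
    on the client's list that the server also lists is chosen."""
    return next((n for n in client_order if n in server_order), None)

def sha1_entries(order):
    """Entries whose hash is SHA-1, judged by the name suffix."""
    return [n for n in order if n.endswith("-sha1")]

# Constructed sample: a server-kex-list and a peer client's offer.
SERVER_KEX = {
    30: "diffie-hellman-group14-sha1",
    10: "diffie-hellman-group16-sha512",
    20: "diffie-hellman-group14-sha256",
}
PEER_CLIENT = ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"]

if __name__ == "__main__":
    server = offered_order(SERVER_KEX)
    print("server offers:", server)
    print("SHA-1 entries:", sha1_entries(server))
    print("negotiated:", negotiate(PEER_CLIENT, server))  # client preference wins
    del SERVER_KEX[30]  # models "no kex 30"
    print("after removal:", negotiate(PEER_CLIENT, offered_order(SERVER_KEX)))
```

In this model the peer's preferred SHA-1 algorithm is selected even though it has the highest index on the server side, so keeping an algorithm out of a session requires removing its index from the list, not just giving it a higher index.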