kex-alg

This command specifies the KEX algorithms in the SSH client profile for SSH encryption negotiation with an SFTP server.

Syntax

Add a KEX algorithm.
kex-alg algorithm
Delete a KEX algorithm.
no kex-alg algorithm
Clear all KEX algorithms to use the default algorithms.
no kex-alg

Parameters

algorithm
Specifies the SSH KEX algorithms to use in SSH communication. The order of algorithms is important. The server compares its list to the client list in order of preference. The first algorithm in the client list is chosen when it is also supported by the server.
The algorithms in the following table are supported. You can change the preference order of the KEX algorithms. When you enter an algorithm, use the value in the second column. The third column indicates whether the algorithm is a default algorithm.

Table 1. Supported SSH KEX algorithms in default order of preference

Algorithm                              Value to enter                         Is default?
curve25519-sha256@libssh.org           CURVE25519-SHA256_AT_LIBSSH.ORG        Yes
ecdh-sha2-nistp256                     ECDH-SHA2-NISTP256                     Yes
ecdh-sha2-nistp384                     ECDH-SHA2-NISTP384                     Yes
ecdh-sha2-nistp521                     ECDH-SHA2-NISTP521                     Yes
diffie-hellman-group-exchange-sha256   DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256   Yes

Guidelines

The kex-alg command specifies the key exchange (KEX) algorithms in the SSH client profile for SSH encryption negotiation with an SFTP server. An SSH client profile is associated with an SFTP client policy. Changes to the algorithms do not affect existing connections.

To create an SFTP client policy, use the sftp-policy command in the user agent configuration.

To specify multiple algorithms, run this command once for each algorithm. Adding a new algorithm does not delete existing ones; new algorithms are always appended to the end of the list, so the order in which you run the command is the order of preference.

You can use the no kex-alg command to clear all the algorithms in the profile. When all algorithms are cleared, the default algorithms are used. The default algorithms are the same as listed in the previous table.

This command is relevant when the profile-usage command is set to sftp.
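The following Python model is an added example, not IBM code and not part of this reference. It captures the two behaviours described above: the list semantics of kex-alg / no kex-alg (append, delete one entry, clear back to the defaults) and the negotiation rule from the Parameters section (the first algorithm in the client list that the server also supports is chosen, as in RFC 4253 section 7.1). The class name SshClientProfile, the assumption that a fresh profile starts with the default list, the silent skipping of duplicate entries, and the constructed server algorithm lists are all assumptions for illustration. The run_example function replays the second example from this page against a server that only offers diffie-hellman-group-exchange-sha256, which shows the practical effect of removing an algorithm: the client can no longer reach that server.

```python
"""Model of kex-alg list semantics and SSH KEX negotiation (added example)."""
from typing import Optional

# Default KEX algorithms in default order of preference (Table 1 on this page).
# Keys are the values entered on the CLI; values are the SSH wire names.
KEX_VALUE_TO_NAME = {
    "CURVE25519-SHA256_AT_LIBSSH.ORG": "curve25519-sha256@libssh.org",
    "ECDH-SHA2-NISTP256": "ecdh-sha2-nistp256",
    "ECDH-SHA2-NISTP384": "ecdh-sha2-nistp384",
    "ECDH-SHA2-NISTP521": "ecdh-sha2-nistp521",
    "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256": "diffie-hellman-group-exchange-sha256",
}
DEFAULT_KEX_VALUES = list(KEX_VALUE_TO_NAME)


class SshClientProfile:
    """Ordered KEX list with the semantics of the kex-alg command (hypothetical model)."""

    def __init__(self) -> None:
        # Assumption: a new profile starts with the default algorithms in default order.
        self._kex: list[str] = list(DEFAULT_KEX_VALUES)

    def kex_alg(self, value: str) -> None:
        """`kex-alg <value>`: append to the list; existing entries are never removed."""
        if value not in KEX_VALUE_TO_NAME:
            raise ValueError(f"unsupported KEX algorithm value: {value}")
        if value not in self._kex:  # assumption: re-adding an entry is a no-op
            self._kex.append(value)

    def no_kex_alg(self, value: Optional[str] = None) -> None:
        """`no kex-alg [value]`: delete one entry, or with no value reset to the defaults."""
        if value is None:
            self._kex = list(DEFAULT_KEX_VALUES)
        elif value in self._kex:
            self._kex.remove(value)

    def effective_kex(self) -> list[str]:
        """Wire names the client would offer in KEXINIT, in preference order."""
        return [KEX_VALUE_TO_NAME[v] for v in self._kex]


def negotiate_kex(client_list: list[str], server_list: list[str]) -> Optional[str]:
    """RFC 4253 s7.1: pick the first client-preferred algorithm the server also supports.

    Returns None when the lists share nothing; a real SSH connection fails at that point.
    """
    server_supported = set(server_list)
    for alg in client_list:
        if alg in server_supported:
            return alg
    return None


def run_example() -> dict:
    """Replay the page's second example against a constructed server list."""
    # Constructed server that only offers diffie-hellman-group-exchange-sha256.
    server_only_dh_gex = ["diffie-hellman-group-exchange-sha256"]

    profile = SshClientProfile()
    before = negotiate_kex(profile.effective_kex(), server_only_dh_gex)

    # Page example: clear all, then add the four ECDH-family algorithms in order.
    profile.no_kex_alg()
    for value in ("CURVE25519-SHA256_AT_LIBSSH.ORG", "ECDH-SHA2-NISTP256",
                  "ECDH-SHA2-NISTP384", "ECDH-SHA2-NISTP521"):
        profile.kex_alg(value)
    # The four entries must be re-added explicitly: no kex-alg alone restores
    # all five defaults, and the example drops only the DH group-exchange entry
    # by rebuilding the list without it.
    profile.no_kex_alg("DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256")
    after = negotiate_kex(profile.effective_kex(), server_only_dh_gex)

    return {"client_list": profile.effective_kex(), "before": before, "after": after}


if __name__ == "__main__":
    result = run_example()
    print("client offers:", result["client_list"])
    print("negotiated before change:", result["before"])
    print("negotiated after change: ", result["after"])
```

The ordering rule is visible in negotiate_kex: the client's order decides, not the server's, so the position in which you run kex-alg is the position in the offer. The run_example result also illustrates the caveat from the Guidelines that existing connections are unaffected: only the next negotiation uses the changed list.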

Examples

  • Delete the diffie-hellman-group-exchange-sha256 algorithm.
    # no kex-alg DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256
  • Clear all default algorithms and add the curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521 algorithms in order of preference.
    # no kex-alg
    # kex-alg CURVE25519-SHA256_AT_LIBSSH.ORG
    # kex-alg ECDH-SHA2-NISTP256
    # kex-alg ECDH-SHA2-NISTP384
    # kex-alg ECDH-SHA2-NISTP521