Diffie Hellman key exchange algorithms

Vikram Mhetre vmhetre at hotmail.com
Fri Sep 21 10:35:44 EST 2007

A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms:

(1) Are the diffie-hellman-group-exchange-sha256",
, "diffie-hellman-group14-sha1" "diffie-hellman-group1-sha1" (as
defined in RFCs 4253 and RFC 4419) the complete list of key exchange
algorithms supported by OpenSSH?

(2) Is there a way to configure the DH key exchange algorithms to be supported? For e.g. if we want to support only "diffie-hellman-group14-sha1",
is it possible to configure it? It looks like it is possible to
configure the data encryption algorithms (like AES) using the Ciphers
keyword and the data integrity algorithms (like HMAC-SHA-1) using the
MACs keyword in the sshd_config file. However there doesn't seem to be
a keyword to configure key exchange algorithms.

(3)  The /etc/primes file is used for the "diffie-hellman-group-exchange-sha256",
"diffie-hellman-group-exchange-sha1" algorithms. However if the primes
file does not exist does the SSH connection simply fail if one of these
two algorithms is chosen during the initial part of the setup. That is,
based on RFC 4419, since the server cannot choose a suitable prime
group (p,g) from the primes file (since it does not exist) will it
simply reject the SSH connection?


Gear up for Halo® 3 with free downloads and an exclusive offer. It’s our way of saying thanks for using Windows Live™.

More information about the openssh-unix-dev mailing list