Discuss this help topic in SecureBlackbox Forum

Configure Key Exchange algorithms

SSH specification and its derivatives offer support for a number of key exchange algorithms. Depending on your circumstances you might wish to use a particular set of key exchange algorithms or enable all supported algorithms at the same time. Note that in order for a particular algorithm to be used it must be supported by both client and server parties.

Each key exchange ("KEX") algorithm is represented by a constant in SBSSHConstants(.Unit) namespace: SSH_KEX_DH_GROUP, SSH_KEX_DH_GROUP_EXCHANGE and others. Universal aliases SSH_KEX_FIRST and SSH_KEX_LAST are defined to simplify iterating over the whole set of algorithms should there support for new algorithms be added in the future.

One of the approaches to enable a particular set of algorithms is to disable all algorithms and then enable only the ones you need:


for (int i = SBSSHConstants.Unit.SSH_KEX_FIRST; i <= SBSSHConstants.Unit.SSH_KEX_LAST; i++)
    Client.set_KexAlgorithms(i, false);
Client.set_KexAlgorithms(SBSSHConstants.Unit. SSH_KEX_DH_GROUP_EXCHANGE, true);
Client.set_KexAlgorithms(SBSSHConstants.Unit. SSH_KEX_DH_GROUP_14, true);

Currently DH-, ECDH-, RSA-, and GSS-based key exchange algorithms are supported, with DH- and ECDH- providing perfect forward secrecy. Support for other algorithms is likely to be added in future.

Note that enabling all supported algorithms may sometimes cause troubles with older or buggy server software. Setting AutoAdjustCiphers property to true might help overcome this problem.

You can get the identifier of the algorithm that was actually used for exchanging keys via the component's KexAlgorithm property. You can read it any time after the authentication phase has started.

How To articles about SFTP client

Discuss this help topic in SecureBlackbox Forum