Discuss this help topic in SecureBlackbox Forum

SSH: Configure Key Exchange algorithms

SSH specification and its derivatives offer support for a number of key exchange algorithms. Depending on your circumstances you might wish to use a particular set of key exchange algorithms or enable all supported algorithms at the same time. Note that in order for a particular algorithm to be used it must be supported by both client and server parties.

Each key exchange ("KEX") algorithm is represented by a constant in SBSSHConstants(.Unit) namespace: SSH_KEX_DH_GROUP, SSH_KEX_DH_GROUP_EXCHANGE and others. Universal aliases SSH_KEX_FIRST and SSH_KEX_LAST are defined to simplify iterating over the whole set of algorithms should there support for new algorithms be added in the future.

One of the approaches to enable a particular set of algorithms is to disable all algorithms and then enable only the ones you need:


for (int i = SBSSHConstants.Unit.SSH_KEX_FIRST; i <= SBSSHConstants.Unit.SSH_KEX_LAST; i++)
    Server.set_KexAlgorithms(i, false);
Server.set_KexAlgorithms(SBSSHConstants.Unit. SSH_KEX_DH_GROUP_EXCHANGE, true);
Server.set_KexAlgorithms(SBSSHConstants.Unit. SSH_KEX_DH_GROUP_14, true);

Please note that in order for RSA key exchange to be usable on the server you also need to provide an RSA private key which will be used for the key exchange (this is different from the host key). The key should be provided in addition to enabling the corresponding RSA SSH_KEX_ constants. Add your RSA key to a TElSSHMemoryKeyStorage object and assign the storage to the serverís KexKeyStorage property.

Currently DH-, ECDH-, RSA-, and GSS-based key exchange algorithms are supported, with DH- and ECDH- providing perfect forward secrecy. Support for other algorithms is likely to be added in future.

You can get the identifier of the algorithm that was actually used for exchanging keys via the component's KexAlgorithm property. You can read it any time after the authentication phase has started.

How To articles about SSH server

Discuss this help topic in SecureBlackbox Forum