Configuring an OpenSSH Server to Use the Key Exchange Methods Allowed by Command Central

By default, Command Central 10.7 and higher uses strong key exchange methods that meet the current security requirements for SSH connections. Command Central allows the following key exchange methods (listed in order of priority): diffie-hellman-group14-sha256 (highest), diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha1 (lowest).

You can also configure Command Central to allow the following key exchange methods, but only when the environment requires them. They are disabled by default because they are weak:

  • diffie-hellman-group1-sha1

  • diffie-hellman-group-exchange-sha1

For details about how to enable these additional key exchange methods in Command Central, see the Command Central Help.

If the OpenSSH server is not configured to use any of the key exchange methods allowed by Command Central, you can update the server configuration to accept one or more of the allowed methods.

To update the list of key exchange methods on the OpenSSH server:

  1. Locate the configuration file of the OpenSSH server.

    By default, the configuration file is located at the following path:

    • C:\ProgramData\SSH\sshd_config on machines running on Windows

    • /etc/ssh/sshd_config on machines running on UNIX

  2. Open the configuration file as root (UNIX) or Administrator (Windows).

  3. Add one of the following lines:

    • To add key exchange methods to the default server list:

      
      KexAlgorithms +<key_exchange_method1>,<key_exchange_method2>,...
      
      
    • To replace the key exchange methods in the default server list with the methods allowed by Command Central:

      
      KexAlgorithms <key_exchange_method1>,<key_exchange_method2>,...
      
      

    Where <key_exchange_method1>,<key_exchange_method2>,... is a comma-separated list of the key exchange methods to add to the OpenSSH server list or to use in place of it.

    • To remove key exchange methods from the default server list:

      
      KexAlgorithms -<key_exchange_method3>,<key_exchange_method4>,...
      
      
    
    

    Where <key_exchange_method3>,<key_exchange_method4>,... is a comma-separated list of the key exchange methods to remove from the OpenSSH server list.

  4. Save the file and restart OpenSSH:

    • On a Linux machine, run the following command to restart the SSH daemon:
    
    systemctl restart sshd
    
    
    • On a Windows machine, restart the OpenSSH service.

Example:

To add the “diffie-hellman-group18-sha512” key exchange method, include the following line in the sshd_config file of the OpenSSH server:


KexAlgorithms +diffie-hellman-group18-sha512

Save the file and restart OpenSSH.
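
To confirm the result after the restart, the following added example (not part of the Command Central documentation) reads the effective configuration that `sshd -T` prints and reports which of the key exchange methods listed on this page the server offers, including any of the weak ones. The function names and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Method lists are taken from this page; function names are illustrative.
# Methods Command Central allows by default, in its priority order.
CC_ALLOWED="diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha1"
# Methods the page calls weak (disabled by default in Command Central).
CC_WEAK="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# Read `sshd -T` output on stdin; print the effective KexAlgorithms, one per line.
server_kex() {
    awk 'tolower($1) == "kexalgorithms" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# Print each method of list $1 that the server list $2 (one per line) contains,
# keeping the order of $1.
intersect() {
    for m in $1; do
        if printf '%s\n' "$2" | grep -qxF -- "$m"; then printf '%s\n' "$m"; fi
    done
    return 0
}

# $1 = sshd -T output. Returns 0 if at least one Command Central default
# method is offered, 1 otherwise; also reports weak methods still offered.
check_kex() {
    offered=$(printf '%s\n' "$1" | server_kex)
    usable=$(intersect "$CC_ALLOWED" "$offered")
    weak=$(intersect "$CC_WEAK" "$offered")
    if [ -n "$weak" ]; then printf 'weak method offered: %s\n' $weak; fi
    if [ -z "$usable" ]; then echo "no Command Central method offered"; return 1; fi
    printf 'negotiable: %s\n' $usable
}

# Constructed sample of `sshd -T` output (not captured from a real server).
SAMPLE='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1'
check_kex "$SAMPLE"
# On a real host, as root: check_kex "$(sshd -T)"
```

Running `sshd -t` before the restart checks the edited file for syntax errors, so a mistyped KexAlgorithms line does not leave the daemon unable to start.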