services.openssh.settings.KexAlgorithms

Allowed key exchange algorithms

Uses the lower bound recommended in both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type
null or (list of string)
Default
[
  "mlkem768x25519-sha256"
  "sntrup761x25519-sha512"
  "sntrup761x25519-sha512@openssh.com"
  "curve25519-sha256"
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
]
Declared
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
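
To check that a running host offers nothing outside the default list above, the following added example (not part of nixpkgs or the original page) filters the effective configuration printed by `sshd -T`. The function names and the sample input are constructed for illustration; the input is assumed to be `sshd -T` output, where the list is already fully expanded.

```shell
#!/bin/sh
# Baseline: the Default list shown on this page, space separated.
BASELINE='mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256'

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,mlkem768x25519-sha256,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com'

# Reads `sshd -T` style output on stdin and prints, one per line, every
# key exchange algorithm the server offers that is not in BASELINE.
kex_outside_baseline() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, b, " ")
            for (i = 1; i <= n; i++) allowed[b[i]] = 1
        }
        tolower($1) == "kexalgorithms" {
            m = split($2, offered, ",")
            for (i = 1; i <= m; i++)
                if (offered[i] != "" && !(offered[i] in allowed))
                    print offered[i]
        }
    '
}

# Returns 0 when everything offered is in the baseline, 1 otherwise,
# listing the extra algorithms on stderr.
kex_check() {
    extra=$(kex_outside_baseline)
    [ -z "$extra" ] && return 0
    printf 'not in baseline: %s\n' $extra >&2
    return 1
}

# On a host (as root):  sshd -T | kex_check
# With the sample:      printf '%s\n' "$SAMPLE" | kex_check
```
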