Add configuration of key exchange algorithms for sshd
Add new config key "sshd.kex". The default and supported values are:
1. ecdh-sha2-nistp521
2. ecdh-sha2-nistp384
3. ecdh-sha2-nistp256
4. diffie-hellman-group-exchange-sha256
5. diffie-hellman-group-exchange-sha1,
6. diffie-hellman-group14-sha1
7. diffie-hellman-group1-sha1
With Bouncy Castle installed, all of the above are supported (previously
only 6 and 7). With JCE, only 7 is available.
Bug: Issue 3517
Change-Id: I6b44e88dc4a0ff8f693f21510aba30546bf4cd99
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 18a7a1f..810a690 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -3650,6 +3650,40 @@
+
By default, all supported MACs are available.
+[[sshd.kex]]sshd.kex::
++
+--
+Available key exchange algorithms. To permit multiple algorithms,
+specify multiple `sshd.kex` keys in the configuration file, one key
+exchange algorithm per key. Key exchange algorithm names starting
+with `+` are enabled in addition to the default key exchange
+algorithms, key exchange algorithm names starting with `-` are
+removed from the default key exchange algorithms.
+
+In the following example configuration, support for the 1024-bit
+`diffie-hellman-group1-sha1` key exchange is disabled while leaving
+all of the other default algorithms enabled:
+
+----
+[sshd]
+ kex = -diffie-hellman-group1-sha1
+----
+
+Supported key exchange algorithms:
+
+* `ecdh-sha2-nistp521`
+* `ecdh-sha2-nistp384`
+* `ecdh-sha2-nistp256`
+* `diffie-hellman-group-exchange-sha256`
+* `diffie-hellman-group-exchange-sha1`
+* `diffie-hellman-group14-sha1`
+* `diffie-hellman-group1-sha1`
+
+By default, all supported key exchange algorithms are available.
+Without Bouncy Castle, `diffie-hellman-group1-sha1` is the only
+available algorithm.
+--
+
[[sshd.kerberosKeytab]]sshd.kerberosKeytab::
+
Enable kerberos authentication for SSH connections. To permit
