Key exchange
Key exchange (KEX) is how an SSH client and server agree on a shared secret. TermZ negotiates a modern set by default and lets you widen it only where you need to — so you can connect to old switches and routers without lowering the bar for every other host.
The modern set
Section titled “The modern set”By default TermZ offers current, well-regarded algorithms:
- Curve25519
- ECDH over NIST P-256 / P-384 / P-521
- DH group14 / group16
Set a default
Section titled “Set a default”Settings → Sessions has a key-exchange picker that sets the default allowed KEX for all SSH sessions:
- Empty (default) — TermZ offers its full interoperability set, including legacy fallbacks. Best for maximum reach.
- Restricted — pick specific algorithms to require. This applies to every SSH session, so use it to enforce a modern-only policy.
Override per session
Section titled “Override per session”When one legacy device needs an older algorithm, don’t loosen the global default. Instead, open that session’s edit panel and set a per-session key-exchange override. The weaker set applies only to that session; everything else keeps the stricter default.
