Skip to content

Key exchange

Key exchange (KEX) is how an SSH client and server agree on a shared secret. TermZ negotiates a modern set by default and lets you widen it only where you need to — so you can connect to old switches and routers without lowering the bar for every other host.

By default TermZ offers current, well-regarded algorithms:

  • Curve25519
  • ECDH over NIST P-256 / P-384 / P-521
  • DH group14 / group16

Settings → Sessions has a key-exchange picker that sets the default allowed KEX for all SSH sessions:

  • Empty (default) — TermZ offers its full interoperability set, including legacy fallbacks. Best for maximum reach.
  • Restricted — pick specific algorithms to require. This applies to every SSH session, so use it to enforce a modern-only policy.

When one legacy device needs an older algorithm, don’t loosen the global default. Instead, open that session’s edit panel and set a per-session key-exchange override. The weaker set applies only to that session; everything else keeps the stricter default.