APIM Admin security team ran a security scan and found out that we were using the following Kex Algorithm:

• diffie-hellman-group-exchange-sha1

Release : CA API Gateway 10.1

Ultimately you can edit the:

SSH Client -> /etc/ssh/ssh_config

or the SSHD Server -> /etc/ssh/sshd_config 

and put the following uncommented out statement:

KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Then you need to recycle ssh:

service sshd restart

Then you can confirm with the local command:

sshd -T | grep -i kex 

and it will list what our SSHD accepts.  

Also you can confirm this with the following nmap command:

nmap -sV -p 22 --script ssh2-enum-algos <servername>