diff --git a/markbase-core/src/ssh_server/kex.rs b/markbase-core/src/ssh_server/kex.rs
index 682767a..9c42931 100644
--- a/markbase-core/src/ssh_server/kex.rs
+++ b/markbase-core/src/ssh_server/kex.rs
@@ -44,8 +44,8 @@ impl KexProposal {
     pub fn server_default() -> Self {
         // 参考OpenSSH KEX_SERVER定义
         Self {
-            // 密钥交换算法：优先Curve25519（推荐）
-            kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256".to_string(),
+            // 密钥交换算法：优先Curve25519（推荐） + strict KEX extension
+            kex_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com".to_string(),
             
             // 主机密钥算法：优先Ed25519
             server_host_key_algorithms: "ssh-ed25519,rsa-sha2-256,rsa-sha2-512".to_string(),
diff --git a/markbase-core/src/ssh_server/packet.rs b/markbase-core/src/ssh_server/packet.rs
index e12f788..a9ad185 100644
--- a/markbase-core/src/ssh_server/packet.rs
+++ b/markbase-core/src/ssh_server/packet.rs
@@ -15,6 +15,7 @@ pub enum PacketType {
     SSH_MSG_DEBUG = 4,
     SSH_MSG_SERVICE_REQUEST = 5,
     SSH_MSG_SERVICE_ACCEPT = 6,
+    SSH_MSG_EXT_INFO = 7,
     SSH_MSG_KEXINIT = 20,
     SSH_MSG_NEWKEYS = 21,
     
@@ -175,6 +176,7 @@ impl SshPacket {
             4 => Ok(PacketType::SSH_MSG_DEBUG),
             5 => Ok(PacketType::SSH_MSG_SERVICE_REQUEST),
             6 => Ok(PacketType::SSH_MSG_SERVICE_ACCEPT),
+            7 => Ok(PacketType::SSH_MSG_EXT_INFO),
             20 => Ok(PacketType::SSH_MSG_KEXINIT),
             21 => Ok(PacketType::SSH_MSG_NEWKEYS),
             30 => Ok(PacketType::SSH_MSG_KEXDH_INIT),
diff --git a/markbase-core/src/ssh_server/server.rs b/markbase-core/src/ssh_server/server.rs
index 88880de..1f16b5d 100644
--- a/markbase-core/src/ssh_server/server.rs
+++ b/markbase-core/src/ssh_server/server.rs
@@ -190,12 +190,20 @@ fn perform_ssh_auth(
         encryption_ctx.iv_stoc.len()
     );
     
-    let encrypted_request = EncryptedPacket::read(stream, encryption_ctx, true)?;  // Reading from client, use cipher_ctos
-    info!("Received encrypted SSH_MSG_SERVICE_REQUEST");
+    // OpenSSH strict KEX: SSH_MSG_EXT_INFO may be sent before SSH_MSG_SERVICE_REQUEST
+    let mut encrypted_request = EncryptedPacket::read(stream, encryption_ctx, true)?;
+    let payload = encrypted_request.payload();
+    
+    if payload[0] == PacketType::SSH_MSG_EXT_INFO as u8 {
+        info!("Received SSH_MSG_EXT_INFO, reading next packet");
+        encrypted_request = EncryptedPacket::read(stream, encryption_ctx, true)?;
+    }
     
     let payload = encrypted_request.payload();
+    info!("Received packet type: {}", payload[0]);
+    
     if payload[0] != PacketType::SSH_MSG_SERVICE_REQUEST as u8 {
-        return Err(anyhow!("Expected SSH_MSG_SERVICE_REQUEST"));
+        return Err(anyhow!("Expected SSH_MSG_SERVICE_REQUEST, got type {}", payload[0]));
     }
     
     use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};