From 07d8c8f0b7d343ec2e1e06334739008f82fd487e Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Thu, 20 Sep 2018 23:56:13 +0100
Subject: factory-default: Harden net-misc/openssh configuration
---
 factory-default/net-misc/openssh/etc/ssh/sshd_config | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'factory-default')
diff --git a/factory-default/net-misc/openssh/etc/ssh/sshd_config b/factory-default/net-misc/openssh/etc/ssh/sshd_config
index 8e7b4239..59f5fad9 100644
--- a/factory-default/net-misc/openssh/etc/ssh/sshd_config
+++ b/factory-default/net-misc/openssh/etc/ssh/sshd_config
@@ -10,7 +10,6 @@ Protocol 2
 
 
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Facility code that is used when logging messages
@@ -25,6 +24,15 @@ LoginGraceTime 5s
 # Disable root login
 PermitRootLogin no
 
+# Available KEX (Key Exchange) algorithms
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
+
+# Available ciphers
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+
+# Available MAC (message authentication code) algorithms
+MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
 # Check file modes and ownership of the user's files and home directory
 # before accepting login
 StrictModes yes
-- 
cgit v1.2.3
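Review bot: The added `KexAlgorithms`, `Ciphers` and `MACs` lines in the second hunk replace sshd's built-in defaults with fixed lists, and nothing in the hunk records which OpenSSH release they were chosen against or checks that the installed sshd accepts every name. An unknown algorithm name makes sshd reject the configuration at startup, which on a factory-default image would mean no remote access, so I would run `sshd -t -f` against the shipped file during the image build and add a comment such as `# Pinned lists override the built-in defaults; re-check against the installed OpenSSH release on each upgrade`. Both entries in `Ciphers` are AEAD modes, so the `MACs` list is not negotiated for them and only takes effect if a non-AEAD cipher is added later; the `# Available MAC` comment should say so. `KexAlgorithms` carries only the `@libssh.org` name for Curve25519, so a client offering just the standardized `curve25519-sha256` name would fall through to `ecdh-sha2-nistp521`; listing both names keeps Curve25519 preferred, provided the target sshd supports the newer name.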