From e4e59782ca42705340d425b3cd4c33a9983af42f Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Mon, 19 Nov 2018 15:01:11 -0500
Subject: [PATCH] Disabled RSA host key type (because small keys are generated by default), as well as ECDSA (due to suspicions of NSA-compromised P-curves). Enabled only strong key exchange, cipher, and MAC algorithms. See https://www.sshaudit.com/ and https://github.com/arthepsy/ssh-audit.
---
 etc/ssh/sshd_config | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index d70083a..169a87b 100644
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@@ -17,7 +17,7 @@ ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
@@ -115,6 +115,11 @@ AcceptEnv LANG LC_*
 #Subsystem sftp /usr/lib/openssh/sftp-server
 Subsystem sftp internal-sftp
+# Hardened set of key exchange, cipher, and MAC algorithms, as per .
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
 Match User root
 AuthenticationMethods publickey
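Review bot: Uncommenting only `HostKey /etc/ssh/ssh_host_ed25519_key` makes that file the sole host key sshd will load, so the daemon will refuse to start if the ed25519 key has not been generated on the host yet (for example on an image where only the RSA/ECDSA keys were created); the deployment should verify the file exists, or generate it with `ssh-keygen -A`, before this config is rolled out. It also means clients that do not offer ssh-ed25519 host-key verification can no longer connect, which is the intended trade-off but is worth stating in a comment next to the directive, e.g. `# Only the ed25519 host key is offered; clients without ssh-ed25519 support cannot connect.`. The surrounding HostKey section is otherwise unchanged in this hunk.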
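Review bot: The added comment `# Hardened set of key exchange, cipher, and MAC algorithms, as per .` has lost its reference and now ends in a dangling "as per ."; the sources named in the commit message should be put back, e.g. `# Hardened set of key exchange, cipher, and MAC algorithms, as per https://www.sshaudit.com/ (see also https://github.com/arthepsy/ssh-audit).`. The `KexAlgorithms` line lists only the libssh.org-suffixed name; OpenSSH 7.4 and later also recognise the standardised `curve25519-sha256` name, and listing both (`KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org`) keeps the same security level while avoiding a negotiation failure with clients that only advertise the standard name. Placing these three directives before `Match User root` is correct, since they are not permitted inside a Match block; a short comment saying so would stop a future edit from moving them.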