From f751093f265c411f20994546916319742d94c712 Mon Sep 17 00:00:00 2001
From: Israel Villar Boillos <israel.villar@ulpgc.es>
Date: Fri, 5 Jun 2026 22:37:29 +0100
Subject: [PATCH] Add CIS Debian 13 SSH KEX and MAC algorithm options

- sshd_strong_kex.var: add cis_debian13 option with the CIS Debian 13
  approved KEX algorithms. Includes mlkem768x25519-sha256 (ML-KEM /
  CRYSTALS-Kyber post-quantum algorithm) available in OpenSSH 9.9+
  which ships with Debian 13.
- sshd_strong_macs.var: add cis_debian13 option with the CIS Debian 13
  approved MAC algorithms (identical to cis_debian12).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 linux_os/guide/services/ssh/sshd_strong_kex.var  | 1 +
 linux_os/guide/services/ssh/sshd_strong_macs.var | 1 +
 2 files changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
index d4a78a3fe45e..2f5295003d6c 100644
--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -22,3 +22,4 @@ options:
     cis_ubuntu2404: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
     std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
     cis_debian12: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+    cis_debian13: mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
index a0a75f544ff8..988e89ff56fa 100644
--- a/linux_os/guide/services/ssh/sshd_strong_macs.var
+++ b/linux_os/guide/services/ssh/sshd_strong_macs.var
@@ -23,3 +23,4 @@ options:
     stig_rhel9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
     stig_ol9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
     cis_debian12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+    cis_debian13: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256