Merge pull request #750 from flyingcircusio/PL-131620-ssh-kex-algos

ssh: only allow strong KexAlgorithms
flyingcircusio · Jul 17, 2023 · 552f529 · 552f529
2 parents a6f1148 + a64c156
commit 552f529
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/nixos/platform/default.nix b/nixos/platform/default.nix
@@ -327,6 +327,13 @@ in {
       openssh.settings = {
         KbdInteractiveAuthentication = false;
         PasswordAuthentication = false;
+        KexAlgorithms = [
+          "sntrup761x25519-sha512@openssh.com"
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+        ];
       };
 
       telegraf.enable = mkDefault true;