From 6cb32faa8ce6e83434d3fb08d7e5fc8beb10dfca Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Sat, 28 Oct 2023 00:34:31 -0500
Subject: [PATCH] refactor(luna): only permit secure KexAlgos in ssh
---
 hosts/luna/modules/services/openssh.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosts/luna/modules/services/openssh.nix b/hosts/luna/modules/services/openssh.nix
index 93424d7..212114d 100644
--- a/hosts/luna/modules/services/openssh.nix
+++ b/hosts/luna/modules/services/openssh.nix
@@ -5,6 +5,13 @@
 settings = {
 PasswordAuthentication = false;
 PermitRootLogin = "prohibit-password";
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
 };
 ports = [
 2200
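Review bot: The new `KexAlgorithms` list is a fixed allowlist with no comment saying where the selection comes from or when it should be revisited. Setting it most likely replaces the NixOS module's default list rather than extending it (worth confirming against the module), so clients limited to group-exchange or group14 key exchange will fail to connect, and key exchanges added in later OpenSSH releases stay disabled until someone edits this list. I would add a comment above it such as `# Explicit KEX allowlist, replaces the module default; re-check against "ssh -Q kex" after OpenSSH upgrades`, and confirm the effective value with `sshd -T` from a second session before closing the current one. The enclosing attribute set starts above the hunk and the `ports` list continues below it.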