On Fri, 20 Apr 2018, Matt Taggart wrote:
> 
> Debian users wanting to drop support for the legacy crypto options
> mentioned previously in this bug can use the following:
> 
> =======================================================================
> HostKeyAlgorithms ssh-ed25519-cert-...@openssh.com, ssh-ed25519,\
>     ssh-rsa-cert-...@openssh.com, ssh-rsa-cert-...@openssh.com,ssh-rsa
> 
> KexAlgorithms curve25519-sha...@libssh.org,\
>     diffie-hellman-group-exchange-sha256
> 
> Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,
>     aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> 
> MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,\
>     umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,\
>     umac-...@openssh.com
> =======================================================================

There's also another way to do it (see `man 5 ssh{,d}_config'):

             If the specified value begins with a '-' character, then the
             specified methods (including wildcards) will be removed from the
             default set instead of replacing them.

introduced in version 7.5,
upstream commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59.

Note: all excluded values must be given on one line; example:

        KexAlgorithms -diffie-hellman-group14-sha1,ecdh-sha2-nistp*


Cheers,

-- 
Cristian
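
The note about keeping all exclusions on one line can be checked mechanically. The sketch below is an added example, not part of the original message and not OpenSSH code: it models the '-' removal with wildcards and reports later lines for the same keyword, relying on the man page rule that the first obtained value for a keyword is used. The default list and both config snippets are constructed samples, and `Match` blocks and includes are not handled.

```python
import fnmatch

# Constructed sample list (assumption): a stand-in for the compiled-in
# default set; on a real host use the defaults of that OpenSSH version.
SAMPLE_KEX_DEFAULTS = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# Constructed config snippets: exclusions on one line vs. split over two.
ONE_LINE = "KexAlgorithms -diffie-hellman-group14-sha1,ecdh-sha2-nistp*\n"
SPLIT = ("KexAlgorithms -diffie-hellman-group14-sha1\n"
         "KexAlgorithms -ecdh-sha2-nistp*\n")


def effective_algorithms(config_text, keyword, defaults):
    """Model one algorithm keyword; return (effective, ignored_values)."""
    values = []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if (len(parts) == 2 and not parts[0].startswith("#")
                and parts[0].lower() == keyword.lower()):
            values.append(parts[1].strip())
    if not values:
        return list(defaults), []
    first, ignored = values[0], values[1:]  # only the first value is used
    names = [n.strip() for n in first.lstrip("+-").split(",") if n.strip()]
    if first.startswith("-"):
        # Remove every default that matches any pattern. Algorithm names
        # contain no brackets, so fnmatch behaves like plain '*'/'?' here.
        effective = [a for a in defaults
                     if not any(fnmatch.fnmatchcase(a, p) for p in names)]
    elif first.startswith("+"):
        effective = list(defaults) + names  # '+' appends to the defaults
    else:
        effective = names  # a plain value replaces the default set
    return effective, ignored


if __name__ == "__main__":
    for label, text in (("one line", ONE_LINE), ("split", SPLIT)):
        kept, ignored = effective_algorithms(
            text, "KexAlgorithms", SAMPLE_KEX_DEFAULTS)
        print(label, "->", kept, "| ignored:", ignored)
```

A non-empty second element means a later line for that keyword never took effect, so the algorithms it was meant to exclude are still offered.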
