VerifyHostKeyDNS yes
HostbasedAcceptedAlgorithms -*rsa*,*sha*,*dsa*,*dss*
HostKeyAlgorithms -*rsa*,*sha*,*dsa*,*dss*
#Disable all DH, ECDH, and GSS key exchanges, only curve25519 is good
KexAlgorithms -diffie-hellman*,ecdh-sha2*,gss-g*
#Disable CBC ciphers, 128 and 192 bit ciphers, and chacha (prevent
#terrapin attack)
Ciphers -*cbc*,*128-*,*192-*,*chacha20-poly1305*
#Disable all MD5, 64-bit, 96-bit, SHA1 MACs, and a few remaining non-ETM MACs
#Note: MACs are only used with non-GCM ciphers, this option is specified in
#case OpenSSH adds a CTR cipher at a later date that IS affected by the MACs
#option
MACs -*-md5*,*-64*,*-96*,*-sha1*,umac-128@openssh.com,hmac-sha2-256*,hmac-sha2-512*
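
To see what the `-pattern` removal lists above actually leave enabled, the following added example (not part of the original configuration) applies them to a constructed sample of algorithm names. The sample lists and the helper name `remaining` are assumptions; list the names your own build supports with `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`.

```python
from fnmatch import fnmatchcase

# Constructed sample of algorithm names (assumption: resembles a recent
# OpenSSH client; your build's real lists come from `ssh -Q cipher|mac|kex`).
SAMPLE = {
    "Ciphers": [
        "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
        "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
        "aes128-cbc", "aes256-cbc",
    ],
    "MACs": [
        "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
        "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512",
        "hmac-sha1", "hmac-md5",
    ],
    "KexAlgorithms": [
        "sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
        "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha256",
    ],
}

# Removal lists copied from the configuration above.
CONFIG = {
    "Ciphers": "-*cbc*,*128-*,*192-*,*chacha20-poly1305*",
    "MACs": "-*-md5*,*-64*,*-96*,*-sha1*,umac-128@openssh.com,"
            "hmac-sha2-256*,hmac-sha2-512*",
    "KexAlgorithms": "-diffie-hellman*,ecdh-sha2*,gss-g*",
}

def remaining(option):
    """Apply a '-pattern,...' value: drop every name matching any pattern.

    fnmatchcase stands in for OpenSSH's own '*' / '?' matcher (assumption:
    equivalent for these patterns, which contain no '[' characters).
    """
    value = CONFIG[option]
    if not value.startswith("-"):
        raise ValueError("only the '-' (remove from defaults) form is handled")
    patterns = value[1:].split(",")
    return [name for name in SAMPLE[option]
            if not any(fnmatchcase(name, p) for p in patterns)]

if __name__ == "__main__":
    for opt in CONFIG:
        print(opt, "->", ", ".join(remaining(opt)))
```

On this sample the MACs list keeps only `umac-128-etm@openssh.com`, because `hmac-sha2-256*` and `hmac-sha2-512*` also match the `-etm@openssh.com` variants. `ssh -G <host>` prints the effective values a real client resolves for a given host.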