Harden SSH and enable post-quantum key exchange (sntrup761x25519-sha512) for system and Forgejo

2026-03-19 00:05:12 +01:00 · 2026-03-19 00:05:12 +01:00 · f646c091cc
commit f646c091cc
parent abf2080f91
2 changed files with 18 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -24,6 +24,20 @@
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
+      KexAlgorithms = [
+        "sntrup761x25519-sha512@openssh.com"
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+      ];
+      Ciphers = [
+        "chacha20-poly1305@openssh.com"
+        "aes256-gcm@openssh.com"
+      ];
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
    };
  };