From 14ad745d53b2c823840f91ba7d2b8ab5ca82975a Mon Sep 17 00:00:00 2001
From: CompuRoot <CompuRoot@users.noreply.github.com>
Date: Fri, 19 Jan 2024 16:35:41 +0000
Subject: [PATCH] Update openssh.md

Removed vulnerable `Ciphers` and `MAC` to prevent [Terrapin attack](https://terrapin-attack.com/)
---
 docs/guidelines/openssh.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/guidelines/openssh.md b/docs/guidelines/openssh.md
index dd94981..98546ed 100644
--- a/docs/guidelines/openssh.md
+++ b/docs/guidelines/openssh.md
@@ -31,11 +31,11 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
 # Password based logins are disabled - only public key based logins are allowed.
 AuthenticationMethods publickey