-
-
Notifications
You must be signed in to change notification settings - Fork 203
Arch
joe81tx edited this page Dec 29, 2025
·
5 revisions
Tested against:
- OpenSSH 10.2
By default Arch does not enable the ssh server. If you already have it enabled you can skip the first step and proceed to the printf command.
sudo systemctl enable sshd --now
printf "KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,[email protected],curve25519-sha256,[email protected]\nCiphers [email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr\nMACs [email protected],[email protected],[email protected]\nHostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\nCASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\nHostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\nPubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n" | sudo tee /etc/ssh/sshd_config.d/01-hardened-ssh.conf
sudo rm -f /etc/ssh/ssh_host_*
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
sudo systemctl restart sshd
mkdir -p -m 0700 ~/.ssh; printf "\nHost *\n Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\n\n KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,[email protected],curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs [email protected],[email protected],[email protected]\n\n HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256\n\n PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256\n" >> ~/.ssh/config