VerifyHostKeyDNS yes
HostbasedAcceptedAlgorithms -*rsa*,*sha*,*dsa*,*dss*
HostKeyAlgorithms -*rsa*,*sha*,*dsa*,*dss*
#Disable all DH, ECDH, and GSS key exchanges, only curve25519 is good
KexAlgorithms -diffie-hellman*,ecdh-sha2*,gss-g*
#Disable CBC ciphers, 128 and 192 bit ciphers, and cahacha (prevent
#terrapin attack)
Ciphers -*cbc*,*128-*,*192-*,*chacha20-poly1305*
#Disable all MD5, 64-bit, 96-bit, SHA1 MACs, and a few remaining non-ETM MACs
#Note: MACs are only used with non-GCM ciphers, this option is specified in-
#case OpenSSH adds a CTR cipher at a later date that IS affected by the MACs
#option
MACs -*-md5*,*-64*,*-96*,*-sha1*,umac-128@openssh.com,hmac-sha2-256*,hmac-sha2-512*