From 0b6e5e017ea05cfd5a05aa3dbba634adf466d9a5 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Sat, 12 Apr 2025 11:28:02 -0400
Subject: [PATCH] sshd: use mlkem768x25519-sha256 for key exchange

The default was switched from sntrup761x25519-sha512@openssh.com to
mlkem768x25519-sha256 in OpenSSH 10.0. It's much faster and also matches
the new default TLS key exchange algorithm for OpenSSL 3.5.0.
---
 ssh/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssh/sshd_config b/ssh/sshd_config
index 753f396..4ec265d 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -20,7 +20,7 @@ IPQoS af21 af11
 
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKeyAlgorithms ssh-ed25519
-KexAlgorithms sntrup761x25519-sha512@openssh.com
+KexAlgorithms mlkem768x25519-sha256
 PubkeyAcceptedKeyTypes ssh-ed25519
 Ciphers aes256-gcm@openssh.com
 MACs -*