From 9751d3f8e92e2ccd11777cfd50eac8afeb664964 Mon Sep 17 00:00:00 2001
From: Sven Velt
Date: Fri, 30 Sep 2022 20:36:39 +0200
Subject: [PATCH] Use sntrup761x25519-sha512@openssh.com beginning with 8.5

---
 README.md            | 10 ++++++----
 vars/ssh_8.2.yml     | 31 +++++++++++++++++++++++++++++++
 vars/ssh_8.3.yml     |  1 +
 vars/ssh_8.4.yml     |  1 +
 vars/ssh_default.yml |  7 ++++---
 5 files changed, 43 insertions(+), 7 deletions(-)
 create mode 100644 vars/ssh_8.2.yml
 create mode 120000 vars/ssh_8.3.yml
 create mode 120000 vars/ssh_8.4.yml

diff --git a/README.md b/README.md
index d1e1440..0bfa0c8 100644
--- a/README.md
+++ b/README.md
@@ -54,11 +54,13 @@ SSH versions
 - 8.1: Suse 15.2
 - 8.2: Ubuntu 20.04 "focal"
 - 8.3:
-- 8.4: Debian 11 "bullseye", Fedora 33, Suse 15.3
-- 8.5:
-- 8.6: Fedora 34
+- 8.4: Alpine 3.13, Debian 11 "bullseye", Fedora 33, OpenSUSE 15.3/15.4
+- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
+- 8.6: Alpine 3.14, Fedora 34
 - 8.7: Fedora 35
-- 8.8: Archlinux, Voidlinux
+- 8.8: Alpine 3.15, Fedora 36
+- 8.9: Ubuntu 22.04 "jammy"
+- 9.0: Archlinux, Voidlinux, Alpine 3.16, Ubuntu 22.10 "kinetic"
 
 License
 -------
diff --git a/vars/ssh_8.2.yml b/vars/ssh_8.2.yml
new file mode 100644
index 0000000..e2b1310
--- /dev/null
+++ b/vars/ssh_8.2.yml
@@ -0,0 +1,31 @@
+# 8.2: Ubuntu 20.04
+# 8.4: Debian 11 & Suse 15.3
+
+ssh_hardening_opts:
+  KexAlgorithms:
+    - curve25519-sha256
+    - curve25519-sha256@libssh.org
+    - diffie-hellman-group16-sha512
+    - diffie-hellman-group18-sha512
+    - diffie-hellman-group-exchange-sha256
+  Ciphers:
+    - chacha20-poly1305@openssh.com
+    - aes256-gcm@openssh.com
+    - aes128-gcm@openssh.com
+    - aes256-ctr
+    - aes192-ctr
+    - aes128-ctr
+  MACs:
+    - hmac-sha2-256-etm@openssh.com
+    - hmac-sha2-512-etm@openssh.com
+    - umac-128-etm@openssh.com
+  HostKeyAlgorithms:
+    - ssh-ed25519
+    - ssh-ed25519-cert-v01@openssh.com
+    - sk-ssh-ed25519@openssh.com
+    - sk-ssh-ed25519-cert-v01@openssh.com
+    - rsa-sha2-512
+    - rsa-sha2-512-cert-v01@openssh.com
+    - rsa-sha2-256
+    - rsa-sha2-256-cert-v01@openssh.com
+
diff --git a/vars/ssh_8.3.yml b/vars/ssh_8.3.yml
new file mode 120000
index 0000000..8a29ec4
--- /dev/null
+++ b/vars/ssh_8.3.yml
@@ -0,0 +1 @@
+ssh_8.2.yml
\ No newline at end of file
diff --git a/vars/ssh_8.4.yml b/vars/ssh_8.4.yml
new file mode 120000
index 0000000..8a29ec4
--- /dev/null
+++ b/vars/ssh_8.4.yml
@@ -0,0 +1 @@
+ssh_8.2.yml
\ No newline at end of file
diff --git a/vars/ssh_default.yml b/vars/ssh_default.yml
index 9d6be5d..1c314fa 100644
--- a/vars/ssh_default.yml
+++ b/vars/ssh_default.yml
@@ -2,10 +2,11 @@
 # 8.4: Debian 11 & Suse 15.3
 # 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
 # 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)
-# 8.8: Arch/Void
+# 8.9: Ubuntu 22.04
 
 ssh_hardening_opts:
   KexAlgorithms:
+    - sntrup761x25519-sha512@openssh.com
     - curve25519-sha256
     - curve25519-sha256@libssh.org
     - diffie-hellman-group16-sha512
@@ -27,8 +28,8 @@ ssh_hardening_opts:
     - ssh-ed25519-cert-v01@openssh.com
     - sk-ssh-ed25519@openssh.com
     - sk-ssh-ed25519-cert-v01@openssh.com
-    - rsa-sha2-256
     - rsa-sha2-512
-    - rsa-sha2-256-cert-v01@openssh.com
     - rsa-sha2-512-cert-v01@openssh.com
+    - rsa-sha2-256
+    - rsa-sha2-256-cert-v01@openssh.com
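Review bot: The two header comments of the new vars/ssh_8.2.yml (`# 8.2: Ubuntu 20.04`, `# 8.4: Debian 11 & Suse 15.3`) are copied from ssh_default.yml and do not say why the file exists, even though ssh_8.3.yml and ssh_8.4.yml are symlinked to it later in the patch. I would replace them with `# OpenSSH 8.2 - 8.4 (Ubuntu 20.04, Debian 11, Suse 15.3)` and `# Same policy as ssh_default.yml minus sntrup761x25519-sha512@openssh.com, which needs OpenSSH >= 8.5`. The cipher, MAC and host-key lists are otherwise a hand-made copy of the default policy, so every later hardening change to ssh_default.yml has to be mirrored here by hand; a comment naming the sibling file makes that drift risk visible to the next maintainer.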
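Review bot: The context comments `# 8.4: Debian 11 & Suse 15.3`, `# 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)` and `# 8.7: ... to 8.4` in the first ssh_default.yml hunk are now misleading, because this file gains `sntrup761x25519-sha512@openssh.com`, which the subject line ties to OpenSSH 8.5, while 8.2 to 8.4 are routed to vars/ssh_8.2.yml elsewhere in the patch. File line 1 is outside the hunk and presumably still reads `# 8.2: Ubuntu 20.04`, as in the new ssh_8.2.yml. I would rewrite the header as `# OpenSSH >= 8.5: sntrup761x25519-sha512@openssh.com available` followed by the 8.6, 8.7 and 8.9 notes comparing to 8.5 rather than 8.4. Whether versions without a dedicated vars file (8.5, 8.8, 9.0) actually fall back to this file depends on include logic not shown in the patch, so that is worth confirming.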