From a924bcf6e7b40aaecf8fabc8d6106dc6f66743b8 Mon Sep 17 00:00:00 2001
From: jeroen <jeroen@laylo.io>
Date: Tue, 23 Aug 2022 11:29:52 +0200
Subject: [PATCH] Update SECURITY.md: mention the cipher config

---
 SECURITY.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index f08bf5d..5edd6f5 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -26,4 +26,10 @@ This Gitea instance is configured following best practices, in order to thwart l
 
 - Official commits (eg, in the laylo/docs repository) are GPG signed, and MFA is enforced for accounts with write access).
 - Backups are made every 24 hours, using a 'pull mechanism'. This server does **NOT** have access to the backup repository.
-- SSH is hardened (PKI authentication, MFA via hardware tokens, highest level ciphersuites).
+- SSH is hardened (PKI authentication, MFA via hardware tokens).
+- SSH ciphers are hardened, these are in use:
+
+	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+	HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com