remove or append a kexalgorithms or a hostkeyalgorithms in "/etc/ssh/sshd_config"

Question

I need to modify the default list of kexalgorithms or a hostkeyalgorithms in "/etc/ssh/sshd_config" by explicitly mentioning both the not required algos as well as the required ones.

http://manpages.ubuntu.com/manpages/bionic/man5/sshd_config.5.html tells:- if the specified value begins with a ‘+’ character, then the specified methods will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them.

For eg: I need to remove just the diffie-hellman* from the default list, so in "/etc/ssh/sshd_config" i tried these 3 syntax individually

KexAlgorithms -diffie-hellman*
KexAlgorithms -"diffie-hellman*"
KexAlgorithms "-diffie-hellman*"

However none of these syntax is working..

Answer 1

sshd does not support wildcards and you have to list them individually. Check what is default currently, e.g. in man pages or here:

sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256

Then either removes one you would like to:

KexAlgorithms -diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Or explicitely list those you would like to have

KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

You can audit your setup using ssh-audit tool.