defaults: enable secure defaults on sshd_config

openssh/defaults.yaml

@@ -10,6 +10,26 @@ openssh:
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
   root_group: root
+  KexAlgorithms:
+    - 'curve25519-sha256@libssh.org'
+    - 'diffie-hellman-group-exchange-sha256'
+  Ciphers:
+    - 'chacha20-poly1305@openssh.com'
+    - 'aes256-gcm@openssh.com'
+    - 'aes128-gcm@openssh.com'
+    - 'aes256-ctr'
+    - 'aes192-ctr'
+    - 'aes128-ctr'
+  MACs:
+    - 'hmac-sha2-512-etm@openssh.com'
+    - 'hmac-sha2-256-etm@openssh.com'
+    - 'hmac-ripemd160-etm@openssh.com'
+    - 'umac-128-etm@openssh.com'
+    - 'hmac-sha2-512'
+    - 'hmac-sha2-256'
+    - 'hmac-ripemd160'
+    - 'umac-128@openssh.com'
+
 sshd_config: {}
 ssh_config:
   Hosts: