openssh: added pq-kex

wiki/linux/openssh.md

@@ -10,6 +10,8 @@ This section addresses the usage of OpenSSH.
 
 To generate new ssh keys simply run `ssh-keygen -t ed25519` or
 `ssh-keygen -t rsa -b 4096`.
+For security reasons the Ed25519 is more secure, even if the key length is far smaller than its RSA
+counterpart.
 
 The keys can then be added to the authentication agent by as described in the
 [corresponding article](#adding-keys-to-authentication-agent)
@@ -173,3 +175,18 @@ kill <process-id>
 
 Files that are based on a remote server can be mounted as described in
 [the corresponding section](#mount-directory-with-sshfs) to setup complete remote development.
+
+### Specify Key Exchange Algorithms
+
+It can be useful to specify the key exchange algorithms in the OpenSSH config file `~/.ssh/config`.
+Some key exchange algorithms are more secure regarding post-quantum attacks.
+The following configuration prefers and enforces hybrid post-quantum–resistant key exchange
+algorithms (`mlkem768x25519-sha256` and  `sntrup761x25519-sha512`).
+A modern classical fallback (`curve25519-sha256`) is included for compatibility.
+This can be considered a form on
+[system hardening](/wiki/linux/system-hardening.md#specific-steps-to-harden-a-system).
+
+```
+Host *
+    KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256
+```

wiki/linux/system-hardening.md

@@ -10,3 +10,12 @@ data.
   list of security flaws of your system
 - [arch-audit](https://gitlab.archlinux.org/archlinux/arch-audit) is a tool to find vulnerabilities
   known to the [Arch](/wiki/linux/arch-linux.md) Security Team.
+
+## Specific Steps to Harden a System
+
+The following points are steps that harden a system.
+
+- For [OpenSSH](/wiki/linux/openssh.md) enable hybrid post-quantum key exchange algorithms as
+  described in the [corresponding entry](/wiki/linux/openssh.md#specify-key-exchange-algorithms).
+  Using hybrid post-quantum-safe key exchange methods reduces the risk of so called "store-now,
+  decrypt-later" attacks.