[CentOS] sshd key exchange security

Fri Sep 11 15:35:49 UTC 2015
Alice Wonder <alice at domblogger.net>

I was reading https://weakdh.org/sysadmin.html

They also have a very interesting paper as a PDF.

Anyway it appears that most ssh servers, when using DHE key exchange, 
use the 1024-bit Oakley Group 2 and there is suspicion the NSA has done 
the pre-computations needed to passively decrypt any tls communication 
using DHE with that particular prime group.

They recommend setting the following:

KexAlgorithms curve25519-sha256 at libssh.org

I don't even see that directive in my sshd config to set it, I suppose 
it may be one that is manually added when needed but I want to verify it 
actually means something in CentOS 7 ssh.

Also I'm a little worried that maybe curve25519 is one of the curves 
that Red Hat (and thus CentOS 7) doesn't support due to patent concerns.

If it is, is there a suggestion on what curve should be used instead?