From f7f609fde9bf0ff81abe75ba74c9959edac60c9c Mon Sep 17 00:00:00 2001
From: Corbin Bartsch
Date: Thu, 15 Sep 2022 10:37:26 -0400
Subject: [PATCH] Update README

---
 README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/README.md b/README.md
index facf992..4265280 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,55 @@
 # ansible-role-openssh
 Sensible and secure defaults for OpenSSH server.
+
+## Defaults
+
+The defaults provided in this role are compliant with the [Mozilla Modern](https://infosec.mozilla.org/guidelines/openssh) for OpenSSH 6.7+
+
+If you are running this role with older versions of OpenSSH, such as version 5.3 on RHEL or CentOS 6, you will need to override the defaults elsewhere (i.e. in your `group_vars` or `host_vars`). Below are a few Mozzila recommendations.
+
+### Mozilla Modern
+This is the default in this role.
+
+```yaml
+ssh_kexalgorithms:
+ - curve25519-sha256@libssh.org
+ - ecdh-sha2-nistp521
+ - ecdh-sha2-nistp384
+ - ecdh-sha2-nistp256
+ - diffie-hellman-group-exchange-sha256
+
+ssh_ciphers:
+ - chacha20-poly1305@openssh.com
+ - aes256-gcm@openssh.com
+ - aes128-gcm@openssh.com
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
+
+ssh_macs:
+ - hmac-sha2-512-etm@openssh.com
+ - hmac-sha2-256-etm@openssh.com
+ - umac-128-etm@openssh.com
+ - hmac-sha2-512
+ - hmac-sha2-256
+ - umac-128@openssh.com
+```
+
+### Mozilla Intermediate
+```yaml
+ssh_hostkey_file: /etc/ssh/ssh_host_rsa_key
+ssh_hostkey_file: /etc/ssh/ssh_host_ecdsa_key
+
+ssh_kexalgorithms:
+ - diffie-hellman-group-exchange-sha256
+
+ssh_ciphers:
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
+
+ssh_macs:
+ - hmac-sha2-512
+ - hmac-sha2-256
+```