- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
-# Disable DSA host keys because they are weak (only 1024 bit) and elliptic
-# curves. I don't need certificates, therefore disable those algorithms as
-# well (*-cert-*).
- HostKeyAlgorithms ssh-rsa
+ MACs hmac-sha2-512-etm@openssh.com
+# Disable ssh-rsa which is vulnerable to recent chosen prefix attacks against
+# SHA1 [1][2]. Disable elliptic curves whose security regarding the parameters
+# is still in debate. I don't need certificates, therefore disable those
+# algorithms as well (*-cert-*).
+#
+# [1]: https://www.openssh.com/txt/release-8.2
+# [2]: "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
+# Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020)
+# https://eprint.iacr.org/2020/014.pdf
+ HostKeyAlgorithms rsa-sha2-512
+# Also disable weak algorithms for public key authentication. Use a blacklist
+# because multiple algorithms might be already in use.
+ PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com