#!/bin/bash

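set -euo pipefail

# Enable a restricted KexAlgorithms / Ciphers set in sshd_config on CentOS 7
# and Debian 8. Each directive is appended only when no active line for that
# keyword exists. The result is checked with `sshd -t` before sshd is
# reloaded, and the pre-change file is kept as a backup so a rejected
# configuration is rolled back instead of leaving sshd unable to re-read its
# config on reload.
#
# Environment:
#   SSHD_CONFIG  config file to manage (default: /etc/ssh/sshd_config)

# shellcheck disable=SC1091
. /etc/os-release

readonly sshd_config="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Directive lines to add; the surrounding newlines are written by
# append_directive, so the values hold only the directive itself.
readonly kex_centos="KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
readonly kex_debian8="KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256"
readonly ciphers="Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Report whether sshd_config already has an active line for a keyword.
# sshd keywords are case-insensitive, may be indented, and may be followed
# by whitespace or '='; a commented-out line does not count as active.
# Globals:   sshd_config (read)
# Arguments: $1 - keyword, e.g. KexAlgorithms
# Returns:   0 if an active line exists, 1 otherwise
#######################################
has_directive() {
  local keyword=$1
  grep -qiE "^[[:space:]]*${keyword}[[:space:]=]" -- "$sshd_config"
}

#######################################
# Append one directive line to sshd_config.
# Globals:   sshd_config (written)
# Arguments: $1 - full directive line
#######################################
append_directive() {
  # The leading newline guards against a file whose last line has none.
  printf '\n%s\n' "$1" >> "$sshd_config"
}

#######################################
# Select the lists for this release, apply the missing directives, validate
# the result and reload sshd only when the file actually changed.
# Globals:   ID, VERSION_ID (read, from /etc/os-release)
# Returns:   0 on success or nothing to do; exits 1 on failure
#######################################
main() {
  local kex
  case "${ID:-}:${VERSION_ID:-}" in
    centos:7) kex=$kex_centos ;;
    debian:8) kex=$kex_debian8 ;;
    *)
      # Unsupported release: leave the configuration untouched, as before.
      printf 'unsupported release "%s %s"; nothing changed\n' "${ID:-?}" "${VERSION_ID:-?}" >&2
      exit 0
      ;;
  esac

  local -a pending=()
  has_directive KexAlgorithms || pending+=("$kex")
  has_directive Ciphers || pending+=("$ciphers")
  if (( ${#pending[@]} == 0 )); then
    exit 0  # already configured: do not touch the file or reload sshd
  fi

  [[ -w "$sshd_config" ]] || die "cannot write $sshd_config"

  # Backup sits next to the config (not /tmp) so it inherits the
  # directory's root-only permissions; mktemp avoids clobbering an older one.
  local backup
  backup=$(mktemp -- "${sshd_config}.bak.XXXXXX") || die "cannot create backup next to $sshd_config"
  cp -p -- "$sshd_config" "$backup"

  local directive
  for directive in "${pending[@]}"; do
    append_directive "$directive"
  done

  # Validate before reload: a rejected directive (for example one appended
  # after a trailing Match block, or an algorithm this OpenSSH build does not
  # know) would otherwise make sshd fail to re-exec on SIGHUP and stop
  # accepting new connections.
  local sshd_bin
  sshd_bin=$(command -v sshd) || sshd_bin=/usr/sbin/sshd
  if ! "$sshd_bin" -t -f "$sshd_config"; then
    cp -p -- "$backup" "$sshd_config"
    die "new sshd_config failed validation; original restored from $backup"
  fi

  # A reload failure after a validated config is worth surfacing rather
  # than being swallowed.
  systemctl reload sshd || die "config updated but 'systemctl reload sshd' failed (backup: $backup)"
  printf 'sshd_config updated; backup kept at %s\n' "$backup"
}

main "$@"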
