I have an OpenSSH server that multiple machines connect to. I’m already hardening the SSH server setup to not allow old/weak crypto.
Now I would like to require post-quantum (PQ) hybrid methods (mlkem768x25519-sha256 and friends) set in KexAlgorithms for all clients.
But I do have one client which has an old version of SSH and which I can’t upgrade. So I was wondering if I can allow certain KexAlgorithms only for certain clients on the server side?
From reading the documentation on sshd_config, the Match statement does not support KexAlgorithms.
Is there another way? Or do I have to run multiple sshd instances for that?