diff --git a/configs/sshd/sshd-pfs_config b/configs/sshd/sshd-pfs_config
index 7f48da4..235f84e 100644
--- a/configs/sshd/sshd-pfs_config
+++ b/configs/sshd/sshd-pfs_config
@@ -1,11 +1,55 @@
-# Specifies the ciphers allowed for protocol version 2.
-# The default is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,
-# arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-# aes256-cbc,arcfour
-Ciphers aes256-ctr
-
-# Specifies the available MAC (message authentication code) algorithms.
-# The default is: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,
-# hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
-# hmac-sha2-512-96
-MACs hmac-sha2-512
+# COMPATIBILITY
+# The below options are compatible with OpenSSH 6.6+, PuTTY 0.64+, and AbsoluteTelnet 9.84+ (RC10 at 2015-03-09)
+
+# Only allow secure host keys for authentication
+# No DSA (weak), no ECDSA (avoid NIST; re http://blog.cr.yp.to/20140323-ecdsa.html)
+# Drop the default-generated 2048-bit RSA key, and use the new 4096 instead
+# Re ED21159 vs RSA 4096: http://security.stackexchange.com/questions/90077/ssh-key-ed25519-vs-rsa
+# Create the 4096 key with sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa4096 < /dev/null
+HostKey /etc/ssh/ssh_host_ed25519
+HostKey /etc/ssh/ssh_host_rsa4096
+
+# Specify strong key exchange algorithms; preferrably curve25519, but allow DHG-SHA256 for compatibility
+# Curve25519 isn't using NIST curves (yay), and is immune to several side-channel attacks: http://ed25519.cr.yp.to/
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+# Specify strong ciphers: chacha or aes256-GCM for authenticated encryption; aes256-CTR for compatibility
+# Prefer Chacha20 (also allow strong AES): http://googleonlinesecurity.blogspot.co.nz/2014/04/speeding-up-and-strengthening-https.html
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+
+# Specify strong MAC's, preferring Encrypt-then-MAC methods; strong SHA2 for compatibility
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+# Restrict incoming connections to authenticate with Pubkey authentication only
+# Uncomment once you've created and tested your public & private keys
+# PasswordAuthentication no
+
+# Only allow members of the ssh-user group to connect to this server
+# Uncomment once you've created an ssh-user group and added expected users to the group
+# AllowGroups ssh-user
+
+# Limit the grace time for logins to as short as possible in your situation.
+# For fast connections & pubkey authentication, this can go down to ~5 seconds
+# Warning: a low grace time can make slow connections timeout before the connection is completed
+LoginGraceTime 30
+
+# Disable SSHv1
+Protocol 2
+
+# Prevent the root user from logging on remotely; helps keep the root account safe from brute-force attacks
+PermitRootLogin no
+
+# Ensures file permissions for keys etc are all OK before accepting login
+StrictModes yes
+
+# Setting Logging to VERBOSE will log key fingerprints on login; helps with access auditing!
+# From https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_server
+LogLevel VERBOSE
+
+# Using 'sandbox' mode further restricts the pre-authentication process, limiting system calls
+# See http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd/Makefile?rev=1.73&content-type=text/x-cvsweb-markup
+UsePrivilegeSeparation sandbox
+
+# Disable additional access vectors proivded by PAM
+# You COULD use PAM to provide more sophisticated security, but if you're not, just disable it
+UsePAM no
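Review bot: `KexAlgorithms` keeps `diffie-hellman-group-exchange-sha256` as the compatibility fallback, but nothing in the file says that group exchange draws its primes from `/etc/ssh/moduli`, which on OpenSSH releases of this era may still list groups well under 2048 bits. I would add a comment above that line such as `# DH-GEX uses /etc/ssh/moduli: remove entries below 2048 bits before relying on this fallback`, otherwise the fallback can be weaker than the rest of the profile suggests. Separately, `HostKey /etc/ssh/ssh_host_ed25519` points at a non-default file name and only the RSA key has a creation command, so a host without that file will log a load failure, and sshd will not start if neither key exists. A matching `# Create the Ed25519 key with sudo ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519` would close that gap. The comment above `UsePAM no` should also say that it turns off PAM account and session processing for every authentication type, not only PAM-based authentication.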