Add mlkem768x25519-sha256 from SSH 9.9

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-## [10.5.0](https://github.com/dev-sec/ansible-collection-hardening/tree/10.5.0) (2025-12-14)
+## [10.5.0](https://github.com/dev-sec/ansible-collection-hardening/tree/10.5.0) (2025-12-23)
 
 [Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/10.4.0...10.5.0)
 
@@ -14,6 +14,7 @@
 
 **Merged pull requests:**
 
+- chore\(deps\): update ansible/ansible-lint digest to a2bc8b8 [\#924](https://github.com/dev-sec/ansible-collection-hardening/pull/924) ([renovate[bot]](https://github.com/apps/renovate))
 - chore\(deps\): update actions/setup-python digest to 83679a8 [\#920](https://github.com/dev-sec/ansible-collection-hardening/pull/920) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] ([renovate[bot]](https://github.com/apps/renovate))
 - chore\(deps\): update actions/checkout action to v6 [\#919](https://github.com/dev-sec/ansible-collection-hardening/pull/919) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] ([renovate[bot]](https://github.com/apps/renovate))
 - fix: replace deprecated community.general.yaml callback plugin [\#918](https://github.com/dev-sec/ansible-collection-hardening/pull/918) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] ([Normo](https://github.com/Normo))

roles/ssh_hardening/tasks/crypto_kex.yml

@@ -18,3 +18,8 @@
   ansible.builtin.set_fact:
     ssh_kex: "{{ ssh_kex_85_default }}"
   when: sshd_version is version('8.5', '>=')
+
+- name: Set kex according to openssh-version if openssh >= 9.9
+  ansible.builtin.set_fact:
+    ssh_kex: "{{ ssh_kex_99_default }}"
+  when: sshd_version is version('9.9', '>=')

roles/ssh_hardening/vars/main.yml

@@ -52,3 +52,9 @@ ssh_kex_85_default:
   - sntrup761x25519-sha512@openssh.com
   - curve25519-sha256@libssh.org
   - diffie-hellman-group-exchange-sha256
+
+ssh_kex_99_default:
+  - mlkem768x25519-sha256
+  - sntrup761x25519-sha512@openssh.com
+  - curve25519-sha256@libssh.org
+  - diffie-hellman-group-exchange-sha256