diff --git a/diskimage_builder/elements/openssh-server/README.rst b/diskimage_builder/elements/openssh-server/README.rst
index 7190deab..45192152 100644
--- a/diskimage_builder/elements/openssh-server/README.rst
+++ b/diskimage_builder/elements/openssh-server/README.rst
@@ -3,6 +3,10 @@ openssh-server
 ==============
 This element ensures that openssh server is installed and enabled during boot.
 
+To disable hardening of sshd configuration, you have to set
+``DIB_OPENSSH_SERVER_HARDENING`` to 0. This option will configure KexAlgorithms,
+Ciphers and MAC following good pratices on
+https://infosec.mozilla.org/guidelines/openssh
 
 Note
 ----
diff --git a/diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config b/diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config
new file mode 100755
index 00000000..ddb541ca
--- /dev/null
+++ b/diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config
@@ -0,0 +1,30 @@
+#!/bin/bash
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+if [ ${DIB_OPENSSH_SERVER_HARDENING:-1} -eq 1 ]; then
+    macs="MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
+    ciphers="Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+    kexalgorithms="KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+
+    if ! grep -qE "^MACs" /etc/ssh/sshd_config; then
+        sed -i "/# Ciphers and keying/a $macs" /etc/ssh/sshd_config
+    elif ! grep -qE "$macs" /etc/ssh/sshd_config; then
+        sed -i "s/^MACs.*/$macs/" /etc/ssh/sshd_config
+    fi
+
+    if ! grep -qE "^Ciphers" /etc/ssh/sshd_config; then
+        sed -i "/# Ciphers and keying/a $ciphers" /etc/ssh/sshd_config
+    elif ! grep -qE "$ciphers" /etc/ssh/sshd_config; then
+        sed -i "s/^Ciphers.*/$ciphers/" /etc/ssh/sshd_config
+    fi
+
+    if ! grep -qE "^KexAlgorithms" /etc/ssh/sshd_config; then
+        sed -i "/# Ciphers and keying/a $kexalgorithms" /etc/ssh/sshd_config
+    elif ! grep -qE "$kexalgorithms" /etc/ssh/sshd_config; then
+        sed -i "s/^KexAlgorithms.*/$kexalgorithms/" /etc/ssh/sshd_config
+    fi
+fi
diff --git a/releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml b/releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml
new file mode 100644
index 00000000..03edf3ee
--- /dev/null
+++ b/releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - a new post-install script was added in openssh-server element to ensure
+    KexAlgorithms, Ciphers and MACs for sshd_config will be configured following
+    good pratices on https://infosec.mozilla.org/guidelines/openssh. This option
+    is activated by default, users can set DIB_OPENSSH_SERVER_HARDENING to 0 to
+    disable this sshd configuration