diff --git a/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb b/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb
index d3b0ee374e..19177eac11 100644
--- a/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb
+++ b/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb
@@ -123,9 +123,13 @@ Subsystem	sftp	 /usr/libexec/openssh/sftp-server
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 DenyUsers admin secadmin operator
-# Filtered cipher and MAC list, defaults can be obtained by ssh -Q cipher and ssh -Q mac
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
 MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 
 # This Match block prevents Password Authentication for root user
 Match User root