diff --git a/roles/common/templates/sshd_config_Ubuntu-16.04.j2 b/roles/common/templates/sshd_config_Ubuntu-16.04.j2
index a58f814..688adbc 100644
--- a/roles/common/templates/sshd_config_Ubuntu-16.04.j2
+++ b/roles/common/templates/sshd_config_Ubuntu-16.04.j2
@@ -85,9 +85,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 
-# https://stribika.github.io/2015/01/04/secure-secure-shell.html
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
+# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}