[Bug 3881] New: Warning should mention client too

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Oct 13 15:02:54 AEDT 2025 

https://bugzilla.mindrot.org/show_bug.cgi?id=3881

            Bug ID: 3881
           Summary: Warning should mention client too
           Product: Portable OpenSSH
           Version: 10.2p1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jidanni at jidanni.org

Regarding this warning:

** WARNING: connection is not using a post-quantum key exchange
algorithm.
** This session may be vulnerable to "store now, decrypt later"
attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

Sometimes it is not the "server may need to be upgraded."

Sometimes it is...

###
Thank you for contacting Dream Host support, my name is Kym. I'd be
glad                             
to help!                                                                

Sorry to hear about the issues. What's happening here is due to changes 
in your local OpenSSH client, not anything that changed on DreamHost's  
servers. The newest OpenSSH versions have tightened their security      
defaults and now warn when older ssh-rsa host keys (which use the SHA-1 
algorithm) are still cached locally. DreamHost's servers already
support                             
newer and stronger key types like ED25519 and ECDSA, but your client
will                            
continue to use the older one saved in your ~/.ssh/known_hosts file
until                            
you update it.                                                          

To resolve this, you just need to refresh the stored host key on your   
computer. Run the command ssh-keygen -R jidanni.org to remove the       
outdated key, then connect again with ssh -vv jidanni.org and accept
the                             
new ED25519 key when prompted. If you've ever connected using another   
alias, like the server's full hostname (servername.dreamhost.com),
you'll                            
want to remove that entry too. Also, check your ~/.ssh/config file and  
make sure there aren't any lines forcing old algorithms such as         
HostkeyAlgorithms +ssh-rsa.                           
###

Therefore the message needs to be enhanced.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list