Plans for post-quantum-secure signature algorithms for host and public key authentication?

[Aaron Rainbolt]

I'm currently writing some documentation for a work project, and part
of my job has involved doing a (somewhat over my head) deep dive into
the security properties of various cryptography-related algorithms in
OpenSSH and which ones are likely to be superior to others in various
scenarios. In the process of doing this, I noted that it seems OpenSSH
supports post-quantum-secure algorithms for symmetric encryption, key
exchange, and message authentication codes, but notably lacks a
post-quantum-secure signature algorithm for host key and public key
authentication. As I understand it (keep in mind I am not a
cryptographer by any means), this means that an attacker with a
sufficiently powerful quantum computer could, in the future, MITM SSH
connections or spoof trusted client devices.

Are there any plans to integrate a post-quantum-secure signature
algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?

(Unrelated, the "About openssh-unix-dev" page [1] claims that the list
is open for non-subscribers, but my first attempt at sending this was
rejected with "Posting by non-members to openssh-unix-dev at mindrot.org
is currently disabled, sorry." It might be useful to correct the page
so people know to subscribe first.)

[1] https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/c6704789/attachment.asc>