openssh.com/pq.html: warning even without explicit kex config?
Stuart Henderson
stu at spacehopper.org
Sun Oct 12 07:13:33 AEDT 2025
On 2025/10/11 19:19, SCOTT FIELDS via openssh-unix-dev wrote:
> What is the exact warning you’re getting?
the only warning which refers to pq.html is this one
static void
warn_nonpq_kex(void)
{
	logit("** WARNING: connection is not using a post-quantum key exchange algorithm.");
	logit("** This session may be vulnerable to \"store now, decrypt later\" attacks.");
	logit("** The server may need to be upgraded. See https://openssh.com/pq.html");
}
the warning is currently disabled if you set KexAlgorithms in config
to anything other than the default, or if you set WarnWeakCrypto to
'no' or 'no-pq-kex'.
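
An added example, not part of the original message or of OpenSSH: because the warning can be silenced by configuration, an audit can instead read the negotiated key exchange from `ssh -v` debug output and classify it. The function names, the sample debug lines, and the list of names treated as post-quantum are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the key exchange that `ssh -v` reports as negotiated.
# Assumption: the names below are the hybrid post-quantum KEX algorithms
# shipped by OpenSSH; extend the list if your build offers others.
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Reads `ssh -v` debug output on stdin and prints "<algorithm> <pq|non-pq>".
# Exit status: 0 = post-quantum, 1 = not post-quantum,
# 2 = no "kex: algorithm:" line seen (connection failed before key exchange).
audit_kex_log() {
    alg=$(sed -n 's/^debug1: kex: algorithm: \([^ ]*\).*$/\1/p' | head -n 1 | tr -d '\r')
    if [ -z "$alg" ]; then
        echo "unknown none"
        return 2
    fi
    if is_pq_kex "$alg"; then
        echo "$alg pq"
    else
        echo "$alg non-pq"
        return 1
    fi
}

# Constructed sample debug output (not captured from a real host).
SAMPLE_OLD_SERVER='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

SAMPLE_NEW_SERVER='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

# Demonstration on the constructed samples. Against a real host:
#   ssh -v host true 2>&1 | audit_kex_log
printf '%s\n' "$SAMPLE_OLD_SERVER" | audit_kex_log || true
printf '%s\n' "$SAMPLE_NEW_SERVER" | audit_kex_log || true
```

The non-zero exit status for a non-post-quantum or missing key exchange lets the function be used directly in a loop over an inventory of hosts.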