post-quantum warning WarnWeakCrypto=yes vs KexAlgorithms

Mon Mar 2 00:39:06 AEDT 2026

Hi,

the post-quantum warning is currently silenced, if the KexAlgorithms are 
set/modified, e.g. system-wide, in the user-specific config file(s) or 
directly as option on the command line, even if WarnWeakCrypto is 
explicitly set to "yes" as far as I understand. See sshconnect.c:

> if (!options.kex_algorithms_set && [...]

This seems bad to me, as I'd like to modify the default KexAlgorithms 
set, while still getting the warning by default. Setting a more strict 
set should not be that uncommon? And I don't think it's unreasonable, 
that the default set contains both post-quantum and non-pq algorithms, 
why should the usage of KexAlgorithms silence the warning in this case?

I would assume, that the intention was more to silence the warning, if 
KexAlgorithms is set for a single host as a shortcut, that would seem 
more reasonable, however I'd say even then the warning should be shown, 
if WarnWeakCrypto is explicitly set to "yes".

Therefore, some possible solutions:

1. Ignore KexAlgorithms regarding the warning. (If you don't want to see 
the warning, use WarnWeakCrypto as documented.)

2. When KexAlgorithms is set, change WarnWeakCrypto default from "yes" 
to "no-pq-kex", so that one can still override it to "yes". (Less 
impact, but it also means, that everyone using KexAlgorithms to modify 
the default set will not see the warning by default, not sure if that's 
a good thing. Also more complicated.)

Furthermore:

* I've not found any documentation regarding this behavior, e.g. nothing 
in the man page. Maybe I've missed it, but in case you want to keep it, 
it should be documented.

* The https://www.openssh.org/pq.html FAQ seems to be misleading: "If 
your server is already running one of these versions, then check whether 
the KexAlgorithms option has disabled their use." implies, that you can 
see the warning with KexAlgorithms in use, but you can't, right?

Thanks,
Tristan