backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
Damien Miller
djm at mindrot.org
Tue Aug 12 09:42:02 AEST 2025
Hi,
I have just made a series of commits to the stable branches of portable
OpenSSH versions 8.9 through 9.8 to enable the "sntrup761x25519-sha512"
key agreement algorithm.
This algorithm is the IANA-allocated name for the existing post-quantum
algorithm "sntrup761x25519-sha512 at openssh.com". Apart from the name,
"sntrup761x25519-sha512" is completely identical and it was only a
trivial change to enable the new standard name as an additional
alias.
This key exchange algorithm is widely deployed under the existing
"@openssh.com" vendor extension name, but is in the final stages of
standardisation[1] by the IETF under the new IANA-allocated name.
We have backported the new name to past OpenSSH versions to make it
as easy as possible for downstream maintainers, especially those who
maintain LTS OS distributions, to include it in their releases.
Supporting both names will maximise the universe of software that will
automatically use a post-quantum safe key agreement scheme. We believe
this is an important step to reduce the risk of "store now, decrypt
later" attacks.
If you are a maintainer for OpenSSH in an LTS operating system, please
consider including this change, cherry-picked from the relevant branch
for the OpenSSH release you ship (e.g. from the V_9_0 branch for
OpenSSH 9.0). Please let me know if there is anything I can do to
assist.
For more information on OpenSSH's integration of post-quantum
cryptography, please take a look at http://openssh.com/pq.html
-d
[1] https://datatracker.ietf.org/doc/draft-josefsson-ntruprime-ssh/
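The post asks downstream maintainers to confirm that both names of the hybrid post-quantum key exchange end up in their builds. The script below is an added example for that check, not part of the post or of OpenSSH itself: it classifies the output format of `ssh -Q kex` (one algorithm name per line) as offering both names, only the standard name, only the vendor name, or neither, and it extracts the key exchange actually negotiated for a session from `ssh -v` output. The two algorithm names are the ones given in the post; the sample `ssh -Q kex` listing and the `ssh -v` excerpt are constructed here to make the script run offline.

```shell
#!/bin/sh
# Added example (not from the post or the OpenSSH project): report which of
# the two names of the sntrup761x25519-sha512 hybrid key exchange a build
# advertises, and which key exchange a real session negotiated.

STD_NAME='sntrup761x25519-sha512'              # IANA-allocated name
VENDOR_NAME='sntrup761x25519-sha512@openssh.com' # existing vendor-extension name

# pq_kex_support: reads algorithm names, one per line on stdin (the format
# of `ssh -Q kex`), and prints "both", "standard", "vendor" or "none".
pq_kex_support() {
    has_std=0; has_vendor=0
    while IFS= read -r name; do
        case "$name" in
            "$STD_NAME")    has_std=1 ;;
            "$VENDOR_NAME") has_vendor=1 ;;
        esac
    done
    if [ "$has_std" -eq 1 ] && [ "$has_vendor" -eq 1 ]; then echo both
    elif [ "$has_std" -eq 1 ]; then echo standard
    elif [ "$has_vendor" -eq 1 ]; then echo vendor
    else echo none
    fi
}

# negotiated_kex: prints the key exchange chosen for a session, taken from
# the "debug1: kex: algorithm: <name>" line that `ssh -v` writes (stdin).
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# is_pq_kex: succeeds (exit 0) when the given name is either spelling of
# the post-quantum hybrid key exchange.
is_pq_kex() {
    case "$1" in
        "$STD_NAME"|"$VENDOR_NAME") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `ssh -Q kex` from a build that has not received the
# backport: only the vendor-extension name is present.
OLD_KEX_LIST='curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
ecdh-sha2-nistp256'

# Constructed excerpt of `ssh -v` output for one session.
SAMPLE_DEBUG='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519'

echo "sample build offers: $(printf '%s\n' "$OLD_KEX_LIST" | pq_kex_support)"
kex=$(printf '%s\n' "$SAMPLE_DEBUG" | negotiated_kex)
if is_pq_kex "$kex"; then
    echo "sample session used a post-quantum kex: $kex"
else
    echo "sample session used a classical kex: $kex"
fi

# When a real ssh client is installed, check it the same way.
if command -v ssh >/dev/null 2>&1; then
    echo "local ssh build offers: $(ssh -Q kex | pq_kex_support)"
fi
```

A build that prints "vendor" still performs the post-quantum exchange, but only with peers that also know the "@openssh.com" spelling; "both" is the state the backport produces and the one that interoperates with software that only implements the IANA name.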