backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
Stuart Henderson
stu at spacehopper.org
Tue Aug 12 21:53:15 AEST 2025
On 2025/08/12 09:42, Damien Miller wrote:
> We have backported the new name to past OpenSSH versions to make it
> as easy as possible for downstream maintainers, especially those who
> maintain LTS OS distributions to include it in their releases.
>
> Supporting both names will maximise the universe of software that will
> automatically use a post-quantum safe key agreement scheme. We believe
> this is an important step to reduce the risk of "store now, decrypt
> later" attacks.
>
> If you are a maintainer for OpenSSH in an LTS operating system, please
> consider including this change, cherrypicked from the relevant branch
> for the OpenSSH release you ship (e.g. from the V_9_0 branch for
> OpenSSH 9.0). Please let me know if there is anything I can do to
> assist.
Passing on a message from chatting with someone about this change -
apparently there are older Fedora/RHEL boxes which do have openssh 9.x
but don't have mlkem768x25519-sha256 enabled in default crypto-policies.
Not sure if that would be in scope for a change at this point but maybe
worth relevant maintainer/s considering if possible.
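
The reply above distinguishes between a build that ships a hybrid KEX and a configuration or policy that actually enables it; comparing `ssh -Q kex` with the effective `KexAlgorithms` shows which case a host is in. This is an added example, not part of the original message or of OpenSSH itself: the function names and sample lists are constructed, and the `@openssh.com` entry is the older vendor-suffixed form of the sntrup name.

```shell
#!/bin/sh
# Added example: classify hybrid post-quantum KEX names as enabled,
# supported-but-disabled (e.g. switched off by policy), or unsupported.

# Names from the thread, plus the older vendor-suffixed sntrup name.
PQ_KEX="mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com"

# classify_kex SUPPORTED EFFECTIVE
#   SUPPORTED: newline-separated names, as printed by `ssh -Q kex`
#   EFFECTIVE: comma-separated kexalgorithms value from `ssh -G <host>`
# Body runs in a subshell so its variables stay local.
classify_kex() (
    supported="$1"
    effective="$2"
    for name in $PQ_KEX; do
        # -x and -F: whole-line, literal match, so the suffixed and
        # unsuffixed sntrup names are never confused with each other.
        if printf '%s\n' "$effective" | tr ',' '\n' | grep -qxF -- "$name"; then
            echo "$name enabled"
        elif printf '%s\n' "$supported" | grep -qxF -- "$name"; then
            echo "$name supported-but-disabled"
        else
            echo "$name unsupported"
        fi
    done
)

# pq_ready: succeeds only if at least one hybrid PQ KEX is enabled.
pq_ready() {
    classify_kex "$1" "$2" | grep -q ' enabled$'
}

# Constructed sample data (not captured from a real host): the build
# knows mlkem768x25519-sha256 but the effective list leaves it out.
SAMPLE_SUPPORTED="curve25519-sha256
ecdh-sha2-nistp256
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256"
SAMPLE_EFFECTIVE="curve25519-sha256,sntrup761x25519-sha512@openssh.com,ecdh-sha2-nistp256"

classify_kex "$SAMPLE_SUPPORTED" "$SAMPLE_EFFECTIVE"

# Against a live client (example.org is a placeholder host):
#   classify_kex "$(ssh -Q kex)" \
#     "$(ssh -G example.org | awk '$1=="kexalgorithms"{print $2}')"
```
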