backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8

Theo de Raadt deraadt at openbsd.org
Tue Aug 12 23:36:47 AEST 2025


Stuart Henderson <stu at spacehopper.org> wrote:

> On 2025/08/12 09:42, Damien Miller wrote:
> > We have backported the new name to past OpenSSH versions to make it
> > as easy as possible for downstream maintainers, especially those who
> > maintain LTS OS distributions to include it in their releases.
> > 
> > Supporting both names will maximise the universe of software that will
> > automatically use a post-quantum safe key agreement scheme. We believe
> > this is an important step to reduce the risk of "store now, decrypt
> > later" attacks.
> > 
> > If you are a maintainer for OpenSSH in a LTS operating system, please
> > consider including this change, cherrypicked from the relevant branch
> > for the OpenSSH release you ship (e.g. from the V_9_0 branch for
> > OpenSSH 9.0). Please let me know if there is anything I can do to
> > assist.
> 
> Passing on a message from chatting with someone about this change -
> apparently there are older Fedora/RHEL boxes which do have openssh 9.x
> but don't have mlkem768x25519-sha256 enabled in default crypto-policies.
> Not sure if that would be in scope for a change at this point but maybe
> worth relevant maintainer/s considering if possible.

Yes, this is known.  Redhat has some pretty aggressive policies forcing
older crypto at their varied userbase, and ship with massive downstream
changes to OpenSSH.

Thus far our arguments for progress have fallen on deaf ears, so users
need to make manual changes or they remain on non-PQ algorithms.
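Added example (not part of the thread and not OpenSSH code): a small simulation of SSH key-exchange algorithm negotiation as specified in RFC 4253 section 7.1 (the first algorithm on the client's list that the server also supports wins). It shows why a client that only knows the PQ kex under its old name and a server that only knows it under the new name silently fall back to a classical kex, which is the situation the backport of both names is meant to avoid, and why a client whose crypto policy strips every PQ name never negotiates one regardless of the server. The algorithm lists below are constructed for illustration, not copied from any OpenSSH release or distribution policy; the helper that builds a KexAlgorithms line uses the real '^' prefix (place at the head of the default list) and only the PQ names that the local binary reports via `ssh -Q kex`, because OpenSSH rejects a directive that names an algorithm it does not know.

```python
# Added example (not OpenSSH code, not from the thread): a simulation of SSH
# key-exchange algorithm negotiation (RFC 4253 section 7.1) showing why a
# client and server that know a PQ kex under *different* names silently fall
# back to a classical kex, and a helper that builds a KexAlgorithms directive
# from the PQ names the local ssh binary actually supports.
import shutil
import subprocess

# Post-quantum hybrid kex names discussed in the thread. The old name carried
# the @openssh.com suffix; the suffix-less name is the one being backported.
PQ_KEX_PREFERENCE = [
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
]
PQ_KEX = set(PQ_KEX_PREFERENCE)

# Constructed algorithm lists (orders are illustrative, not copied from a release).
OLD_CLIENT = [                      # client that only knows the old PQ name
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
]
NEW_NAME_ONLY_SERVER = [            # server that only knows the new PQ name
    "sntrup761x25519-sha512",
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
]
BOTH_NAMES_SERVER = [               # server with the backport: both names
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
]
POLICY_RESTRICTED_CLIENT = [        # client whose system crypto policy omits every PQ name
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]


def negotiate_kex(client, server):
    """RFC 4253 7.1: the chosen kex is the first algorithm on the client's list
    that also appears on the server's list; None means the connection fails."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def is_pq(kex):
    """True if the negotiated kex is one of the post-quantum hybrids."""
    return kex in PQ_KEX


def parse_kex_list(text):
    """Parse either `ssh -Q kex` output (one name per line) or a comma-separated
    KexAlgorithms value into a list of names."""
    return [t.strip() for t in text.replace("\n", ",").split(",") if t.strip()]


def pq_kex_directive(available):
    """Build a ssh_config/sshd_config line that puts the PQ hybrids the local
    binary supports at the head of the default list (the '^' prefix). Only names
    present in `available` are used, because an unknown name makes OpenSSH
    reject the whole directive. Returns None if no PQ kex is available."""
    have = set(available)
    usable = [name for name in PQ_KEX_PREFERENCE if name in have]
    if not usable:
        return None
    return "KexAlgorithms ^" + ",".join(usable)


def local_kex_algorithms():
    """Return the kex names compiled into the local ssh, or None if ssh is absent."""
    if shutil.which("ssh") is None:
        return None
    out = subprocess.run(["ssh", "-Q", "kex"], capture_output=True, text=True, check=True)
    return parse_kex_list(out.stdout)


if __name__ == "__main__":
    scenarios = [
        ("old-name client -> new-name-only server", OLD_CLIENT, NEW_NAME_ONLY_SERVER),
        ("old-name client -> both-names server", OLD_CLIENT, BOTH_NAMES_SERVER),
        ("policy-restricted client -> both-names server", POLICY_RESTRICTED_CLIENT, BOTH_NAMES_SERVER),
    ]
    for label, client, server in scenarios:
        kex = negotiate_kex(client, server)
        print(f"{label}: {kex} ({'PQ' if is_pq(kex) else 'NOT PQ'})")
    local = local_kex_algorithms()
    if local is not None:
        print("directive for this host's ssh:", pq_kex_directive(local))
```

Two caveats for anyone applying the generated directive by hand: `ssh -Q kex` lists what the binary was compiled with, not what the effective configuration allows, so compare it with `ssh -G host | grep -i kexalgorithms` to see the list a connection would actually offer; and in both ssh_config and sshd_config the first obtained value of a keyword wins, so on systems where a distribution-supplied include already sets KexAlgorithms the new line has to be placed so that it is read first, otherwise it is ignored.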
