backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8

[Sam James]

Damien Miller <djm at mindrot.org> writes:

> Hi,
>
> I have just made a series of commits to the stable branches of portable
> OpenSSH versions 8.9 through 9.8 to enable the "sntrup761x25519-sha512"
> key agreement algorithm.
>
> This algorithm is the IANA-allocated name for the existing post-quantum
> algorithm "sntrup761x25519-sha512 at openssh.com". Apart from the name,
> "sntrup761x25519-sha512" is completely identical and it was only a
> trivial change to enable the new standard name as an additional
> alias.
>
> This key exchange algorithm is widely deployed under the exiting
> "@openssh.com" vendor extension name, but is in the final stages of
> standarisation[1] by the IETF under the new IANA-allocated name.
>
> We have backported the new name to past OpenSSH versions to make it
> as easy as possible for downstream maintainers, especially though who
> maintain LTS OS distributions to include it in their releases.
>
> Supporting both names will maximise the universe of software that will
> automatically use a post-quantum safe key agreement scheme. We believe
> this is an important step to reduce the risk of "store now, decrypt
> later" attacks.
>
> If you are a maintainer for OpenSSH in a LTS operating system, please
> consider including this change, cherrypicked from the relevant branch
> for the OpenSSH release you ship (e.g. from the V_9_0 branch for
> OpenSSH 9.0). Please let me know if there is anything I can do to
> assist.
>
> For more information on OpenSSH's integration of post-quantum
> cryptography, please take a look at http://openssh.com/pq.html

Is it worth linking to this ML post / referencing the backports on
branches? I expect to have to link this to a bunch of service providers
and it may help them lobby their distributions if it's on a convenient
page already linked from the warning.

cheers,
sam