backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
Theo de Raadt
deraadt at openbsd.org
Wed Oct 8 03:39:30 AEDT 2025
Sam James <sam at gentoo.org> wrote:
> Damien Miller <djm at mindrot.org> writes:
>
> > Hi,
> >
> > I have just made a series of commits to the stable branches of portable
> > OpenSSH versions 8.9 through 9.8 to enable the "sntrup761x25519-sha512"
> > key agreement algorithm.
> >
> > This algorithm is the IANA-allocated name for the existing post-quantum
> > algorithm "sntrup761x25519-sha512@openssh.com". Apart from the name,
> > "sntrup761x25519-sha512" is completely identical and it was only a
> > trivial change to enable the new standard name as an additional
> > alias.
> >
> > This key exchange algorithm is widely deployed under the existing
> > "@openssh.com" vendor extension name, but is in the final stages of
> > standardisation[1] by the IETF under the new IANA-allocated name.
> >
> > We have backported the new name to past OpenSSH versions to make it
> > as easy as possible for downstream maintainers, especially those who
> > maintain LTS OS distributions, to include it in their releases.
> >
> > Supporting both names will maximise the universe of software that will
> > automatically use a post-quantum safe key agreement scheme. We believe
> > this is an important step to reduce the risk of "store now, decrypt
> > later" attacks.
> >
> > If you are a maintainer for OpenSSH in an LTS operating system, please
> > consider including this change, cherrypicked from the relevant branch
> > for the OpenSSH release you ship (e.g. from the V_9_0 branch for
> > OpenSSH 9.0). Please let me know if there is anything I can do to
> > assist.
> >
> > For more information on OpenSSH's integration of post-quantum
> > cryptography, please take a look at http://openssh.com/pq.html
>
> Is it worth linking to this ML post / referencing the backports on
> branches? I expect to have to link this to a bunch of service providers
> and it may help them lobby their distributions if it's on a convenient
> page already linked from the warning.

The openssh.com/pq.html web page is very much "user-facing", and not
focused on the downstream development teams. We want to avoid the
tl;dr effect.
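
The following is an added example, not part of this thread and not OpenSSH code. It shows why accepting both names matters, using the basic RFC 4253 section 7.1 selection rule (the first algorithm on the client's list that the server also lists). It is simplified: it ignores the host-key compatibility conditions and guessed packets, and the peer preference lists are constructed for illustration, not actual OpenSSH defaults.

```python
# Added example: simplified SSH KEX name selection (RFC 4253, section 7.1).
# All peer preference lists below are constructed, not real OpenSSH defaults.

IANA_NAME = "sntrup761x25519-sha512"
VENDOR_NAME = "sntrup761x25519-sha512@openssh.com"
PQ_NAMES = {IANA_NAME, VENDOR_NAME}  # two names, one identical algorithm

def negotiate_kex(client_prefs, server_prefs):
    """Return the first client-preferred name the server also lists, or None."""
    server = set(server_prefs)
    for name in client_prefs:
        if name in server:
            return name
    return None

def classify(client_prefs, server_prefs):
    """Return (chosen_name, verdict) for one client/server pairing."""
    chosen = negotiate_kex(client_prefs, server_prefs)
    if chosen is None:
        return (None, "no common algorithm")
    verdict = "post-quantum hybrid" if chosen in PQ_NAMES else "classical only"
    return (chosen, verdict)

CLASSICAL = ["curve25519-sha256", "ecdh-sha2-nistp256"]
# Hypothetical peers: names are matched as opaque strings, so an alias
# only helps if the peer's list actually contains it.
PEERS = {
    "vendor-name-only": [VENDOR_NAME] + CLASSICAL,          # without the backport
    "both-names": [IANA_NAME, VENDOR_NAME] + CLASSICAL,     # with the backport
    "iana-name-only": [IANA_NAME] + CLASSICAL,              # knows only the standard name
}

def matrix():
    """Classify every client/server combination of the constructed peers."""
    return {
        (c, s): classify(PEERS[c], PEERS[s])
        for c in PEERS
        for s in PEERS
    }

if __name__ == "__main__":
    for (client, server), (name, verdict) in matrix().items():
        print(f"{client:>17} -> {server:<17} {verdict:<20} {name}")
```

The only pairings that silently drop to a classical exchange are the two where one side knows only the vendor name and the other only the IANA name; a peer carrying both names negotiates the hybrid exchange with either.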