OpenSSH begins warning for non-PQC key exchanges
29 points by addison
Once again relevant because of recent improvements to quantum computing. Should we consider moving on these warnings more quickly?
Jesus, I can't think of anything more annoying.
Is there another implementation of SSH that I can use that doesn't do this?
They have a whole-ass FAQ item for this at the link: "I received a warning from ssh that directed me to this page. What should I do?"
If you are unable to update the server and/or you prefer to accept the risk of continuing to use quantum-unsafe cryptography then the warning may be silenced via the WarnWeakCrypto option in ssh_config(5). We recommend doing this selectively, for example:
Match host unsafe.example.com
    WarnWeakCrypto no-pq-kex
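Added example, not part of the thread or of OpenSSH's own documentation: a shell sketch that reads `ssh -v` debug output, reports which hosts negotiated a non-post-quantum key exchange, and prints the selective Match stanza quoted above only for those hosts. The function names, the sample log and the list of hybrid PQ algorithm names (as shipped in current OpenSSH releases) are assumptions of this example.

```shell
#!/bin/sh
# Classify the key exchange seen in `ssh -v` debug output and emit a
# per-host ssh_config stanza only where a non-PQ KEX was negotiated.

# Return 0 if the name is a hybrid post-quantum KEX (assumed list).
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256) return 0 ;;
        sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Read concatenated `ssh -v` logs on stdin; print "host kex verdict".
audit_kex() {
    host=""
    while IFS= read -r line; do
        case "$line" in
            "debug1: Connecting to "*)
                rest=${line#"debug1: Connecting to "}
                host=${rest%% *}
                ;;
            "debug1: kex: algorithm: "*)
                kex=${line#"debug1: kex: algorithm: "}
                if is_pq_kex "$kex"; then verdict=pq; else verdict=no-pq; fi
                printf '%s %s %s\n' "${host:-unknown}" "$kex" "$verdict"
                ;;
        esac
    done
}

# Turn audit lines into Match blocks, scoped per host rather than global.
silence_stanzas() {
    while read -r host kex verdict; do
        [ "$verdict" = no-pq ] || continue
        printf 'Match host %s\n    WarnWeakCrypto no-pq-kex\n' "$host"
    done
}

# Constructed sample input (not captured from real servers).
SAMPLE_LOG='debug1: Connecting to new.example.com [192.0.2.10] port 22.
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: Connecting to unsafe.example.com [192.0.2.11] port 22.
debug1: kex: algorithm: curve25519-sha256'

printf '%s\n' "$SAMPLE_LOG" | audit_kex | silence_stanzas
```

The audit output doubles as an inventory of servers that still need an upgrade; the stanza only silences the warning and does not change what is negotiated.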
I can't think of anything more annoying
I don't believe you. I enjoy reading lobste.rs because people rarely write daft things like this.
Are people really so annoyed by PQC? It's not like it reduces your security; it can only improve it, and while there is a low chance of quantum becoming viable soon, it's non-zero. I do not understand this annoyance, especially since it is so unlikely to meaningfully affect user experience at all.
I imagine it's less about PQC itself, and more about "Thing that used to work one way, suddenly started working another way without my permission."
Not trying to knock PQC (it is important!) or folks' reactions (it is annoying!), just trying to draw a distinction between the change's reaction versus its merits.
I see this as a good thing as it prompted me to update/upgrade my OpenWrt instances, something I'd been slacking on. I'm guessing this is mostly annoying for accessing older, more enterprise-y systems?
OpenSSH doesn't do this if you configure it according to the instructions from the very link you're commenting on. If it were me, I'd put it under a Match host directive in my config, though.
I've had this happen for a while now (few weeks? a bit over a month?) using a Debian 14 PC to connect to a Debian 11 host. It's so f annoying.