This caught me off-guard when I upgraded to Debian 13:
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
But are those quantum computers already a security threat?
No idea, I just don't like warnings that weren't there before, I suppose.
Not today, but if your data needs to stay secret for a decade or two you must assume someone is recording the traffic now and will run Shor on it later, so the warning is nudging admins toward algorithms whose security assumptions survive that horizon. Same reason we all scrambled for forward secrecy long before laptops could brute-force 1024-bit RSA.
If you're on OpenSSH 9.4+ the pragmatic move is to whitelist one of the hybrid KEX like sntrup761x25519-sha512@openssh.com in sshd_config and call it a day. Takes 30 seconds, breaks nothing, and future-proofs the logs your ops team might regret in 2035.
That message is OpenSSH nudging you toward a "hybrid" key exchange (classic ECDH plus Kyber or friends) because the discrete-log side of regular ECDH is toast the moment a practical fault-tolerant quantum machine shows up. Even though nobody has that machine today, the traffic you send now can be captured and cracked retroactively, so the project is treating it like a Y2K-style migration instead of a last-minute scramble.
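A way to check what the thread is describing, as an added example that is not from the thread or from OpenSSH itself: a POSIX shell snippet that reads `ssh -v` debug output, reports whether the negotiated KEX is one of the hybrid post-quantum algorithms, and prints the sshd_config drop-in the reply above suggests. The transcripts are constructed; the KEX names other than sntrup761x25519-sha512@openssh.com are the hybrid names shipped in recent OpenSSH releases (assumed current), and the drop-in path assumes a Debian-style `Include /etc/ssh/sshd_config.d/*.conf`.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Real input: ssh -v host 2>&1 | grep 'kex: algorithm' ; sample lines below are constructed.

# Hybrid (classical + post-quantum) KEX names. The first is from the thread; the
# others are the hybrid names in recent OpenSSH releases (assumed current).
PQ_KEX="sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512 mlkem768x25519-sha256 mlkem1024-nistp384-sha384"

# Extract the negotiated KEX name from `ssh -v` output read on stdin.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# Return 0 if the given KEX name is a hybrid PQ algorithm, 1 otherwise.
is_pq_kex() {
    for name in $PQ_KEX; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Verdict for one debug transcript: prints a line and returns 0 (pq) or 1 (classical).
check_transcript() {
    kex=$(printf '%s\n' "$1" | negotiated_kex)
    if is_pq_kex "$kex"; then
        printf 'pq (%s)\n' "$kex"; return 0
    fi
    printf 'classical (%s): exposed to store-now-decrypt-later\n' "$kex"; return 1
}

# Constructed transcripts, trimmed to the lines that matter.
OLD_SESSION='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
NEW_SESSION='debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519'

# Server-side fix from the thread as a drop-in. The client's preference order
# decides the final pick among what the server lists, so the trailing
# curve25519-sha256 only serves clients that lack hybrid support; drop it to
# refuse such clients outright. Verify with: sshd -T | grep -i kexalgorithms
sshd_dropin() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/pq-kex.conf
KexAlgorithms sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256
EOF
}
```

Client support can be listed with `ssh -Q kex`; a client that shows no hybrid entry will be locked out if the server drops the classical fallback.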