Damien Miller
2025-Aug-11 23:42 UTC
backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
Hi,

I have just made a series of commits to the stable branches of portable OpenSSH versions 8.9 through 9.8 to enable the "sntrup761x25519-sha512" key agreement algorithm.

This algorithm is the IANA-allocated name for the existing post-quantum algorithm "sntrup761x25519-sha512@openssh.com". Apart from the name, "sntrup761x25519-sha512" is completely identical and it was only a trivial change to enable the new standard name as an additional alias.

This key exchange algorithm is widely deployed under the existing "@openssh.com" vendor extension name, but is in the final stages of standardisation[1] by the IETF under the new IANA-allocated name.

We have backported the new name to past OpenSSH versions to make it as easy as possible for downstream maintainers, especially those who maintain LTS OS distributions, to include it in their releases.

Supporting both names will maximise the universe of software that will automatically use a post-quantum safe key agreement scheme. We believe this is an important step to reduce the risk of "store now, decrypt later" attacks.

If you are a maintainer for OpenSSH in an LTS operating system, please consider including this change, cherry-picked from the relevant branch for the OpenSSH release you ship (e.g. from the V_9_0 branch for OpenSSH 9.0). Please let me know if there is anything I can do to assist.

For more information on OpenSSH's integration of post-quantum cryptography, please take a look at http://openssh.com/pq.html

-d

[1] https://datatracker.ietf.org/doc/draft-josefsson-ntruprime-ssh/
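For a maintainer or operator who wants to confirm that a given OpenSSH build actually offers the post-quantum key exchange under either name, and that a real connection negotiated it, the following POSIX shell script is an added example (not code from the thread or from the OpenSSH project). It assumes the output formats of `ssh -Q kex` (one algorithm name per line) and the `debug1: kex: algorithm:` line printed by `ssh -v`; the sample lists and the log excerpt embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example: check which post-quantum KEX names an OpenSSH build offers
# (both the vendor name and the IANA alias are the same algorithm), and
# which algorithm a connection actually negotiated.

# Names worth looking for. The first two are the same algorithm; the
# second is the IANA-allocated alias that the backport adds.
PQ_KEX_NAMES="sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512 mlkem768x25519-sha256"

# pq_kex_offered LIST
#   LIST is the newline-separated output of `ssh -Q kex`.
#   Prints each post-quantum name found, one per line.
#   Returns 0 if at least one was found, 1 otherwise.
pq_kex_offered() {
    found=1
    for name in $PQ_KEX_NAMES; do
        # -x: whole-line match, -F: literal, so the "@openssh.com" variant
        # never matches the bare name and vice versa.
        if printf '%s\n' "$1" | grep -qxF "$name"; then
            printf '%s\n' "$name"
            found=0
        fi
    done
    return $found
}

# negotiated_kex LOG
#   LOG is the stderr of `ssh -v host`. Prints the key exchange algorithm
#   from the first "debug1: kex: algorithm:" line, or "unknown" if absent.
negotiated_kex() {
    alg=$(printf '%s\n' "$1" | sed -n 's/^debug1: kex: algorithm: //p' | head -n 1)
    [ -n "$alg" ] || alg=unknown
    printf '%s\n' "$alg"
}

# Constructed sample: a 9.x build before the cherry-pick lists only the
# vendor-extension name.
SAMPLE_OLD="curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
diffie-hellman-group-exchange-sha256"

# Constructed sample: the same build after the cherry-pick lists both names.
SAMPLE_NEW="curve25519-sha256
sntrup761x25519-sha512@openssh.com
sntrup761x25519-sha512"

# Constructed sample: excerpt of `ssh -v` output from a connection that
# negotiated the IANA-named algorithm.
SAMPLE_LOG="debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519"

# Usage against the local client, if one is installed.
if command -v ssh >/dev/null 2>&1; then
    pq_kex_offered "$(ssh -Q kex)" \
        || echo "this ssh offers no post-quantum key exchange"
fi
```

On a host where the cherry-pick is in place, `pq_kex_offered "$(ssh -Q kex)"` prints both sntrup761 names; on a pre-backport build it prints only the `@openssh.com` one. To check a server rather than the client, feed the stderr of `ssh -v host true` to `negotiated_kex` and confirm the reported algorithm is one of the post-quantum names.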
Theo de Raadt
2025-Aug-12 04:40 UTC
backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
Damien Miller <djm at mindrot.org> wrote:

> Hi,
>
> I have just made a series of commits to the stable branches of portable
> OpenSSH versions 8.9 through 9.8 to enable the "sntrup761x25519-sha512"
> key agreement algorithm.
>
> This algorithm is the IANA-allocated name for the existing post-quantum
> algorithm "sntrup761x25519-sha512@openssh.com". Apart from the name,
> "sntrup761x25519-sha512" is completely identical and it was only a
> trivial change to enable the new standard name as an additional
> alias.

It's been pointed out there are some lazy people :-)

So this is the tiny change to pick up:

https://github.com/openssh/openssh-portable/commit/ffdbae4c0201d42bfa1f5c5e9c21454d10795491

That probably patches into most of the versions above 8.9, or you can find the exact patch you need.
Colin Watson
2025-Aug-12 10:33 UTC
backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
On Tue, Aug 12, 2025 at 09:42:02AM +1000, Damien Miller wrote:

> If you are a maintainer for OpenSSH in a LTS operating system, please
> consider including this change, cherrypicked from the relevant branch
> for the OpenSSH release you ship (e.g. from the V_9_0 branch for
> OpenSSH 9.0). Please let me know if there is anything I can do to
> assist.

I was going to do this for Debian 12 (bookworm), which is the only affected Debian release, but then realized that I already did it in December 2024 and forgot about it. :-)

https://bugs.debian.org/1088873

Any reason you didn't include the documentation changes from https://anongit.mindrot.org/openssh.git/commit/?id=aee54878255d71bf93aa6e91bbd4eb1825c0d1b9 as well? Encouraging distributors to keep that in sync seems like a good idea (and when I cherry-picked the new alias into Debian I included the documentation changes).

Thanks,

-- 
Colin Watson (he/him) [cjwatson at debian.org]
Stuart Henderson
2025-Aug-12 11:53 UTC
backporting sntrup761x25519-sha512 key exchange to OpenSSH 8.9-9.8
On 2025/08/12 09:42, Damien Miller wrote:

> We have backported the new name to past OpenSSH versions to make it
> as easy as possible for downstream maintainers, especially though who
> maintain LTS OS distributions to include it in their releases.
>
> Supporting both names will maximise the universe of software that will
> automatically use a post-quantum safe key agreement scheme. We believe
> this is an important step to reduce the risk of "store now, decrypt
> later" attacks.
>
> If you are a maintainer for OpenSSH in a LTS operating system, please
> consider including this change, cherrypicked from the relevant branch
> for the OpenSSH release you ship (e.g. from the V_9_0 branch for
> OpenSSH 9.0). Please let me know if there is anything I can do to
> assist.

Passing on a message from chatting with someone about this change: apparently there are older Fedora/RHEL boxes which do have openssh 9.x but don't have mlkem768x25519-sha256 enabled in default crypto-policies. Not sure if that would be in scope for a change at this point, but maybe worth relevant maintainer/s considering if possible.