bugzilla-daemon at mindrot.org
2025-Oct-08 16:53 UTC
[Bug 3878] New: WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
https://bugzilla.mindrot.org/show_bug.cgi?id=3878
Bug ID: 3878
Summary: WarnWeakCrypto for non-PQ keys is suppressed if
KexAlgorithms option is used
Product: Portable OpenSSH
Version: 10.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: pducklin at outlook.com
The new non-post-quantum crypto warning in sshconnect.c is
automatically suppressed if 'KexAlgorithms' is explicitly tweaked by
the user, even if the choices include a post-quantum-safe algorithm
that is not selected.
I suggest that this warning should always appear by default, and
explicitly turning off 'WarnWeakCrypto' should be required to suppress
it.
This would make any inadvertent ongoing use of non-post-quantum key
exchanges more obvious.
If this is not practicable, the ssh_config notes about the new warning
could be updated to say, "Be aware that if the 'KexAlgorithms' option
is used, this warning will not appear even if a non-post-quantum
algorithm is ultimately chosen and 'WarnWeakCrypto' is on."
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Oct-08 23:24 UTC
[Bug 3878] WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
https://bugzilla.mindrot.org/show_bug.cgi?id=3878
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Yes, this is intentional for now. We're going to finesse this more as
we go.
I think the heuristic we want is to warn if options->kex_algorithms
contains a PQ KEX but one wasn't selected.
bugzilla-daemon at mindrot.org
2025-Oct-09 13:13 UTC
[Bug 3878] WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
https://bugzilla.mindrot.org/show_bug.cgi?id=3878
--- Comment #2 from Duck <pducklin at outlook.com> ---
TBH, a command line option that explicitly and compactly lists all
crypto algorithms chosen for use once the connection is established
would be good.
You can figure out what happened with -vv or -vvv, but it's a bit of a
messy and error-prone way to do it.
Encouraging (or at least making it easy for) people to check their
actual crypto usage from time to time is a great way of promoting
strong crypto and crypto agility.
Not much point in WarnWeakCrypto if there is no simple and standard way
to check the details behind the warning and thereby fix the problem
solidly :-)
My 2c.
bugzilla-daemon at mindrot.org
2025-Oct-09 13:14 UTC
[Bug 3878] WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
https://bugzilla.mindrot.org/show_bug.cgi?id=3878
--- Comment #3 from Duck <pducklin at outlook.com> ---
TBH, a command line option that explicitly and compactly lists all
crypto algorithms chosen for use once the connection is established
would be good.
You can figure out what happened with -vv or -vvv, but it's a bit of a
messy and error-prone way to do it.
Encouraging (or at least making it easy for) people to check their
actual crypto usage from time to time is a great way of promoting
strong crypto and crypto agility.
Not much point in WarnWeakCrypto if there is no simple and standard way
to check the details behind the warning and thereby fix the problem
solidly :-)
My 2c.
bugzilla-daemon at mindrot.org
2025-Oct-09 23:13 UTC
[Bug 3878] WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
https://bugzilla.mindrot.org/show_bug.cgi?id=3878
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
> TBH, a command line option that explicitly and compactly
> lists all crypto algorithms chosen for use once the
> connection is established would be good.
That's ssh -G, e.g.
[djm@desktop ~]$ ssh -G github.com | grep ^kexalgorithms
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
bugzilla-daemon at mindrot.org
2025-Oct-09 23:46 UTC
[Bug 3878] WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
https://bugzilla.mindrot.org/show_bug.cgi?id=3878
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Damien Miller from comment #4)
> > TBH, a command line option that explicitly and compactly
> > lists all crypto algorithms chosen for use once the
> > connection is established would be good.
>
> That's ssh -G, e.g.
That's not exactly the same thing; that's the list of algorithms that
it will select from, not the ones that it actually selected for a given
connection.
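
The difference between the offered list (ssh -G) and the negotiated algorithm (ssh -v), combined with the heuristic proposed in comment #1, as an added example that is not part of the bug thread and is not OpenSSH code. The function names and verdict labels are hypothetical, the sample inputs are constructed, and the post-quantum names are the first three entries of the ssh -G output quoted in comment #4; it assumes the `debug1: kex: algorithm:` line that ssh -v prints.

```sh
#!/bin/sh
# Added example (not OpenSSH code): report whether a connection negotiated a
# post-quantum KEX, and flag the case from comment #1 where one was offered
# by the client configuration but not selected.

# Hybrid post-quantum KEX names, taken from the ssh -G output in comment #4.
PQ_KEX="mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com"

# is_pq NAME -> exit 0 if NAME is one of the post-quantum KEX names
is_pq() {
    for name in $PQ_KEX; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Read `ssh -v` debug text on stdin, print the KEX that was actually selected.
# The host key line ("debug1: kex: host key algorithm: ...") does not match.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | tr -d '\r' | head -n 1
}

# offered_has_pq "a,b,c" -> exit 0 if any entry of the comma list is PQ
offered_has_pq() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for k in "$@"; do is_pq "$k" && return 0; done
    return 1
}

# kex_verdict OFFERED_LIST NEGOTIATED -> prints one hypothetical verdict label
kex_verdict() {
    if [ -z "$2" ]; then echo "unknown"
    elif is_pq "$2"; then echo "pq"
    elif offered_has_pq "$1"; then echo "warn-pq-offered-not-selected"
    else echo "non-pq-by-config"
    fi
}

# Constructed sample inputs. On a real host they would come from:
#   ssh -G host | sed -n 's/^kexalgorithms //p'     (offered list)
#   ssh -v host true 2>&1                            (negotiation log)
SAMPLE_OFFERED="mlkem768x25519-sha256,curve25519-sha256"
SAMPLE_LOG='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

kex_verdict "$SAMPLE_OFFERED" "$(printf '%s\n' "$SAMPLE_LOG" | negotiated_kex)"
```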