Openssh & Post-quantum key exchange algorithm

Rocky Linux Help & Support
1

Hello there,

I have a server running Rockylinux 8.10.

I upgraded my openssh-client on MacOS and discovered this:


** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

Theses algorithms were introduced in openssh 9.0. the openssh-server embedded in RHEL8 is 8.0p1.

We agree that there is no possibility to add a post-quantum algorithm in Rocky Linux 8 ?

Best regards !

2

Same thing with Rocky 9.7 , it has openssh-server-8.7p1-46.el9 .

Are there any plans to add the pq algorithms to Rocky 9 ?

@henri9813

Can you please add rocky-linux-9 tag to the topic .

3

If RHEL add it then yes, since Rocky is based on RHEL. If they have it we have it, if they don’t have it, we don’t either.

4

Hello @iwalker .

I understand Rocky Linux’s Team position. However. do you know if there is subject on their side ?

We can’t keep this problem, it’s “anxiety-inducing” for users.

5

You can install and use Rocky 10, which has all this quantum support already. As for Rocky 8 or 9, as I said it all depends on Red Hat. You could always open a bug with Red Hat if it bothers you so much. I don’t see a problem with it, and I certainly don’t have anxiety either.

As I’ve already explained, Rocky follows RHEL - if they have it, we have it. If they don’t, then we don’t either. This is no different for any other EL distro, be it Oracle 8 or 9, or Almalinux. Since Rocky 10 just like RHEL10 solves the problem, there is a solution for it already - upgrade. Either that, or wait and see if it gets added to EL8 or EL9.

From a quick google:

which leads to this:

TLDR:

update-crypto-policies --set DEFAULT:PQ

might work. Try it? But since that is RHEL 9.7, with EL8 you are going to have to upgrade.

I would deem post-quantum a new feature, so will not be added. Now is just bug fixes, etc. If you don’t want to upgrade from Rocky 8, well then that is not our fault. There are solutions in EL9 and EL10 to fix it - but as you can read from the above links, EL9 quantum support is limited. Full support is offered in EL10.

6

And also:

7

If you just want to remove the “anxiety inducing” warning, you can add the following line to the user’s ~/.ssh/config file:

WarnWeakCrypto no-pq-kex

Obviously this won’t fix the actual issue. Depending on your use case it may not matter, and it will prevent that scary warning from showing up and terrorizing your users.

1 Like
8

Hello all,

First, let me “clarify one point”, the anxity, is not mine, but our “customers” which may not be aware about this nor the real possiblity of an attack.

Second, the upgrade of Rocky linux 8 → 9 is not always possible due to some package version which don’t exist at all in newer version. For example, php 5.6 ( yes, i know, it’s VERY old, but some applications still uses it, we can put them on a trash ).

For Rocky Linux 9.7, Thanks for the tips ! I’m gonna try it and test if it’s works.

9

Quantum SSH attacks aren’t currently possible anyway. Maybe in 5-20 years time. What is happening now, is preparation before it actually happens.