https://bugzilla.mindrot.org/show_bug.cgi?id=3878
Bug ID: 3878
Summary: WarnWeakCrypto for non-PQ keys is suppressed if KexAlgorithms option is used
Product: Portable OpenSSH
Version: 10.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: [email protected]
Reporter: [email protected]

The new non-post-quantum crypto warning in sshconnect.c is
automatically suppressed if 'KexAlgorithms' is explicitly tweaked by
the user, even if the choices include a post-quantum-safe algorithm
that is not selected.

I suggest that this warning should always appear by default, and
explicitly turning off 'WarnWeakCrypto' should be required to suppress
it.

This would make any inadvertent ongoing use of non-post-quantum key
exchanges more obvious.

If this is not practicable, the ssh_config notes about the new warning
could be updated to say, "Be aware that if the 'KexAlgorithms' option
is used, this warning will not appear even if a non-post-quantum
algorithm is ultimately chosen and 'WarnWeakCrypto' is on."
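
A client-side check for the situation this report describes, as an added example that is not part of the bug report or of OpenSSH: it lists the non-post-quantum entries in the effective `KexAlgorithms` printed by `ssh -G` and classifies the algorithm on the `debug1: kex: algorithm:` line of `ssh -v` output, independently of whether the client printed its warning. The function names, the list of post-quantum algorithm names and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not OpenSSH code; function names and sample input are constructed.

# Hybrid post-quantum KEX names shipped by OpenSSH (assumption: extend for your build).
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com)
            return 0 ;;
    esac
    return 1
}

# stdin: output of `ssh -G <host>`. Prints each non-PQ entry of the effective
# KexAlgorithms list, i.e. the fallbacks that can still be negotiated when the
# server supports none of the PQ algorithms listed before them.
non_pq_fallbacks() {
    sed -n 's/^kexalgorithms //p' | tr ',' '\n' | while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        is_pq_kex "$alg" || printf '%s\n' "$alg"
    done
}

# stdin: stderr of `ssh -v <host>`. Prints "PQ <alg>" or "NON-PQ <alg>" for the
# first negotiated key exchange, or "UNKNOWN" if no kex line is present.
negotiated_kex() {
    alg=$(sed -n 's/^debug1: kex: algorithm: //p' | head -n 1)
    if [ -z "$alg" ]; then
        echo "UNKNOWN"
    elif is_pq_kex "$alg"; then
        echo "PQ $alg"
    else
        echo "NON-PQ $alg"
    fi
}

# Constructed sample input: a KexAlgorithms override that lists a PQ algorithm
# first, and a session in which the non-PQ fallback was negotiated anyway.
printf 'kexalgorithms mlkem768x25519-sha256,curve25519-sha256\n' | non_pq_fallbacks
printf 'debug1: kex: algorithm: curve25519-sha256\n' | negotiated_kex
```
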