openssh.com - OpenSSH supports a number of cryptographic key agreement algorithms considered to be safe against attacks from quantum computers. We recommend that all SSH connections use these algorithms.
OpenSSH has offered post-quantum key agreement (KexAlgorithms) by default since release 9.0 (April 2022), initially via the sntrup761x25519-sha512 algorithm. More recently, in OpenSSH 9.9, we have added a second post-quantum key agreement mlkem768x25519-sha256 and it was made the new default scheme in OpenSSH 10.0 (April 2025).
To encourage migration to these stronger algorithms, OpenSSH 10.1 will warn the user when a non post-quantum key agreement scheme is selected, with the following message:
WARNING: connection is not using a post-quantum key exchange algorithm.
This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
This warning is displayed by default but may be disabled via the WarnWeakCrypto option in ssh_config(5).
Background
A quantum computer (QC) is a device capable of performing computations with information encoded as quantum states. Such a device could quickly solve particular problems that are intractable for existing "classical" computers.
The mathematics that underpin a number of cryptographic algorithms are among the problems that quantum computers are believed to be able to effectively solve. This means that a sufficiently-powerful quantum computer (a.k.a a "cryptographically-relevant" quantum computer) will be able to break them. Most affected is the cryptography used for key agreement and digital signatures, both of which play important roles in SSH.
Fortunately, quantum computers of sufficient power to break cryptography have not been invented yet. Estimates for when a cryptographically-relevant quantum computer will arrive, based on the rate of progress in the field, range from 5-20 years, with many observers expecting them to arrive in the mid-2030s.
The entire privacy of an SSH connection depends on cryptographic key agreement. If an attacker can break the key agreement then they are able to decrypt and view the entire session. The attacker need not perform this attack in real time; they may collect encrypted SSH sessions now and then decrypt them later once they have access to a quantum computer. This is referred to as a "store now, decrypt later" attack (also as "harvest now, decrypt later").
Fortunately, improved "post-quantum" cryptographic algorithms have been devised that rely on different underlying mathematical problems that are understood to not be attackable by a quantum computer.
OpenSSH has supported post-quantum key agreement to prevent "store now, decrypt later" attacks for several years and it has been the default since OpenSSH-9.0, released in 2022.
FAQ
I received a warning from ssh that directed me to this page. What should I do?
As mentioned above, OpenSSH 10.1 started warning users when connections use cryptography that is not safe against quantum computers. If you received such a warning, it means that the server you connected to did not offer one of the two post-quantum key agreement algorithms that are being standardised for the SSH protocol: mlkem768x25519-sha256 and sntrup761x25519-sha512
The ideal solution is to update the server to use an SSH implementation that supports at least one of these. OpenSSH versions 9.0 and greater support sntrup761x25519-sha512 and versions 9.9 and greater support mlkem768x25519-sha256. If your server is already running one of these versions, then check whether the KexAlgorithms option has disabled their use.
If you are unable to update the server and/or you prefer to accept the risk of continuing to use quantum-unsafe cryptography then the warning may be silenced via the WarnWeakCrypto option in ssh_config(5). We recommend doing this selectively, for example:
Match host unsafe.example.com
WarnWeakCrypto no
Quantum computers don't exist yet, why go to all this trouble?
Because of the "store now, decrypt later" attack mentioned above. Traffic sent today is at risk of decryption unless post-quantum key agreement is used.
What about signature algorithms? You said they were at risk too
Yes, most currently-used signature algorithms (including RSA and ECDSA) can be broken by a quantum computer. However, there is no risk to existing traffic in this situation (i.e. there is no analogous "store now, decrypt later"). The only urgency for signature algorithms is ensuring that all classical signature keys are retired in advance of cryptographically-relevant computers becoming a reality. OpenSSH will add support for post-quantum signature algorithms in the future.
I don't believe we'll ever get quantum computers. This is a waste of time
Some people consider the task of scaling existing quantum computers up to the point where they can tackle cryptographic problems to be practically insurmountable. This is a possibility. However, it appears that most of the barriers to a cryptographically-relevant quantum computer are engineering challenges rather than underlying physics.
If we're right about quantum computers being practical, then we will have protected vast quantities of user data. If we're wrong about it, then all we'll have done is moved to cryptographic algorithms with stronger mathematical underpinnings.
These post-quantum algorithms are new. Are we sure they aren't broken?
We're wary of this too. Though post-quantum key agreement algorithms have received a lot of concerted cryptographic attention over the last few years, it's possible that new attacks might be found.
To defend against this happening we have selected post-quantum algorithms with good safety margins. This means that even if they turn out to be weaker than expected they are still likely to be strong enough to be considered fit for purpose.
Additionally, all the post-quantum algorithms implemented by OpenSSH are "hybrids" that combine a post-quantum algorithm with a classical algorithm. For example mlkem768x25519-sha256 combines ML-KEM, a post-quantum key agreement scheme, with ECDH/x25519, a classical key agreement algorithm that was formerly OpenSSH's preferred default. This ensures that the combined, hybrid algorithm is no worse than the previous best classical algorithm, even if the post-quantum algorithm turns out to be completely broken by future cryptanalysis.
Malicious npm packages posing as Telegram bot libraries install SSH backdoors and exfiltrate data from Linux developer machines.
In the last few days, many Tor relay operators - mainly hosting relay nodes on providers like Hetzner - began receiving abuse notices.
All the abuses reported many failed SSH login attempts - part of a brute force attack - coming from their Tor relays.
Tor relays normally only transport traffic between a guard and an exit node of the Tor network, and per-se should not perform any SSH connections to internet-facing hosts, let alone performing SSH brute force attacks.
Aqua Nautilus researchers discovered a new variant of Gafgyt targeting machines with weak SSH passwords.
In this article, we analyze XZ backdoor behavior inside OpenSSH, after it has achieved RSA-related function hook.
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.
This article describes a minor security flaw in the SSH authentication protocol that can lead to unexpected private infrastructure disclosure. It also provides a PoC written in Python.
Did you download Warbeast2000 or Kodiak2k from npm? If so, your SSH keys might be compromised! These packages steal keys & upload them to GitHub.
Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels.
Academic researchers developed a new attack called Terrapin that manipulates sequence numbers during the handshake process to breaks the SSH channel integrity when certain widely-used encryption modes are used.
An error as small as a single flipped memory bit is all it takes to expose a private key.
The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.
