To: freebsd-security@freebsd.org
From: Christian Weisgerber
Newsgroups: list.freebsd.security
Subject: Post-quantum crypto now in SSH
Date: Thu, 10 Feb 2022 15:46:27 -0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Ed Maste has MFCed OpenSSH 8.7 to 13-STABLE, so I thought I'd point out a new feature.

If you are concerned that adversaries might record SSH sessions and later decrypt them should quantum computers become practical in a number of years, well, you can take action now:

    KexAlgorithms ^sntrup761x25519-sha512@openssh.com

This key exchange algorithm combines sntrup761 and x25519 (aka curve25519). The strength of the combined algorithm is determined by the stronger component. sntrup761 should be able to withstand attacks by quantum computers, but has not been as thoroughly researched. x25519 is a classical algorithm and vulnerable to quantum attack, but it is well established (it's already the default SSH KEX).

There is no downside to enabling this KEX, other than a slightly larger overhead when a connection is established. This is measurable but not noticeable on a machine as slow as a PCEngines APU2.

For the server, add

    KexAlgorithms +sntrup761x25519-sha512@openssh.com

to /etc/ssh/sshd_config. (This will no longer be necessary starting with OpenSSH 8.9.)

For the client, add

    KexAlgorithms ^sntrup761x25519-sha512@openssh.com

to ~/.ssh/config.
Note that the code has been in OpenSSH since 8.5, so there are any number of non-FreeBSD machines where this can also be enabled.

--
Christian "naddy" Weisgerber                          naddy@mips.inka.de
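The post uses "+" on the server and "^" on the client. The added example below (not from the post or from OpenSSH) models the ssh_config(5) prefix semantics and the RFC 4253 negotiation rule to show why that combination yields the post-quantum KEX: the client's preference order decides, so "^" on the client is what matters, while the server only needs to support the algorithm. The DEFAULT_KEX list is a constructed approximation of the OpenSSH 8.7 defaults; verify the real one with `ssh -Q kex` and `sshd -T`.

```python
"""Model OpenSSH KexAlgorithms prefixes ('+', '^', '-') and SSH KEX negotiation."""
import fnmatch

# Constructed approximation of the OpenSSH 8.7 default KEX order (assumption;
# check the real list with `ssh -Q kex` and `sshd -T | grep kexalgorithms`).
DEFAULT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]
PQ_KEX = "sntrup761x25519-sha512@openssh.com"


def apply_kex_directive(value, default=DEFAULT_KEX):
    """Apply a KexAlgorithms value as ssh_config(5) describes it: '+' appends to
    the defaults, '^' prepends (making the names preferred), '-' removes
    matching patterns, and a bare list replaces the defaults. Duplicates are
    skipped, as OpenSSH does when it assembles the list."""
    prefix, body = (value[0], value[1:]) if value and value[0] in "+^-" else ("", value)
    names = [n for n in body.split(",") if n]
    if prefix == "+":
        return default + [n for n in names if n not in default]
    if prefix == "^":
        return names + [n for n in default if n not in names]
    if prefix == "-":
        return [n for n in default if not any(fnmatch.fnmatchcase(n, p) for p in names)]
    return names


def negotiate_kex(client, server):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also supports is chosen; the server's own order does not matter."""
    for name in client:
        if name in server:
            return name
    raise ValueError("no common key exchange algorithm")


if __name__ == "__main__":
    server = apply_kex_directive("+" + PQ_KEX)  # sshd_config line from the post
    client = apply_kex_directive("^" + PQ_KEX)  # ~/.ssh/config line from the post
    print("negotiated with client '^':", negotiate_kex(client, server))
    # A client that merely appends ('+') keeps preferring curve25519-sha256:
    print("negotiated with client '+':", negotiate_kex(apply_kex_directive("+" + PQ_KEX), server))
```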