OpenSSH will start warning users when connections don’t use post‑quantum key exchange

What’s changing

OpenSSH will begin showing a warning in version 10.1 when an SSH connection falls back to a non‑post‑quantum (non‑PQC) key agreement algorithm. The project has been nudging the ecosystem toward quantum‑resistant KexAlgorithms for years: PQ key agreement was offered by default starting in OpenSSH 9.0 (April 2022) via sntrup761x25519‑sha512, and OpenSSH 9.9 added mlkem768x25519‑sha256, which became the default in OpenSSH 10.0 (April 2025). The warning is enabled by default but may be disabled with the WarnWeakCrypto option in ssh_config(5).

Why this matters

A quantum computer is a device that manipulates information in quantum states and could, allegedly, quickly solve particular problems that stump classical machines. It has been reported that estimates for when a “cryptographically‑relevant” quantum computer might arrive range from about 5–20 years, with many observers pointing to the mid‑2030s. The uncomfortable truth: the entire privacy of an SSH session rests on the key agreement. An attacker who can break that math can decrypt whole sessions — not necessarily now, but later. “Store now, decrypt later” is not a scare‑phrase; it’s a playbook.

What admins should do

If you care about long‑term confidentiality — and you should — check your KexAlgorithms and update clients and servers to use the OpenSSH PQ defaults. OpenSSH has supported post‑quantum key agreement since 9.0 and made it the default in 10.0 precisely to blunt “harvest now, decrypt later” risks. Need an escape hatch? Fine: the WarnWeakCrypto toggle exists. But don’t treat it like a shrug.

This is part of a larger trend: software vendors are quietly hardening defaults before quantum becomes a headline. Think of this as buying insurance for a storm that may not hit this afternoon, but could wreck your house in a decade. Are you ready?

Sources: openssh.com, Lobsters