SSH into L5 (Byzantium)

Yesterday I had to update my MacBook to MacOS 26.5.1, and on SSH from it into the L5 via USB tethering it now said:

$ ssh purism@10.42.0.1
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux pureos 6.6.0-1-librem5 #2 SMP PREEMPT 6.6.139pureos1 2026-05-16 18:17:42 UTC aarch64
Last login: Mon Jun  8 11:15:22 2026 from 10.42.0.18
OK
inhibiting suspend ...
purism@pureos:~$

The explanation I got from AI was that future post-quantum servers could break into such sessions.

Its recommendation was:

How to Fix or Suppress It

  1. Upgrade the Server (Recommended)
    If you manage the server you are connecting to, upgrade the OS and OpenSSH to version 9.9 or higher to enable modern key exchange algorithms like mlkem768x25519-sha256 or sntrup761x25519-sha512.

  2. Suppress the Warning on Your Client Machine
    If you cannot upgrade the server (e.g., connecting to services like Bitbucket or Microsoft Azure DevOps), you can silence the warning on your local computer. Open your ~/.ssh/config file and add the following lines:

vim ~/.ssh/config

Host *
  IgnoreUnknown WarnWeakCrypto
  WarnWeakCrypto no-pq-kex

Yes, that is the meaning of “store now, decrypt later”.

An attacker could record the entire encrypted SSH session now, storing it until such time in the future when the key exchange algorithm (presumably Diffie-Hellman) can be broken by a Quantum Computer. Then, from the now broken encryption the attacker may be able to extract a plaintext password (although apparently you are not using one) but in any case break the confidentiality of the SSH session.

The whole thing is less of an issue with a local session (as is apparently the case, given the 10/8 IP address). If someone is recording your local network sessions then you may already have a fairly serious security problem. It is much more of an issue for SSH sessions over the public internet.

Since byzantium is basically not the official release now, you should upgrade to crimson. I don’t know what version of the SSH server that will get you but for sure that upgrade is a starting point i.e. see whether the warning goes away once the phone is running crimson.
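Added example, not part of either post above: one way to check "whether the warning goes away" after the upgrade is to read the key exchange out of `ssh -vv` debug output instead of relying on the banner. The function names and the sample debug lines are constructed for illustration; the algorithm names are the ones quoted in the thread plus the older `@openssh.com`-suffixed sntrup761 name.

```shell
#!/bin/sh
# Classify a KEX algorithm name as post-quantum hybrid or classical.
kex_class() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com)
            echo pq ;;
        "") echo unknown ;;
        *)  echo classical ;;
    esac
}

# Read `ssh -vv` debug output on stdin and report the negotiated KEX, its
# class, and any PQ algorithms in the server's own KEXINIT proposal.
# (The server proposal is only printed at -vv; with -v it shows as "none".)
audit_kex() {
    tr -d '\r' | awk '
        /peer server KEXINIT proposal/ { peer = 1 }
        peer && /KEX algorithms: / { sub(/.*KEX algorithms: /, ""); offered = $0; peer = 0 }
        /kex: algorithm: /         { sub(/.*kex: algorithm: /, ""); negotiated = $0 }
        END { print negotiated; print offered }
    ' | {
        # This group runs in the pipeline's subshell, so the IFS change stays local.
        IFS= read -r negotiated
        IFS= read -r offered
        server_pq=
        IFS=,
        for alg in $offered; do
            if [ "$(kex_class "$alg")" = pq ]; then
                server_pq="${server_pq:+$server_pq,}$alg"
            fi
        done
        echo "negotiated=${negotiated:-none} class=$(kex_class "$negotiated") server_pq=${server_pq:-none}"
    }
}

# Constructed sample of `ssh -vv` output for a server without PQ key exchange.
sample_debug() {
    cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
EOF
}

# Real use: ssh -vv purism@10.42.0.1 exit 2>&1 | audit_kex
sample_debug | audit_kex
```

A `server_pq=none` result means the server itself offers no post-quantum key exchange, so only a server-side upgrade changes the outcome; the client-side `WarnWeakCrypto` setting hides the message without changing the negotiated algorithm.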