With the rise of quantum computers, our current asymmetric (public key) cryptography will become insecure. Shor’s algorithm running on a powerful quantum computer will be able to “crack” our public key cryptography. The time to start using quantum resistant cryptography is now! In this post, we’ll show you how to start using experimental quantum resistant key exchange in OpenSSH on Debian 10. We didn’t test this on other distributions or Debian versions, so you may need to modify our steps.
OpenSSH 8.0 was released with an experimental quantum resistant key exchange method called sntrup4591761x25519-sha512@tinyssh.org (weird name). More information on NTRU primes can be found here. Before you ask, no, you don’t need a quantum computer to deploy quantum resistant cryptography. It’s a common misconception, so don’t worry. 🙂
Now to get the ball rolling we’ll need to make sure you have apt-transport-https installed. Run this command (prefix it with sudo if necessary).
apt install apt-transport-https
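You’ll now need to run these commands separately to have apt prefer stable packages, but allow openssh to be installed from the testing repository. This will allow you to get the latest version of openssh-server and openssh-client. The Pin-Priority values shown here are assumed; what matters is that the testing pin for the OpenSSH packages outranks the stable pin, and that the stable pin outranks apt’s default priority of 500.
cat <<EOF > /etc/apt/preferences.d/stable.pref
Package: *
Pin: release a=stable
Pin-Priority: 900
EOF
cat <<EOF > /etc/apt/preferences.d/openssh.pref
Package: openssh-client openssh-server openssh-sftp-server runit-helper
Pin: release a=testing
Pin-Priority: 990
EOF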
Add the testing repository with this command (if you don’t already have it enabled).
cat <<EOF > /etc/apt/sources.list.d/testing.list
deb https://deb.debian.org/debian/ testing main contrib non-free
deb-src https://deb.debian.org/debian/ testing main contrib non-free
EOF
Perfect, you can now run:
apt update; apt upgrade openssh-server
Now you should have OpenSSH 8.0+!
Your OpenSSH client will also need to be running OpenSSH 8.0+ for this to work. You’ll need to do the same steps on your workstation if you’re running Debian 10, but run this command instead.
apt update; apt upgrade openssh-client
Onto the configuration. You can modify your /etc/ssh/sshd_config on your server to match ours or simply modify the KexAlgorithms line to match this. You will also need to add this line to your SSH client config in /etc/ssh/ssh_config on your local computer.
KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Now once you’ve done all that, restart sshd on your server! You can verify that it’s using the new KEX by adding the -v flag to your SSH command when you SSH into your server again. You’ll want to look for the line that says debug1: kex: algorithm.
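A small check for the verification step above, added here as an example (not part of the original post): it reads ssh -v output and tells the NTRU Prime hybrid apart from a silent fallback to one of the classical algorithms that the KexAlgorithms line also allows. The sample debug lines are constructed, and user@server.example is a placeholder.

```sh
#!/bin/sh
# Added example: report which key exchange an SSH session negotiated.
# Name of the experimental hybrid KEX shipped in OpenSSH 8.0.
PQ_KEX='sntrup4591761x25519-sha512@tinyssh.org'

# negotiated_kex: read `ssh -v` debug output on stdin and print the
# algorithm from the first "debug1: kex: algorithm: ..." line.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | tr -d '\r' | head -n 1
}

# check_kex: read `ssh -v` output on stdin.
#   returns 0 if the quantum resistant hybrid was negotiated
#   returns 1 if the session fell back to another (classical) KEX
#   returns 2 if no kex line was present (e.g. -v was not used)
check_kex() {
    kex=$(negotiated_kex)
    case "$kex" in
        "$PQ_KEX") echo "OK: negotiated $kex"; return 0 ;;
        "")        echo "UNKNOWN: no 'kex: algorithm' line found"; return 2 ;;
        *)         echo "FALLBACK: negotiated $kex, not $PQ_KEX"; return 1 ;;
    esac
}

# Constructed samples of `ssh -v` output (not captured from a real host).
SAMPLE_PQ='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup4591761x25519-sha512@tinyssh.org
debug1: kex: host key algorithm: ssh-ed25519'

# What an older client or server produces: the connection still works,
# but only classical curve25519 protects the key exchange.
SAMPLE_FALLBACK='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519'

printf '%s\n' "$SAMPLE_PQ" | check_kex
printf '%s\n' "$SAMPLE_FALLBACK" | check_kex || true

# Live use (ssh writes debug output to stderr, hence 2>&1):
#   ssh -v user@server.example exit 2>&1 | check_kex
# Local support can be confirmed first with:
#   ssh -Q kex | grep -Fx "$PQ_KEX"
```

A FALLBACK result means one side does not offer the hybrid; check the OpenSSH version and the KexAlgorithms line on both the client and the server.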
We’re here to assist you
Need help with all of this? Reach out on Twitter or send us an email!
support [@] ulayer.net