Not sure if this is just coincidence or somehow related to me having just swapped in a larger external USB drive for my Diet-Pi (Pi4 B) based Plex server setup… but I’m getting this note when I try to SSH in from my Mac:
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to “store now, decrypt later” attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
I can proceed with my password despite the warning, and all is fine. My server and Pi and Plex operate fine. That said, I should give this note some attention.
So, can someone enlighten me how specifically my server might need to be upgraded? According to what I can tell, my DietPi install is already up to date.
The openssh.com link from the note gives me this:
I received a warning from ssh that directed me to this page. What should I do?
As mentioned above, OpenSSH 10.1 started warning users when connections use cryptography that is not safe against quantum computers. If you received such a warning, it means that the server you connected to did not offer one of the two post-quantum key agreement algorithms that are being standardised for the SSH protocol: mlkem768x25519-sha256 and sntrup761x25519-sha512.
The ideal solution is to update the server to use an SSH implementation that supports at least one of these. OpenSSH versions 9.0 and greater support sntrup761x25519-sha512 and versions 9.9 and greater support mlkem768x25519-sha256. If your server is already running one of these versions, then check whether the KexAlgorithms option has disabled their use.
If you are unable to update the server and/or you prefer to accept the risk of continuing to use quantum-unsafe cryptography then the warning may be silenced via the WarnWeakCrypto option in ssh_config(5). We recommend doing this selectively, for example:
Match host unsafe.example.com
WarnWeakCrypto no
That explains a bit but I still need some guidance on whether I really need to upgrade something, set this to ignore… or if this is something new that will be handled in due time by a DietPi update.
Any insight would be helpful. Thanks
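The check described in the quoted openssh.com text (does the server's effective KexAlgorithms list include either post-quantum algorithm), as an added example that is not part of the original post or of OpenSSH's documentation. It parses `sshd -T` style output; the helper name, the sample configs and the `@openssh.com` spelling of the sntrup name are assumptions added here.

```shell
#!/bin/sh
# Post-quantum key exchange names from the openssh.com text quoted above.
# The "@openssh.com" spelling is the vendor-suffixed sntrup name used by
# older OpenSSH releases (added here as an assumption; not on the page).
PQ_KEX="mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com"

# pq_kex_offered CONFIG_TEXT  (hypothetical helper name)
# CONFIG_TEXT is the server's effective config as printed by `sshd -T`.
# Prints each post-quantum algorithm found on the kexalgorithms line.
# Returns 0 if at least one is offered, 1 if none, 2 if the line is missing.
pq_kex_offered() {
    kex_line=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "kexalgorithms" { print $2; exit }')
    [ -n "$kex_line" ] || return 2
    found_rc=1
    old_ifs=$IFS
    IFS=,                       # the algorithm list is comma-separated
    for alg in $kex_line; do
        case " $PQ_KEX " in
            *" $alg "*) printf '%s\n' "$alg"; found_rc=0 ;;
        esac
    done
    IFS=$old_ifs
    return "$found_rc"
}

# Constructed sample: a server whose list has no post-quantum algorithm.
SAMPLE_CLASSICAL='port 22
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'
# Constructed sample: a server offering both algorithms named on the page.
SAMPLE_PQ='port 22
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256'

pq_kex_offered "$SAMPLE_CLASSICAL" || echo "classical sample: none offered, client would warn"
pq_kex_offered "$SAMPLE_PQ" >/dev/null && echo "pq sample: post-quantum kex offered"
# On the server itself (needs root): pq_kex_offered "$(sshd -T)"
```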