Skip to content

[Bug] - 2023.12.20260608 Missing PQ Crypto Algorithms #1107

Description

@EvilJordan

According to the release notes:

crypto-policies now supports enabling post-quantum cryptography in LEGACY, DEFAULT, FUTURE, and FIPS cryptographic policies. Apply the PQ sub-policy to enable post-quantum cryptography, for example: sudo update-crypto-policies --set DEFAULT:PQ

More information can be found here: https://docs.aws.amazon.com/linux/al2023/ug/crypto-policies-pq.html
Among the details is this:

After applying the PQ subpolicy, hybrid post-quantum key exchange using the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and post-quantum digital signatures using the Module-Lattice-Based Digital Signature Standard (ML-DSA) will be enabled in the LEGACY, DEFAULT, FUTURE, or FIPS cryptographic policies.

sudo update-crypto-policies --set DEFAULT:PQ does enable the following line in /etc/crypto-policies/back-ends/opensshserver.config:
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-

On my local machine, ssh -Q kex | grep -E 'sntrup|mlkem results in:

sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256

On the AL2023.12.* server, running this: sudo sshd -T | tr ',' '\n' | grep -E 'sntrup|mlkem' results in no output (meaning the configuration is correct), but no PQ algorithms are present.

Indeed, ssh-ing into the box from my local results in the usual warning message:

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

I'm assuming the issue is with openSSH running on the server. It is version OpenSSH_8.7p1. From my understanding, we need to be running v9 or later, but this is not part of the standard AL2023 offering, rendering the release of crypto-policies moot.

Please advise.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions