According to the release notes:
crypto-policies now supports enabling post-quantum cryptography in LEGACY, DEFAULT, FUTURE, and FIPS cryptographic policies. Apply the PQ sub-policy to enable post-quantum cryptography, for example: sudo update-crypto-policies --set DEFAULT:PQ
More information can be found here: https://docs.aws.amazon.com/linux/al2023/ug/crypto-policies-pq.html
Among the details is this:
After applying the PQ subpolicy, hybrid post-quantum key exchange using the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and post-quantum digital signatures using the Module-Lattice-Based Digital Signature Standard (ML-DSA) will be enabled in the LEGACY, DEFAULT, FUTURE, or FIPS cryptographic policies.
sudo update-crypto-policies --set DEFAULT:PQ does enable the following line in /etc/crypto-policies/back-ends/opensshserver.config:
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
On my local machine, ssh -Q kex | grep -E 'sntrup|mlkem' results in:
sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256
On the AL2023.12.* server, running this: sudo sshd -T | tr ',' '\n' | grep -E 'sntrup|mlkem' results in no output (meaning the configuration is correct), but no PQ algorithms are present.
Indeed, ssh-ing into the box from my local results in the usual warning message:
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
I'm assuming the issue is with OpenSSH running on the server. It is version OpenSSH_8.7p1. From my understanding, we need to be running v9 or later, but this is not part of the standard AL2023 offering, rendering the release of crypto-policies moot.
Please advise.
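
An added example (not part of the original post) of the check described above: it reads only the `kexalgorithms` line of `sshd -T` output and applies the SSH rule that the first algorithm in the client's list that the server also lists is the one used. The sample `sshd -T` lines and the client preference order are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data (not captured from a real host).
SAMPLE_SSHD_T='port 22
gssapikexalgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'
SAMPLE_CLIENT_KEX='mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256'

# True for the hybrid post-quantum KEX names listed in the post.
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `sshd -T` output on stdin; print only the kexalgorithms value,
# so the separate gssapikexalgorithms line is never mistaken for it.
server_kex() {
    awk '$1 == "kexalgorithms" { print $2; exit }'
}

# negotiate_kex CLIENT_CSV SERVER_CSV
# SSH picks the first name in the client's list that the server also lists.
negotiate_kex() {
    nk_client=$1; nk_server=$2
    nk_ifs=$IFS; IFS=,
    for nk_c in $nk_client; do
        for nk_s in $nk_server; do
            if [ "$nk_c" = "$nk_s" ]; then
                IFS=$nk_ifs; printf '%s\n' "$nk_c"; return 0
            fi
        done
    done
    IFS=$nk_ifs
    return 1
}

# check_pq CLIENT_CSV < sshd-T-output
# Exit 0: PQ KEX negotiated; 1: classical KEX; 2: no common algorithm.
check_pq() {
    cp_alg=$(negotiate_kex "$1" "$(server_kex)") || { echo "negotiated=none pq=no"; return 2; }
    if is_pq_kex "$cp_alg"; then
        echo "negotiated=$cp_alg pq=yes"
    else
        echo "negotiated=$cp_alg pq=no"; return 1
    fi
}

printf '%s\n' "$SAMPLE_SSHD_T" | check_pq "$SAMPLE_CLIENT_KEX" || true
```

On a real server, pipe the output of `sudo sshd -T` into `check_pq` in place of the sample text.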