Gerrit's SSH server is not using a post-quantum key exchange algorithm
60 views
Skip to first unread message
Oliver Smith
Nov 12, 2025, 9:09:06 AM (6 days ago) Nov 12
to repo-d...@googlegroups.com
Hello,
when connecting with OpenSSH_10.2p1 (as in Alpine Linux edge, Arch
Linux, etc.) to a self-hosted Gerrit 3.11.7 instance, then the following
warning gets printed:
> ** WARNING: connection is not using a post-quantum key exchange
algorithm.
> ** This session may be vulnerable to "store now, decrypt later" attacks.
> ** The server may need to be upgraded. See https://openssh.com/pq.html
Gerrit 3.11.7 uses Apache MINA sshd 2.14.0, which already supports the
post-quantum key exchange algorithm sntrup761x25519-sha512. However it
doesn't seem possible to enable it via gerrit.config. I have tried:
[sshd]
kex = +sntrup761x25519-sha512
The Gerrit documentation for gerrit.config doesn't list this algorithm
either (even on current master).
Reproducer:
$ podman run --rm -it alpine:edge sh
/ # apk add openssh-client
/ # ssh -p 29418 self-hosted-gerrit
Is there another way to configure this, or can this be fixed upstream?
Thanks!
PS: I would have reported this in the bug tracker, but got:
"You do not have permission to create issues in this component."
Best regards,
Oliver
--
- Oliver Smith <osm...@sysmocom.de> https://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Siemensstr. 26a
* 10551 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschaeftsfuehrer / Managing Director: Harald Welte
when connecting with OpenSSH_10.2p1 (as in Alpine Linux edge, Arch
Linux, etc.) to a self-hosted Gerrit 3.11.7 instance, then the following
warning gets printed:
> ** WARNING: connection is not using a post-quantum key exchange
algorithm.
> ** This session may be vulnerable to "store now, decrypt later" attacks.
> ** The server may need to be upgraded. See https://openssh.com/pq.html
Gerrit 3.11.7 uses Apache MINA sshd 2.14.0, which already supports the
post-quantum key exchange algorithm sntrup761x25519-sha512. However it
doesn't seem possible to enable it via gerrit.config. I have tried:
[sshd]
kex = +sntrup761x25519-sha512
The Gerrit documentation for gerrit.config doesn't list this algorithm
either (even on current master).
Reproducer:
$ podman run --rm -it alpine:edge sh
/ # apk add openssh-client
/ # ssh -p 29418 self-hosted-gerrit
Is there another way to configure this, or can this be fixed upstream?
Thanks!
PS: I would have reported this in the bug tracker, but got:
"You do not have permission to create issues in this component."
Best regards,
Oliver
--
- Oliver Smith <osm...@sysmocom.de> https://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Siemensstr. 26a
* 10551 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschaeftsfuehrer / Managing Director: Harald Welte
Daniele Sassoli
Nov 12, 2025, 11:21:22 AM (6 days ago) Nov 12
to Repo and Gerrit Discussion
Hi Oliver
On Wednesday, 12 November 2025 at 14:09:06 UTC Oliver wrote:
Hello,
when connecting with OpenSSH_10.2p1 (as in Alpine Linux edge, Arch
Linux, etc.) to a self-hosted Gerrit 3.11.7 instance, then the following
warning gets printed:
> ** WARNING: connection is not using a post-quantum key exchange
algorithm.
> ** This session may be vulnerable to "store now, decrypt later" attacks.
> ** The server may need to be upgraded. See https://openssh.com/pq.html
Interesting, I don't remember seeing this in the past, weird nobody has reported it yet.
Gerrit 3.11.7 uses Apache MINA sshd 2.14.0, which already supports the
post-quantum key exchange algorithm sntrup761x25519-sha512. However it
doesn't seem possible to enable it via gerrit.config. I have tried:
[sshd]
kex = +sntrup761x25519-sha512
The Gerrit documentation for gerrit.config doesn't list this algorithm
either (even on current master).
Reproducer:
$ podman run --rm -it alpine:edge sh
/ # apk add openssh-client
/ # ssh -p 29418 self-hosted-gerrit
Is there another way to configure this, or can this be fixed upstream?
Thanks!
PS: I would have reported this in the bug tracker, but got:
"You do not have permission to create issues in this component."
This is definetly not clear enough, but in order to reduce spamming on the issue
tracker, only people that can post to this mailig list are also allowed to raise
issues. I believe this is your first post here,as I personally approved your
account not long ago, as you don't look like a spammer, ahah. You should now
have permissions to raise issues on the issue tracker too, please let us know if
not.
tracker, only people that can post to this mailig list are also allowed to raise
issues. I believe this is your first post here,as I personally approved your
account not long ago, as you don't look like a spammer, ahah. You should now
have permissions to raise issues on the issue tracker too, please let us know if
not.
Oliver
Nov 13, 2025, 3:38:19 AM (5 days ago) Nov 13
to Repo and Gerrit Discussion
Hi Daniele,
On Wednesday, November 12, 2025 at 5:21:22 PM UTC+1 Daniele Sassoli wrote:
This is definetly not clear enough, but in order to reduce spamming on the issue
tracker, only people that can post to this mailig list are also allowed to raise
issues. I believe this is your first post here,as I personally approved your
account not long ago, as you don't look like a spammer, ahah. You should now
have permissions to raise issues on the issue tracker too, please let us know if
not.
Best regards,
Oliver
Reply all
Reply to author
Forward
0 new messages