How to use quantum resistant cryptography with OpenSSH on Debian

  • by

With the rise of quantum computers, our current asymmetric (public key cryptography) will become insecure. Shor’s algorithm running on a powerful quantum computer will be able to “crack” our public key cryptography. The time to start using quantum resistant cryptography is now! In this post, we’ll show you how to start using experimental quantum resistant key exchange in OpenSSH on Debian 10. We didn’t test this on other distributions or Debian versions, so you may need to modify our steps.

OpenSSH 8.0 released with an experimental quantum resistant key exchange method called sntrup4591761x25519-sha512@tinyssh.org (weird name). More information on NTRU primes can be found here. Before you ask, no, you don’t need a quantum computer to deploy quantum resistant cryptography. It’s a common misconception, so don’t worry. 🙂

The Steps!

Now to get the ball rolling we’ll need to make sure you have apt-transport-https installed. Run this command (sudo before it if necessary).

apt install apt-transport-https

You’ll now need to run these commands separately to have apt prefer stable packages, but allow openssh to be installed from the testing repository. This will allow you to get the latest version of openssh-server and openssh-client.

cat <<EOF > /etc/apt/preferences.d/stable.pref
Package: *
Pin: release a=stable
Pin-Priority: 800
EOF


cat <<EOF > /etc/apt/preferences.d/openssh.pref
Package: openssh-client openssh-server openssh-sftp-server runit-helper
Pin: release a=testing
Pin-Priority: 900
EOF


Put in the testing repository with this command (if you don’t already have it enabled).

cat <<EOF > /etc/apt/sources.list.d/testing.list
deb https://deb.debian.org/debian/ testing main contrib non-free
deb-src https://deb.debian.org/debian/ testing main contrib non-free
EOF


Perfect, you now can run;

apt update; apt upgrade openssh-server

Now you should have OpenSSH 8.0+!

Your OpenSSH client will also need to be running OpenSSH 8.0+ for this to work. You’ll need to do the same steps on your workstation if you’re running Debian 10, but run this command instead.

apt update; apt upgrade openssh-client

The Configuration!

Onto the configuration. You can modify your /etc/ssh/sshd_config on your server to match ours or simply modify the KexAlgorithms line to match this. You will also need to add this line to your SSH client config in /etc/ssh/ssh_config on your local computer.

KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Now once you’ve done all that, restart sshd on your server! You can verify that it’s using the new KEX by adding the -v flag to your SSH command when you SSH into your server again. You’ll want to look for the line that says debug1: kex: algorithm.

We’re here to assist you

Need help with all of this? Reach out on Twitter or send us an email!

support [@] ulayer.net

Leave a Reply

Your email address will not be published. Required fields are marked *