On Sat, Oct 25, 2025 at 12:15 AM Clark Boylan <cboylan@sapwetik.org> wrote:
> On Fri, Oct 24, 2025, at 1:59 PM, Maksim Malchuk wrote:
>> Hi Jean-Philippe,
>>
>> Very interesting topic. OpenStack and their code/libraries are well covered in this wiki post, but how about the infrastructure (for example SSH servers, installed via OS packages on the Cloud hosts)?
>
> OpenSSH 10 will use mlkem768x25519-sha256 for key agreement by default. Earlier versions of OpenSSH have some support for these algorithms, but it looks like version 10 is where you should start to see them used by default.

OpenSSH 10 is a great solution, but the question is how to deal with current OSes. For example, Ubuntu 24.04 (current LTS) still uses OpenSSH 9.6, but MLKEM support was added only in OpenSSH 9.9. Should we use backports, or wait for 25.04 support in deployment tools and do an upgrade?

>> What about OpenStack development (for example SSH server behind the Gerrit Code Review system)?
>
> Gerrit uses the MINA SSHD, which added support for ML-KEM in version 2.15.0 via Bouncy Castle. Gerrit 3.12 includes MINA SSHD 2.15.0.

--
Regards, Maksim Malchuk
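
An added example, not part of the thread or written by its participants: to audit which of your own SSH endpoints (OpenSSH or MINA SSHD) advertise a hybrid post-quantum key exchange, parse the unencrypted SSH_MSG_KEXINIT packet (RFC 4253, sections 6 and 7.1) captured from the server and check its `kex_algorithms` list. The function names and the sample packet builder are constructed for illustration; `sntrup761x25519-sha512@openssh.com` is an OpenSSH hybrid name that the thread itself does not mention.

```python
import struct

SSH_MSG_KEXINIT = 20
# Hybrid post-quantum KEX names; the first is the one named in the thread.
PQ_KEX = ("mlkem768x25519-sha256", "sntrup761x25519-sha512@openssh.com")
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def unwrap_packet(packet: bytes) -> bytes:
    """Strip unencrypted binary-packet framing: length, padding length, padding."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    pkt_len, pad_len = struct.unpack(">IB", packet[:5])
    if pkt_len + 4 > len(packet) or pad_len + 1 > pkt_len:
        raise ValueError("inconsistent packet/padding length")
    return packet[5:4 + pkt_len - pad_len]

def parse_kexinit(payload: bytes) -> dict:
    """Return the ten KEXINIT name-lists, bounds-checking every length field."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}  # skip message type byte and 16-byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("name-list overruns payload")
        raw = payload[off:off + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        off += n
    return out

def pq_kex_offered(payload: bytes) -> list:
    """Hybrid PQ algorithms advertised, in the peer's preference order."""
    return [k for k in parse_kexinit(payload)["kex_algorithms"] if k in PQ_KEX]

def build_kexinit(kex: list) -> bytes:
    """Constructed sample: a framed KEXINIT advertising the given KEX list."""
    lists = [",".join(kex)] + ["none"] * 7 + ["", ""]
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    body += b"".join(struct.pack(">I", len(s)) + s.encode() for s in lists)
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - (len(body) + 5) % 8
    pad += 8 if pad < 4 else 0              # RFC 4253 requires >= 4 padding bytes
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + bytes(pad)
```

An empty result from `pq_kex_offered` for a host means a client cannot negotiate a hybrid exchange with it regardless of the client's own version.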