“All the post-quantum algorithms implemented by OpenSSH are ‘hybrids’ that combine a post-quantum algorithm with a classical algorithm,” ensuring the hybrid is never weaker than classical alternatives alone.
OpenSSH 10.0 now defaults to post-quantum key exchange. Version 10.1 will start warning users about “store now, decrypt later” attacks. Smart move. Nation states are absolutely hoarding encrypted traffic for future quantum decryption. The 5-20 year timeline for quantum computers means today’s SSH sessions could be readable within a decade.