Page MenuHomePhabricator
Create Task
Maniphest T407557

OpenSSH 10.1+ warns that Wikimedia SSH does not use post-quantum key exchange algorithm
Open, LowPublic
Actions

Description

I get this warning when I push to Wikimedia Gitlab with OpenSSH 10.2p1:

$ ssh gitlab
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
PTY allocation request failed on channel 0
Welcome to GitLab, @lucaswerkmeister!
Connection to gitlab.wikimedia.org closed.

The algorithms supported by my client are:

debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-grou
p18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com

And the algorithms supported by the server are apparently:

$ nmap --script ssh2-enum-algos -sV -p 22 gitlab.wikimedia.org
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-16 21:41 +0200
Nmap scan report for gitlab.wikimedia.org (208.80.154.145)
Host is up (0.12s latency).
Other addresses for gitlab.wikimedia.org (not scanned): 2620:0:861:2:208:80:154:145

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (3)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (4)
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|       rsa-sha2-512
|       rsa-sha2-256
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes128-gcm@openssh.com
|       aes256-ctr
|       aes192-ctr
|       aes128-ctr
|   mac_algorithms: (6)
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-512
|       hmac-sha2-256
|       umac-128@openssh.com
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

According to https://www.openssh.com/pq.html, “OpenSSH has offered post-quantum key agreement (KexAlgorithms) by default since release 9.0 (April 2022)”, and nmap reports remote version 9.2; are we disabling post-quantum kex algorithms explicitly? (Or maybe it’s Debian?)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedNoneT393239 ProbeDown
 OpenNoneT407557 OpenSSH 10.1+ warns that Wikimedia SSH does not use post-quantum key exchange algorithm
 OpenNoneT407844 Gerrit ssh daemon does not offer post-quantum kex leading to a warning with OpenSSH 10
 OpenNoneT379714 Upgrade to Gerrit 3.11
 OpenNoneT392465 Switch Gerrit from Java 17 to Java 21
 OpenNoneT392464 Upgrade Gerrit hosts from Bullseye to Bookworm
 ResolvedABran-WMFT387833 Gerrit switchover process
 OpenNoneT388507 Investigate missing commit from old changes
 ResolvedABran-WMFT260666 Create a cookbook to automate gerrit's switchover
 ResolvedABran-WMFT393050 ProbeDown
 ResolvedMatthewVernonT392186 Grant Gerrit admin to arnaudb
 ResolvedLSobanskiT393034 Investigate out of date refs following gerrit switchover
 ResolvedABran-WMFT395440 Gerrit read-only plugin test
 OpenABran-WMFT406334 Gerrit switchover between secondary instances
 ResolvedLSobanskiT406482 SystemdUnitFailed (jenkins.service on contint1002)
 ResolvedhasharT406762 gerrit2003 is trying to backup incrementally 3.5 million files every hour, clogging backus and filling in available disk space
 ResolvedABran-WMFT411583 Gerrit backups are growing
 ResolvedhasharT406856 Reduce size of analytics/superset/deploy.git Gerrit repo
Restricted Task
 ResolvedABran-WMFT412779 Gerrit failover process
 OpenABran-WMFT417246 Reimage gerrit1003
 ResolveddancyT417767 scap error on Gerrit first setup
 ResolvedABran-WMFT417777 SystemdUnitFailed - apache2.service on gerrit1003:9100
 OpenABran-WMFT417247 Reimage gerrit2002
 OpenNoneT417279 Harmonize DNS on all gerrit instances
 ResolvedABran-WMFT417565 GerritHAProxyBackendUnavailable
 ResolvedABran-WMFT417566 GerritHAProxyServiceUnavailable
 ResolvedDzahnT372804 setup gerrit2003 with gerrit service (gerrit on bookworm)
 In ProgressABran-WMFT338470 Rename gerrit2 unix user to gerrit and assign a fixed uid
 ResolvedDzahnT379213 PuppetFailure - gerrit2003
 OpenNoneT417642 Rename gerrit2 Gerrit user to gerrit in the administrator group
 OpenNoneT333143 Move Gerrit data out of root partition
 ResolvedMarosteguiT388785 SSH on gerrit2003 is CRITICAL: CRITICAL
 ResolvedDzahnT374899 PuppetFailure - gerrit2003
 OpenNoneT257317 scap deploy --init on deployment server fails on first puppet run
Restricted Task
 ResolvedDzahnT402847 ProbeDown - gerrit1003
 ResolvedABran-WMFT403347 ProbeDown
 ResolvedABran-WMFT403963 ProbeDown - http_gerrit_tls_ip4 gerrit2003
 ResolvedABran-WMFT404070 ProbeDown - http_gerrit_tls_ip4 gerrit2003.
 OpenNoneT408416 GitLab ssh daemon does not offer post-quantum kex leading to a warning with OpenSSH 10

Event Timeline

LucasWerkmeister created this task.Oct 16 2025, 7:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 16 2025, 7:45 PM
LucasWerkmeister added a comment.Oct 16 2025, 7:53 PM
me@host operations-puppet $ git grep curve25519-sha256@libssh.org
modules/gitlab/manifests/ssh.pp:    Array[String]              $kex_algorithms       = ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'],
modules/ssh/templates/sshd_config.erb:KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

So potentially this affects not just GitLab but also production SSH…

Lucas_Werkmeister_WMDE subscribed.Oct 17 2025, 9:07 AM
In T407557#11282964, @LucasWerkmeister wrote:

So potentially this affects not just GitLab but also production SSH…

Sure does:

$ ssh deployment.eqiad.wmnet
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux deploy2002 5.10.0-36-amd64 #1 SMP Debian 5.10.244-1 (2025-09-29) x86_64
Debian GNU/Linux 11 (bullseye)
deploy2002 is a Deployment server for all Wikimedia services (deployment_server::kubernetes)

So I guess let’s repurpose this task a bit. Not sure what the right tag for production SSH config is, I’ll just make a guess…

Lucas_Werkmeister_WMDE renamed this task from Wikimedia GitLab SSH does not use post-quantum key exchange algorithm to OpenSSH 10.1+ warns that Wikimedia SSH does not use post-quantum key exchange algorithm.Oct 17 2025, 9:08 AM
Lucas_Werkmeister_WMDE added a project: SRE.
Lucas_Werkmeister_WMDE added subscribers: jhathaway, MoritzMuehlenhoff.Oct 17 2025, 9:10 AM
In T407557#11282964, @LucasWerkmeister wrote:
me@host operations-puppet $ git grep curve25519-sha256@libssh.org
modules/gitlab/manifests/ssh.pp:    Array[String]              $kex_algorithms       = ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'],
modules/ssh/templates/sshd_config.erb:KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Though this was apparently based on an older puppet checkout I had – the second line was in fact removed by @jhathaway (CR by @MoritzMuehlenhoff) last week. I don’t know why I’m still seeing the warning for production SSH then o_O

cmooney triaged this task as Low priority.EditedOct 17 2025, 9:13 AM
cmooney added subscribers: MMuhlenhoff, cmooney.

Thanks Lucas_Werkmeister_WMDE. I'm not really sure this is a massive issue right now. It's not clear to me that ssh sessions logs from now will be hugely useful to an attacker many years in the future.

Medium-term we probably should move to quantum-secure ciphers but I'm not sure we need to be terribly concerned at the moment. @MMuhlenhoff is out for the next week but he may indeed be able to offer more insight.

Ladsgroup edited subscribers, added: Ladsgroup; removed: MMuhlenhoff.Oct 17 2025, 10:10 AM

(Wrong Mortiz)

Ladsgroup edited projects, added collaboration-services; removed SRE.Oct 17 2025, 10:25 AM

Assuming gitlab ssh config needs changing, this needs attention of collaboration-services team. Production seems to be handled already.

Lucas_Werkmeister_WMDE added a comment.Oct 17 2025, 10:29 AM
In T407557#11284684, @Ladsgroup wrote:

Production seems to be handled already.

No it isn’t, as shown in T407557#11284514. (Though I don’t understand why the warning is still shown.)

LSobanski added a project: Infrastructure-Foundations.Oct 17 2025, 11:21 AM
LSobanski subscribed.
Lucas_Werkmeister_WMDE added a project: Gerrit.Oct 17 2025, 2:46 PM

Also affects Gerrit:

$ git fetch
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
jhathaway added a comment.Oct 17 2025, 4:21 PM

deploy2002 is running bullseye, which has ssh 1:8.4p1-5+deb11u5, so it does not have any of the post quantum algorithms that were first added in 9.0.

gerrit1003 is also bullseye, but the issue is gerrit itself, rather than the openssh-server. I think gerrit uses, https://github.com/apache/mina-sshd, I'm not sure whether it supports any of the post quantum algorithms yet.

Lucas_Werkmeister_WMDE added a comment.Oct 17 2025, 4:42 PM
In T407557#11285825, @jhathaway wrote:

gerrit1003 is also bullseye, but the issue is gerrit itself, rather than the openssh-server. I think gerrit uses, https://github.com/apache/mina-sshd, I'm not sure whether it supports any of the post quantum algorithms yet.

According to #803 it gained support for mlkem768x25519-sha256 at some point, though I think that might not have made it into a proper release yet (only the upcoming 3.0.0-M2 if I’m not mistaken). Somewhat earlier, #498 added and #528 fixed sntrup761x25519-sha512; this was seemingly first released in sshd-2.13.2.

Paladox subscribed.Oct 17 2025, 5:36 PM
In T407557#11285825, @jhathaway wrote:

deploy2002 is running bullseye, which has ssh 1:8.4p1-5+deb11u5, so it does not have any of the post quantum algorithms that were first added in 9.0.

gerrit1003 is also bullseye, but the issue is gerrit itself, rather than the openssh-server. I think gerrit uses, https://github.com/apache/mina-sshd, I'm not sure whether it supports any of the post quantum algorithms yet.

https://github.com/apache/mina-sshd/commit/4f2ccf885292adde1d3a0d5f9abd9fb513b07688 I think added support for post quantum algorithms I think? Which gerrit 3.11 uses (uses version 2.14 which has that commit).

jhathaway added a comment.Oct 17 2025, 8:16 PM
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_3.10.6 (APACHE-SSHD-2.12.0)
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com

our version does not offer support for, sntrup761x25519-sha512, or mlkem768x25519-sha256

Jelto subscribed.Oct 20 2025, 3:40 PM
LSobanski added a project: Release-Engineering-Team.Oct 21 2025, 8:33 AM
LSobanski added a subscriber: hashar.

Summarizing what was said above, there are two parts to this request:

  • Host-deployed OpenSSH version, which should be resolved with the upgrade to Bookworm and above
  • Gerrit mina-ssh version, which should be resolved with the upgrade of Gerrit to 3.11 (we're at 3.10 now) - FYI @hashar
Jelto added a comment.Oct 21 2025, 8:53 AM
In T407557#11284684, @Ladsgroup wrote:

Assuming gitlab ssh config needs changing, this needs attention of collaboration-services team. Production seems to be handled already.

Thank you for tagging collaboration-services ! Regarding GitLab, we have a dedicated Puppet module which installs a second sshd interdependent from the GitLab omnibus package. So we should be able to add other algorithms pretty easily, the hosts are also on bookworm already.

It's not fully clear to me which of the additional algorithm should be supported. But I can add it to GitLab as soon as we agreed on a algorithm.

hashar removed a project: Gerrit.Oct 21 2025, 9:34 AM

For Gerrit, it requires a change to an upstream library (Apache MINA SSHD). I have filed the sub task T407844 for it. Meanwhile the warning can be disabled using:

~/.ssh/config
Host gerrit.wikimedia.org
    WarnWeakCrypto=no-pq-kex
Lucas_Werkmeister_WMDE mentioned this in T407844: Gerrit ssh daemon does not offer post-quantum kex leading to a warning with OpenSSH 10.Oct 21 2025, 10:03 AM
Lucas_Werkmeister_WMDE added a comment.Oct 23 2025, 12:17 PM

Gonna quickly note here that Wikimedia Cloud VPS is apparently not affected (at least when SSHing to a Bookworm VM – supports sntrup761x25519-sha512), and neither is Toolforge (Trixie bastion additionally supports mlkem768x25519-sha256).

LSobanski removed a project: collaboration-services.Oct 27 2025, 3:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits