If you see this warning when connecting to a server through ssh:
** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html
Then follow michabbb’s guide on how to enable post-quantum key exchange in ssh. Don’t worry, you don’t have to generate new keys. Please please do not disable the warnings, Solution 1 is NOT a solution. Do the right thing.
On your (MacOS) client machine (your local laptop) you need to tell your client to prefer post-quantum algorithms. Edit ~/.ssh/config and make sure your Host entry contains a KexAlgorithms line like this:
Host *
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
On a (MacOS) server you need to tell the sshd deamon to prefer post-quantum algorithms. To help you quickly do this:
sudo tee /etc/ssh/sshd_config.d/post-quantum.conf >/dev/null <<'EOF' # Enable post-quantum key exchange algorithms KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 EOF sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
Then validate that it worked on your next ssh session. If not, check that both machines (client and server) contain these fixes and are up-to-date. Read michabbb’s article for more tips and a better explanation.
Stay safe!