フմ尺Ǥ乇刀 キЦ乃
Sophie SchmiegIn case you were thinking that stuff is up to date: only 4.4% of OpenSSH servers are on 10.0 or later, a version that came out over a year ago.
Deirdre Connolly¹
Oliver D. Reithmaier@sophieschmieg apparently most email servers don't have SPF/DMARC implemented, so I'm not too surprised about that one.
Ingo Wichmann@sophieschmieg does 10.0p1-7+deb13u4 count as greater than or equal to 10.0 ?
@ingo_wichmann I don't know, does it use ML-KEM by default for the kex?
Clemens@sophieschmieg technically 9.9 with configuration can also do mlkem, but that's probably a miniscule number.
@sophieschmieg On topic: https://www.redhat.com/en/blog/advancing-post-quantum-capabilities-ssh-red-hat-enterprise-linux
Also available in RHEL 9.8, with non-default config `update-crypto-policies --set DEFAULT:PQ`.
Advancing post-quantum capabilities of SSH in Red Hat Enterprise Linux
Learn about the new post-quantum SSH key exchange features in Red Hat Enterprise Linux 10.2, including the availability of FIPS-compatible algorithms and the integration of libssh 0.12.0. Upgrade to the latest Red Hat Enterprise Linux 10 version to secure your systems against 'harvest now, decrypt later' threats.
Simon Josefsson@sophieschmieg PQ crypto has been in OpenSSH since 7.9 (2019) and sntrup761x25519 was made the default in 9.0 (2022) and is still supported.