Discussion summary
OpenSSH 10.4/10.4p1 introduces post-quantum keys like ML-DSA 44 and Ed25519, but they are not enabled by default. Default configurations still include hmac-sha1 and umac-64. The release notes and configuration details are available on the OpenSSH website.
What the discussion says
- Some users question the formatting of release notes and suggest PRs for improvement.
- Discussion about default security algorithms like hmac-sha1 and umac-64.
- Interest in enabling post-quantum keys in SSH and FIDO2 support.
“Post-quantum keys like ML-DSA 44 are added but not enabled by default.”
“The release notes are in RST markup, which some find hard to read.”
Comments
Hacker News
by lousken
* https://man.openbsd.org/ssh_config.5#MACs
* https://man.openbsd.org/sshd_config.5#MACs
ETM, encrypt-than-mac, variants are at the front of the preference list.
by throw0101a
by throw0101a
by saghm
Anyone know if these projects accept PRs to improve these kinds of things, like legibility? Or is it a point of pride?
by atonse
When pq key agreement was added in 2019, it took almost 3 years for it to become enabled by default. This isn't criticism, just an observation. I don't have a pressing need for pq sigs. Always happy for new OpenSSH releases though!
by Panino
by ecesena
The draft was only published a few months ago:
* https://datatracker.ietf.org/doc/draft-miller-sshm-mldsa44-e...
The draft is a 'personal document', so not associated with the IETF/WG.
by throw0101a
Join the discussion
Write your take first — we'll ask for email only when you're ready to publish.
- Hacker News
- Is hmac-sha1 and umac-64 still enabled by default?by lousken
- Yes:
* https://man.openbsd.org/ssh_config.5#MACs
* https://man.openbsd.org/sshd_config.5#MACs
ETM, encrypt-than-mac, variants are at the front of the preference list.
by throw0101a - HTML version of release notes:by throw0101a
- Honestly this just looks like RST markup to me. If you really wanted to format it, I feel like using a previewer for that would basically do the jobby saghm
- Still looks like ascii, doesn’t automatically wrap, nor is it responsive.
Anyone know if these projects accept PRs to improve these kinds of things, like legibility? Or is it a point of pride?
by atonse - Among other changes 10.4 adds post-quantum keys (composite ML-DSA 44 and Ed25519), not enabled by default.
When pq key agreement was added in 2019, it took almost 3 years for it to become enabled by default. This isn't criticism, just an observation. I don't have a pressing need for pq sigs. Always happy for new OpenSSH releases though!
by Panino - I recently added ml-dsa-44 to solokeys, both piv and fido2. To my understanding ssh+fido2 doesn’t support pq yet, but if anybody’s reading and knows how to make it happen, I’d be really interested.by ecesena
- > Among other changes 10.4 adds post-quantum keys (composite ML-DSA 44 and Ed25519), not enabled by default.
The draft was only published a few months ago:
* https://datatracker.ietf.org/doc/draft-miller-sshm-mldsa44-e...
The draft is a 'personal document', so not associated with the IETF/WG.
by throw0101a
Related stories
Canada's only watchmaking school still ticking after 80 years
cbc.ca · 138 points · 66 comments
MacSurf 1.68 – NetSurf on OS 9 Released
github.com · 76 points · 18 comments
Decoding the obfuscated bash script on a Uniqlo t-shirt
tris.sherliker.net · 1072 points · 181 comments
StreetComplete: Fixing OpenStreetMap, one tiny quest at a time
streetcomplete.app · 761 points · 182 comments
Every new car sold in the European Union must include a driver monitoring camera
allaboutcookies.org · 737 points · 969 comments
Chat Control 1.0 and 2.0 Explained
fightchatcontrol.eu · 645 points · 238 comments