Comment by Rebelgecko

1 day ago

I imagine the key exchange is just once per connection, right? So the overhead seems not too bad.

Especially since I think a pretty large number of computers/hostnames that are ssh'able today will probably have the same root password if they're still connected to the internet 10-20 years from now

So what person is running an SSH server and configuring it to use post-quantum crypto, but is using password auth? Priorities are out-of-whack.

Not that this is a bad thing, but first start using keys, then start rotating them regularly and then worry about theoretical future attacks.

  • Those are completely disjoint threats.

    A captured SSH session should never be able to be decrypted by an adversary regardless of whether it uses passwords or keys, or how weak the password is.

root can't normally log in via ssh. Unless the default configuration is changed.

  • In OpenSSH root cannot login.

    In TinySSH, which also implements the ntru exchange, root is always allowed.

    I don't know what the behavior is in Dropbear, but the point is that OpenSSH is not the only implementation.

    TinySSH would also enable you to quiet the warning on RHEL 7 or other legacy platforms.

  • Fwiw some distros ask if you want root access enabled on install; I assume there's always some chance of it being enabled for install stuff and forgotten, or the user misreading and thinking it means any root access.
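The three settings the thread argues about (root login, password authentication, and the post-quantum hybrid key exchange) can all be read off an sshd_config. The following audit script is an added example written for this page, not code from any commenter or from OpenSSH. It assumes OpenSSH semantics (first occurrence of a keyword wins, `PermitRootLogin` defaults to `prohibit-password`, `PasswordAuthentication` defaults to `yes`), assumes no `Match` stanzas in the input, and uses the OpenSSH name of the sntrup761 hybrid KEX; the two config texts are constructed samples.

```python
"""Audit an sshd_config text for the settings discussed in the thread above:
root login, password authentication and post-quantum key exchange.
Example code added to this page; not from any commenter or from OpenSSH."""
import re

# Constructed sample: the "bad priorities" case from the thread.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
"""

# Constructed sample: keys only, no root, PQ hybrid KEX preferred.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
"""

# Values OpenSSH applies when a directive is absent (assumption: OpenSSH >= 7.0,
# where PermitRootLogin defaults to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kexalgorithms": "",
}

# OpenSSH's name for the sntrup761 + X25519 hybrid ("ntru exchange" in the thread).
PQ_KEX = "sntrup761x25519-sha512@openssh.com"


def parse_sshd_config(text):
    """Return {lowercased_keyword: value} for the effective directives.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here as well. Match blocks are not modelled (assumption: none).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return findings in the priority order the thread suggests:
    auth hygiene first, post-quantum key exchange last."""
    cfg = parse_sshd_config(text)
    eff = {k: cfg.get(k, d) for k, d in DEFAULTS.items()}
    findings = []

    if eff["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in, even with a password")

    if eff["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication not disabled: prefer key-based auth")

    # Only judge an explicit, absolute KexAlgorithms list; lists starting with
    # '+', '-' or '^' modify the built-in default and are left alone here.
    kex_value = eff["kexalgorithms"]
    kex = [k.strip() for k in kex_value.split(",") if k.strip()]
    if kex and kex_value[0] not in "+-^" and PQ_KEX not in kex:
        findings.append(f"KexAlgorithms set without {PQ_KEX}: PQ hybrid KEX disabled")

    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or ['no findings']}")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; a stock OpenSSH install with no directives at all yields only the password-authentication finding, which matches the thread's point that keys should come before worrying about the key exchange.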