The post-quantum cryptography (PQC) transition is well underway in Red Hat Enterprise Linux (RHEL). In May 2025, RHEL 10 delivered post-quantum key exchange algorithms in three major cryptography libraries (OpenSSL, GnuTLS, and NSS), making post-quantum key exchange usable in TLS 1.3 connections. RHEL 10.1 followed, setting the new key exchange algorithms as default in TLS, and introducing post-quantum signatures for RPM packages.
The secure shell (SSH) protocol was not left behind. RHEL 10 shipped with OpenSSH 9.9, supporting two hybrid post-quantum key exchange methods: sntrup761x25519-sha512 combines classical X25519 key exchange with the lattice-based streamlined NTRU prime algorithm (SNTRUP), and mlkem768x25519-sha256 combines X25519 with the module-lattice-based key-encapsulation mechanism (ML-KEM) standardized by the US National Institute of Standards and Technology (NIST). Beginning with RHEL 10.1, the latter is preferred by OpenSSH when establishing connections unless configured otherwise.
What's new for SSH in RHEL 10.2
Further PQC features of SSH were integrated into RHEL 10.2.
Post-quantum SSH key exchange in FIPS mode
The RFC draft for mlkem768x25519-sha256 is currently being finalized by the Internet Engineering Task Force (IETF) Secure Shell Maintenance (SSHM) working group, and the algorithm is increasingly being adopted by various SSH implementations. However, the draft also specifies two other hybrid key exchange algorithms: mlkem768nistp256-sha256 and mlkem1024nistp384-sha384. These combine ML-KEM variants with elliptic-curve Diffie-Hellman (ECDH) key exchange over NIST-recommended curves (P-256 and P-384) instead of Curve25519.
Because ML-KEM and ECDH over P-256/P-384 are all FIPS-approved, we're making mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 available as the only two post-quantum FIPS-compatible SSH key exchange algorithms in Red Hat Enterprise Linux 10.2. Although upstream OpenSSH maintainers decided not to implement these two additional hybrids, Red Hat customers can start using post-quantum cryptography in SSH in FIPS mode thanks to downstream patches of OpenSSH provided by Red Hat developers.
Post-quantum key exchange support in libssh
These hybrid key exchange constructions are also finally arriving in libssh 0.12.0 (the SSH C library). Aligning with OpenSSH behavior, SSH clients and servers built against libssh now prefer the mlkem768x25519-sha256 key exchange algorithm by default in RHEL 10.2. This means that customers running custom libssh-based servers can protect themselves from "harvest now, decrypt later" attacks by simply upgrading.
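As an added illustration (not code from Red Hat, OpenSSH or libssh), the sketch below parses the kex_algorithms name-list out of two constructed SSH_MSG_KEXINIT payloads, applies the RFC 4253 selection rule, and reports whether the chosen method is one of the hybrids named above and whether it is one of the two FIPS-compatible ones. The helper names and the sample algorithm lists are assumptions made for the example.

```python
import struct

# Classification from the article: all four are hybrid post-quantum methods;
# True marks the two it describes as FIPS-compatible.
PQ_HYBRID = {
    "sntrup761x25519-sha512": False,
    "mlkem768x25519-sha256": False,
    "mlkem768nistp256-sha256": True,
    "mlkem1024nistp384-sha384": True,
}
SSH_MSG_KEXINIT = 20

def name_list(names):
    # RFC 4251 name-list: uint32 length, then comma-separated ASCII names.
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def build_kexinit(kex_names):
    # Constructed sample payload: only kex_algorithms is populated.
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # type + zeroed cookie
    payload += name_list(kex_names) + name_list([]) * 9
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def kex_algorithms(payload):
    # kex_algorithms is the first name-list, right after the 16-byte cookie.
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []

def negotiate(client_payload, server_payload):
    # RFC 4253 section 7.1, simplified: first name on the client's list that
    # the server also offers (host-key compatibility checks are omitted).
    server = set(kex_algorithms(server_payload))
    for name in kex_algorithms(client_payload):
        if name in server:
            return {"kex": name, "post_quantum": name in PQ_HYBRID,
                    "fips_compatible_pq": PQ_HYBRID.get(name, False)}
    return None

if __name__ == "__main__":
    # Constructed lists: a PQ-preferring client against a classical-only server.
    client = build_kexinit(["mlkem768x25519-sha256", "curve25519-sha256"])
    server = build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256"])
    print(negotiate(client, server))
```

A result with post_quantum set to False means the session fell back to a classical key exchange, which is the case to look for when checking exposure to "harvest now, decrypt later".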
What's possible for SSH in the future
More PQC features are still undergoing the standardization process, and Red Hat is part of it.
Pure ML-KEM key exchange and post-quantum SSH keys
We're watching ongoing efforts to standardize the use of pure (non-hybrid) ML-KEM key exchange in SSH. The current draft has not yet been adopted by the IETF SSHM working group, as there is no consensus about whether it is appropriate (with opponents arguing that ML-KEM is not mature enough).
The usage of ML-DSA (a NIST-standardized post-quantum signature algorithm family) within SSH is also being discussed, with multiple competing RFC drafts: draft-rpe-ssh-mldsa and draft-sfluhrer-ssh-mldsa both seek to standardize pure ML-DSA usage for SSH public keys, whereas draft-sun-ssh-composite-sigs and draft-josefsson-ssh-ed25519mldsa65 seek to standardize composite ML-DSA signatures (combined with, for example, classical EdDSA signatures). Implementing any of these would allow SSH clients and hosts to authenticate with post-quantum public keys, securing them against man-in-the-middle attacks using quantum computers.
GSSAPI key exchange with post-quantum cryptography
Finally, we’re working on standardizing GSSAPI key exchange with hybrid PQC methods (namely the three hybrid ML-KEM methods) and implementing it in OpenSSH and libssh. The RFC draft proposed by Red Hat builds on top of RFC 4462 and RFC 8732, and adopting it will make Kerberos authentication in SSH quantum-safe.
Conclusion
With the release of RHEL 10.2, post-quantum SSH key exchange is enabled by default, whether you're operating in FIPS mode or using custom SSH applications based on libssh. We invite you to upgrade your systems to the latest RHEL 10 version to help mitigate "harvest now, decrypt later" threats.
Looking forward, Red Hat engineers remain active in the IETF and upstream communities to help define the next phase of quantum-safe SSH, including post-quantum host key support and post-quantum GSSAPI (Kerberos) authentication. As the new SSH standards mature and reach consensus, we will continue to implement and support them in future RHEL releases.
About the author
Wearing the Red Hat since 2022. RHEL Crypto Team member since 2025.