Thanks Damien! Looks like quantum kex algo was the reason. After changing to the traditional kex, ssh connections were fast enough.

On Mon, Jul 29, 2024 at 5:28 PM Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Sun, 28 Jul 2024, Darren Tucker wrote:
>
> > OpenSSH 9.0 introduced a quantum resistant hybrid kex method as the
> > highest priority method. Quoting
> > https://www.openssh.com/releasenotes.html#9.0:
> >
> > * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
> >   exchange method by default ("sntrup761x25519-sha512@xxxxxxxxxxx").
> >   The NTRU algorithm is believed to resist attacks enabled by future
> >   quantum computers and is paired with the X25519 ECDH key exchange
> >   (the previous default) as a backstop against any weaknesses in
> >   NTRU Prime that may be discovered in the future. The combination
> >   ensures that the hybrid exchange offers at least as good security
> >   as the status quo.
> >
> > This is more expensive than the previous defaults. You can disable
> > this if necessary on either the server or client configs, see
> > KexAlgorithms in ssh_config(5) and sshd_config(5).
>
> We should look at using an optimised version of NTRUPrime, at the moment
> we're just using a generic version that isn't very fast. There's probably
> a 3-5x saving to be made...
>
> -d
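
To check which key exchange a session actually negotiated before and after a KexAlgorithms change like the one discussed in this thread, the shell sketch below parses `ssh -v` output and times a connection per method. It is an added example, not code from the thread or from the OpenSSH project; the sample log is constructed, `user@host` is a placeholder, and the parser assumes the `debug1: kex: algorithm:` line that the OpenSSH client prints with `-v`.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed `ssh -v` output.
SAMPLE_LOG='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519'

# Print the negotiated key exchange method found in `ssh -v` output on stdin.
negotiated_kex() {
    tr -d '\r' | sed -n 's/^debug1: kex: algorithm: \(.*\)$/\1/p' | head -n 1
}

# Succeed if the method is the hybrid Streamlined NTRU Prime + X25519 exchange.
is_sntrup_hybrid() {
    case "$1" in
        sntrup761x25519-sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a debug log on stdin: hybrid-pq, classical, or unknown (no kex line).
classify_kex() {
    kex=$(negotiated_kex)
    if [ -z "$kex" ]; then echo unknown
    elif is_sntrup_hybrid "$kex"; then echo "hybrid-pq $kex"
    else echo "classical $kex"
    fi
}

# Time one full connection using only the given kex list ($2) against the
# caller-supplied host ($1). BatchMode avoids hanging on a password prompt.
time_kex() {
    start=$(date +%s)
    ssh -o BatchMode=yes -o KexAlgorithms="$2" "$1" true
    end=$(date +%s)
    echo "$2: $((end - start))s"
}

printf '%s\n' "$SAMPLE_LOG" | classify_kex
# Live use (not run here; user@host is a placeholder):
#   ssh -v user@host true 2>&1 | classify_kex
#   time_kex user@host sntrup761x25519-sha512@openssh.com
#   time_kex user@host curve25519-sha256
```

Restricting KexAlgorithms to classical methods gives up the post-quantum protection the quoted release note describes, so measure first. Removing only the one method with `KexAlgorithms -sntrup761x25519-sha512@openssh.com` keeps the rest of the default list intact.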