OpenSSH has offered post-quantum key agreement (KexAlgorithms) by default since release 9.0 (2022), initially via the sntrup761x25519-sha512 algorithm. More recently, in OpenSSH 9.9, we have added a second post-quantum key agreement mlkem768x25519-sha256 and it was made the default scheme in OpenSSH 10.0.

To encourage migration to these stronger algorithms, OpenSSH 10.1 will warn the user when a non post-quantum key agreement scheme is selected. These warnings are displayed by default but may be disabled via the WarnWeakCrypto option in ssh_config(5).