Your message dated Mon, 4 May 2026 11:08:36 +0100
with message-id <[email protected]>
and subject line Re: Bug#1135654: openssh-client: Option WarnWeakCrypto no not 
accepted, upgrade to backports
has caused the Debian Bug report #1135654,
regarding openssh-client: Option WarnWeakCrypto no not accepted, upgrade to 
backports
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135654
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-client
Version: 1:10.2p1-6~bpo13+1
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

When connecting to my local git repo on a Synology NAS I received the following 
warning:

> $ git pull
> ** WARNING: connection is not using a post-quantum key exchange algorithm.
> ** This session may be vulnerable to "store now, decrypt later" attacks.
> ** The server may need to be upgraded. See https://openssh.com/pq.html

There is a way to turn off this (annoying) warning, namely to
put a section in ~/.ssh/config:

> Match host mygitserver
>  WarnWeakCrypto no

However, when using openssh 1:10.0p1-7+deb13u2 from Trixie
stable-security, I got the following error, which made git
abort:

> .ssh/config: line 19: Bad configuration option: warnweakcrypto

My other computers did not complain about WarnWeakCrypto, so I
upgraded openssh on my machine to the version in Trixie backports
1:10.2p1-6~bpo13+1 and the problem went away.

Solution
========

Maintainers
-----------
Push an update of openssh to the version in backports.

Users
-----
1) Activate the backports repository in /etc/apt/sources.list.d/debian.sources
2) In /etc/apt/preferences.d place a file backports.pref with the following 
content:

Package: openssh-*
Pin: release n=trixie-backports
Pin-Priority: 900


Maintainers, thanks for your work!


-- System Information:
Debian Release: 13.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.74+deb13+1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  init-system-helpers         1.69~deb13u1
ii  libc6                       2.41-12+deb13u2
ii  libedit2                    3.1-20250104-1
ii  libfido2-1                  1.15.0-1+b1
ii  libgssapi-krb5-2            1.21.3-5
ii  libselinux1                 3.8.1-1
ii  libssl3t64                  3.5.5-1~deb13u2
ii  systemd [systemd-sysusers]  257.9-1~deb13u1
ii  zlib1g                      1:1.3.dfsg+really1.3.1-1+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1.1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  4:6.3.4-1
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

On Mon, May 04, 2026 at 10:44:04AM +0200, Morten Kjeldgaard wrote:
> When connecting to my local git repo on a Synology NAS I received the 
> following warning:
> 
> > $ git pull
> > ** WARNING: connection is not using a post-quantum key exchange algorithm.
> > ** This session may be vulnerable to "store now, decrypt later" attacks.
> > ** The server may need to be upgraded. See https://openssh.com/pq.html
> 
> There is a way to turn off this (annoying) warning, namely to
> put a section in ~/.ssh/config:
> 
> > Match host mygitserver
> >  WarnWeakCrypto no
> 
> However, when using openssh 1:10.0p1-7+deb13u2 from Trixie
> stable-security, I got the following error, which made git
> abort:
> 
> > .ssh/config: line 19: Bad configuration option: warnweakcrypto
> 
> My other computers did not complain about WarnWeakCrypto, so I
> upgraded openssh on my machine to the version in Trixie backports
> 1:10.2p1-6~bpo13+1 and the problem went away.
> 
> Solution
> ========
> 
> Maintainers
> -----------
> Push an update of openssh to the version in backports.

No, we're not going to upgrade trixie to OpenSSH >= 10.1, except in 
backports (which already has it).  You're of course free to choose to 
install it from trixie-backports, as you say.

The WarnWeakCrypto option was added in the same version of OpenSSH as 
the warning itself, so all you need to do is to not add that option to 
~/.ssh/config on machines that don't have OpenSSH >= 10.1.

Thanks,

-- 
Colin Watson (he/him)                              [[email protected]]

--- End Message ---
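The maintainer's advice (only set WarnWeakCrypto where the client is OpenSSH >= 10.1) can be scripted for machines that share one generated `~/.ssh/config`. This is an added example, not part of the original thread: the function names are hypothetical and the version banners are constructed from the two package versions mentioned above.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Succeed only if the version banner in $1 (the text `ssh -V` prints)
# names OpenSSH >= 10.1, the release the reply says introduced WarnWeakCrypto.
supports_warnweakcrypto() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2      # unrecognised banner: assume unsupported
    set -- $ver                    # $1 = major, $2 = minor
    [ "$1" -gt 10 ] && return 0
    [ "$1" -eq 10 ] && [ "$2" -ge 1 ] && return 0
    return 1
}

# Print the Match stanza for host $1, adding the option only when the
# client described by banner $2 can parse it.
emit_stanza() {
    printf 'Match host %s\n' "$1"
    if supports_warnweakcrypto "$2"; then
        printf '    WarnWeakCrypto no\n'
    else
        printf '    # client older than OpenSSH 10.1: option left out\n'
    fi
}

# Constructed banners modelled on the two package versions in the thread.
emit_stanza mygitserver 'OpenSSH_10.0p1 Debian-7+deb13u2'
emit_stanza mygitserver 'OpenSSH_10.2p1 Debian-6~bpo13+1'

# On a real machine: emit_stanza mygitserver "$(ssh -V 2>&1)"
```

ssh_config(5) also documents `IgnoreUnknown`, which makes a client skip listed options it does not recognise, provided it appears before them in the file.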
