[Rebelgecko]

I imagine the key exchange is just once per connection, right? So the overhead seems not too bad.

Especially since I think a pretty large number of computers/hostnames that are ssh'able today will probably have the same root password if they're still connected to the internet 10-20 years from now

[singlow]

So what person is running an SSH server and configuring it to use post-quantum crypto, but is using password Auth? Priorities are out-of-whack.

Not that this is a bad thing, but first start using keys, then start rotating them regularly and then worry about theoretical future attacks.

[djmdjm]

Those are completely disjoint threats.

A captured SSH session should never be able to decrypted by an adversary regardless of whether it uses passwords or keys, or how weak the password is.

[SoftTalker]

root can't normally log in via ssh. Unless the default configuration is changed.

[chasil]

In OpenSSH root cannot login.

In TinySSH, which also implements the ntru exchange, root is always allowed.

I don't know what the behavior is in Dropbear, but the point is that OpenSSH is not the only implementation.

TinySSH would also enable you to quiet the warning on RHEL 7 or other legacy platforms.

[petee]

Fwiw some distros ask if you want root access enabled on install; I assume there's always some chance of it being enabled for install stuff and forgotten, or the user misreading and thinking it means any root access.