From 7ffe208af9cf4a800170fee8fe85835161ebb120 Mon Sep 17 00:00:00 2001
From: Chandler Swift <chandler+pearson@chandlerswift.com>
Date: Wed, 11 Feb 2026 09:29:19 -0600
Subject: [PATCH] sam: Squelch post-quantum warn on Azure Devops SSH

Connecting to ADO gives this warning:

    ** WARNING: connection is not using a post-quantum key exchange algorithm.
    ** This session may be vulnerable to "store now, decrypt later" attacks.
    ** The server may need to be upgraded. See https://openssh.com/pq.html

ADO doesn't support any flavor of keys besides RSA. There are several
issues open about this on their feedback site, and it's been radio
silence:

https://developercommunity.visualstudio.com/t/support-non-rsa-keys-for-ssh-authentication/365980
https://developercommunity.visualstudio.com/t/11032779

And Microsoft has nothing to say besides vague "we've routed your
feedback to the appropriate product team".

There's more information on the warning at OpenSSH's docs page:

https://www.openssh.org/pq.html
---
 sam/configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sam/configuration.nix b/sam/configuration.nix
index 9a5069e..45b1bbe 100644
--- a/sam/configuration.nix
+++ b/sam/configuration.nix
@@ -222,6 +222,7 @@
     programs.ssh = {
       enable = true;
       matchBlocks."*".addKeysToAgent = "yes";
+      matchBlocks."ssh.dev.azure.com".extraOptions.WarnWeakCrypto = "no-pq-kex";
       includes = [
         "config.d/*"
       ];