PQLensGuides › Inventory your SSH host keys
100% local · nothing leaves your machine

Inventory your SSH host keys

Every SSH server announces its host-key algorithm to anyone who connects — before authentication. PQLens reads exactly that, so your fleet goes in the inventory without credentials or a login attempt.

pqlens scan ssh git.example.com bastion.example.com
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. List your SSH hosts (or host:port) after pqlens scan ssh.
  2. PQLens opens a connection only as far as the key exchange and records the host-key algorithm each server presents — it never authenticates.
  3. Ed25519 and ECDSA host keys are classified quantum-vulnerable (normal today); anything RSA-1024 or DSA-era is flagged broken / deprecated.
  4. Results merge into the same inventory as every other surface.

Why SSH belongs in a cryptographic inventory

SSH host keys are long-lived production cryptography that almost never appears in anyone’s inventory — they were generated when the box was provisioned and forgotten. A fleet still presenting ssh-rsa with small keys, or DSA keys from a 2012 image, is exactly the kind of finding PCI DSS 12.3.3 exists to surface.

No credentials, by design

The scan stops before authentication: it reads what the server offers to every client and disconnects. There is nothing to configure, no account to create, and nothing that shows up as a failed login in most default configurations beyond an ordinary dropped connection.

Frequently asked questions

Do I need SSH credentials to scan?

No. The host-key algorithm is presented pre-authentication, to any client that connects. PQLens reads it and disconnects — it never attempts a login.

Is an Ed25519 host key a problem?

Not today. Ed25519 is a modern, well-regarded choice against classical attackers; like all elliptic-curve signatures it is quantum-vulnerable, so it goes in the inventory with that status — nothing more alarming than that.

Will this trip intrusion detection?

It looks like a TCP connection that completes key exchange and leaves — similar to a monitoring probe. If your IDS alerts on that, scan from an allowlisted host.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.