Inventory your SSH host keys
Every SSH server announces its host-key algorithm to anyone who connects — before authentication. PQLens reads exactly that, so your fleet goes in the inventory without credentials or a login attempt.
pqlens scan ssh git.example.com bastion.example.com
How it works
- List your SSH hosts (or
host:port) afterpqlens scan ssh. - PQLens opens a connection only as far as the key exchange and records the host-key algorithm each server presents — it never authenticates.
- Ed25519 and ECDSA host keys are classified quantum-vulnerable (normal today); anything RSA-1024 or DSA-era is flagged broken / deprecated.
- Results merge into the same inventory as every other surface.
Why SSH belongs in a cryptographic inventory
SSH host keys are long-lived production cryptography that almost never appears in anyone’s inventory — they were generated when the box was provisioned and forgotten. A fleet still presenting ssh-rsa with small keys, or DSA keys from a 2012 image, is exactly the kind of finding PCI DSS 12.3.3 exists to surface.
No credentials, by design
The scan stops before authentication: it reads what the server offers to every client and disconnects. There is nothing to configure, no account to create, and nothing that shows up as a failed login in most default configurations beyond an ordinary dropped connection.
Frequently asked questions
Do I need SSH credentials to scan?
No. The host-key algorithm is presented pre-authentication, to any client that connects. PQLens reads it and disconnects — it never attempts a login.
Is an Ed25519 host key a problem?
Not today. Ed25519 is a modern, well-regarded choice against classical attackers; like all elliptic-curve signatures it is quantum-vulnerable, so it goes in the inventory with that status — nothing more alarming than that.
Will this trip intrusion detection?
It looks like a TCP connection that completes key exchange and leaves — similar to a monitoring probe. If your IDS alerts on that, scan from an allowlisted host.