Evaemon
The last infrastructure.

Post-quantum SSH, built for real deployments

Upgrade SSH authentication for long-term resilience — without replacing OpenSSH.

Evaemon wraps OQS-OpenSSH with an interactive wizard, operational tooling, tests, and documentation. Run a separate sshd side-by-side. Enable hybrid compatibility. Prefer PQ algorithms with safe fallbacks.

  • Non-invasive (separate sshd)
  • Hybrid mode (classical + PQ)
  • PQ KEX (Kyber hybrid) + fallback
  • Multi-hostkey negotiation
  • 199 tests · 0 failures

Quick start
Clone → wizard → deploy
Linux • Bash

git clone https://github.com/Yarpii/Evaemon.git
cd Evaemon
sudo bash wizard.sh

Deployment: Side-by-side sshd
Operations: Retry + backoff
Confidence: Test suite

The wizard builds OQS-OpenSSH, configures a separate sshd, and sets up client tooling — without touching system OpenSSH.

Transparent scope. Explicit caveats. Designed for repeatable deployment.

Test suite: 199 tests · 0 failures
Authentication: Falcon · ML-DSA · Dilithium · SPHINCS+
Session encryption: Kyber hybrid KEX supported
Compatibility: Hybrid mode + classical fallback

Core features

Built for deployment, operations, and verification — not demos.

Non-invasive deployment

Runs a separate sshd process. System OpenSSH remains untouched.

Post-quantum authentication

NIST-selected and candidate signature schemes for host and client keys.

Post-quantum key exchange

Prefer Kyber-based hybrid KEX for session encryption; append classical KEX as fallback.

Hybrid mode

Serve classical (Ed25519/RSA) and PQ keys side-by-side for compatibility.

Multi-algorithm server

Generate and advertise multiple host key types; clients negotiate what they support.

Reliable operations

Retry-with-backoff on TCP checks, handshakes, and rotation verification.

How it works

A side-by-side deployment that keeps your existing OpenSSH intact.

Step 1: Build OQS-OpenSSH

Compile liboqs + OQS-OpenSSH under build/ without touching system binaries.

Step 2: Run a separate sshd

Configure evaemon-sshd as a parallel service with its own config + keys.

Step 3: Operate & verify

Use health checks, monitoring, diagnostics, and tests to validate end-to-end behavior.

Modes

Choose PQ-only for strict posture, or Hybrid for interoperability with standard OpenSSH clients while still preferring PQ algorithms.


Installation

Server + client setup, built around the wizard — with direct CLI equivalents.

Prerequisites

Linux + build toolchain. Root access required for server-side operations.

# Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y git cmake ninja-build gcc make \
  libssl-dev zlib1g-dev autoconf automake libtool pkg-config

Build OQS-OpenSSH

Fetch + compile liboqs and OQS-OpenSSH under build/.

sudo bash build_oqs_openssh.sh
build/bin/ssh -V

Server setup

Wizard → Server mode → configure host keys, sshd_config, systemd service.

sudo bash wizard.sh
# Select: 1 (Server) → Configure Server
sudo systemctl start evaemon-sshd.service
sudo systemctl status evaemon-sshd.service

Client setup

Wizard → Client mode → keygen → copy key → connect (PQ-only or hybrid).

sudo bash wizard.sh
# Select: 2 (Client) → Generate Keys → Copy Key → Connect

Why KEX matters

Post-quantum keys on their own only protect the authentication step. Setting KexAlgorithms makes the session key exchange post-quantum-resistant too, which is what protects recorded traffic against later decryption. client/connect.sh configures this automatically.

Usage

Wizard-driven workflows, with standalone tools for automation.

Common operations

Generate keys, connect, health check, rotate, monitor.

bash client/keygen.sh
bash client/connect.sh
bash client/health_check.sh
bash client/key_rotation.sh
sudo bash server/monitoring.sh

Hybrid connection example

Prefer PQ KEX and host keys, append classical fallbacks for interoperability.

build/bin/ssh \
  -o "KexAlgorithms=ecdh-nistp384-kyber-1024r3-sha384-d00@openquantumsafe.org,...,curve25519-sha256" \
  -o "HostKeyAlgorithms=ssh-falcon1024,ssh-ed25519,rsa-sha2-512,rsa-sha2-256" \
  -o "PubkeyAcceptedKeyTypes=ssh-falcon1024,ssh-ed25519,rsa-sha2-512,rsa-sha2-256" \
  -i ~/.ssh/id_ssh-falcon1024 \
  -p 22 user@server
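
The ordering rule above (PQ algorithms first, classical fallbacks appended, and no classical entries at all in PQ-only mode) can be checked mechanically before a list goes into a config. This is an added example, not part of Evaemon's tooling; the function names and the substring pattern used to recognise PQ algorithm names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Evaemon code: audit an SSH algorithm preference list.
# Assumption: PQ entries are recognised by the family names used on this page;
# adjust PQ_PATTERN to the algorithm names your OQS-OpenSSH build reports.
PQ_PATTERN='kyber|falcon|mldsa|dilithium|sphincs'

# classify_algo NAME -> prints "pq" or "classical"
classify_algo() {
  if printf '%s\n' "$1" | grep -Eqi "$PQ_PATTERN"; then
    echo pq
  else
    echo classical
  fi
}

# audit_algo_list MODE LIST
#   MODE: "pq-only" or "hybrid"; LIST: comma-separated, in preference order.
#   Prints one finding per problem and returns 0 only when the list is clean.
audit_algo_list() {
  local mode="$1" list="$2" algo kind seen_pq=0 seen_classical=0 rc=0
  local IFS=','
  for algo in $list; do
    [ -n "$algo" ] || continue
    kind=$(classify_algo "$algo")
    if [ "$kind" = pq ]; then
      seen_pq=1
      if [ "$seen_classical" -eq 1 ]; then
        echo "ORDER: $algo is listed after a classical algorithm"; rc=1
      fi
    else
      seen_classical=1
      if [ "$mode" = pq-only ]; then
        echo "CLASSICAL: $algo is not allowed in pq-only mode"; rc=1
      fi
    fi
  done
  if [ "$seen_pq" -eq 0 ]; then
    echo "NO-PQ: list contains no post-quantum algorithm"; rc=1
  fi
  return "$rc"
}

# HostKeyAlgorithms value from the hybrid example above, then constructed lists.
PAGE_HYBRID='ssh-falcon1024,ssh-ed25519,rsa-sha2-512,rsa-sha2-256'
BAD_ORDER='ssh-ed25519,ssh-falcon1024'      # constructed: classical preferred
CLASSICAL_ONLY='curve25519-sha256'          # constructed: no PQ entry

audit_algo_list hybrid "$PAGE_HYBRID" && echo "hybrid list OK"
audit_algo_list pq-only "$PAGE_HYBRID" || echo "pq-only check failed as expected"
```

The hybrid Kyber KEX name contains a classical ECDH component but is classified as PQ here because the match is on the `kyber` substring.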

Security model

Threat model, best practices, and known limitations — documented plainly.

What it helps protect against
  • Harvest-now / decrypt-later risk for long-lived credentials.
  • Authentication forgery against classical RSA/ECDSA in a quantum-capable future.
  • Operational drift via repeatable tooling and verification steps.
Important caveats
  • OQS implementations are not yet FIPS-validated.
  • System OpenSSH remains unmodified — harden or firewall it separately to prevent classical fallback paths.
  • Use PQ-only mode to enforce strict posture; Hybrid mode adds classical compatibility for standard clients.

Algorithm guidance (high level)
  • Falcon-1024 (recommended): Fast verification, compact signatures at high security.
  • ML-DSA (standard): NIST standardized signature scheme family (FIPS 204).
  • SPHINCS+ (orthogonal): Hash-based option with different assumptions (larger signatures).

Tests & verification

Self-contained bash harness with unit + integration coverage.

Unit tests (no OQS binary required)
bash shared/tests/unit_tests/test_validation.sh
bash shared/tests/unit_tests/test_logging.sh
bash shared/tests/unit_tests/test_functions.sh
bash shared/tests/unit_tests/test_backup.sh
bash shared/tests/unit_tests/test_copy_key.sh
bash shared/tests/unit_tests/test_connect.sh
Integration tests (auto-skip when needed)
bash shared/tests/integration_tests/test_keygen.sh
bash shared/tests/integration_tests/test_server.sh
bash shared/tests/integration_tests/test_key_rotation.sh

Full suite: 199 tests, exits 0 on success.

FAQ

Short answers to the questions people ask first.

Does this replace OpenSSH?

No. It runs a separate sshd process so your system OpenSSH is not modified.

Is key exchange post-quantum too?

Yes. Client connections can set KexAlgorithms to prefer Kyber-based post-quantum/hybrid KEX. client/connect.sh configures this automatically.

Is this FIPS validated?

No. OQS/liboqs is not yet FIPS-validated; see the security guide for details.

Can standard SSH clients still connect?

Yes in hybrid mode (with classical fallbacks). Use PQ-only mode to enforce strict posture.

Ready to try it?
Start with the wizard, then follow the docs for hardening and operations.