Post-quantum crypto entering real infrastructure
OpenSSH 10.4 shipped with post-quantum key support, specifically composite ML-DSA 44 and Ed25519, though not enabled by default. The thread noted it took almost three years for the last post-quantum addition (key agreement in 2019) to become the default, which gives you a sense of how long it takes for new cryptographic primitives to move from 'available' to 'standard.'
The pattern here is that post-quantum cryptography is no longer theoretical or experimental. It is landing in production tools that run on hundreds of millions of machines. The question now is not whether to care about it, but when your threat model requires you to enable it.
Commenters raised the old defaults question, asking whether weaker algorithms like hmac-sha1 and umac-64 are still enabled. The answer matters for anyone doing security audits, because the presence of new strong defaults does not automatically retire the old weak ones.
So what?
If you operate infrastructure that needs long-term security guarantees, or if you handle data that adversaries might harvest now and decrypt later, the timeline for enabling post-quantum defaults has shortened. Start tracking which of your dependencies support these algorithms and when you can realistically migrate.